Canadian Nutrition Facts Label

6.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Description

The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Basic Information

ID CVE-2025-12715

Source Wordfence

Published Dec 6, 2025 at 05:49

Affected Product

Vendor emaude

Product Canadian Nutrition Facts Label

Version *

Affected Versions emaude Canadian Nutrition Facts Label *

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
    "published": "2025-12-06T05:49:30.487Z",
    "modified": "2025-12-06T05:49:30.487Z",
    "type": "cve",
    "title": "Canadian Nutrition Facts Label <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nutrition Label Custom Post Type",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/950e5d04-1436-4886-8d36-fca38bd9414a?source=cve\nhttps://plugins.trac.wordpress.org/browser/canadian-nutrition-facts-label/tags/3.0/canadian-nutrition-facts-label.php#L557",
    "id": "CVE-2025-12715",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "emaude Canadian Nutrition Facts Label *",
    "sourceHref": "",
    "cvss": {
        "score": 6.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Canadian Nutrition Facts Label",
    "version": "*",
    "vendor": "emaude",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Canadian Nutrition Facts Label <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nutrition Label Custom Post Type_CVE-2025-12715