Platform: wordpress
Component: project-honey-pot-spam-trap
Fixed in: 1.0.2
CVE-2025-12406 identifies a Cross-Site Scripting (XSS) vulnerability within the Project Honey Pot Spam Trap plugin for WordPress. This flaw allows unauthenticated attackers to potentially inject malicious web scripts by exploiting a lack of proper nonce validation. The vulnerability affects versions 1.0.0 through 1.0.1, and a fix is expected to be released by the vendor.
The primary impact of CVE-2025-12406 is the potential for an attacker to execute arbitrary JavaScript code within the context of a WordPress administrator's session. This could lead to account takeover, data theft (including sensitive user information and administrative credentials), and defacement of the website. Successful exploitation hinges on the attacker's ability to trick a site administrator into clicking a malicious link or performing an action that triggers the vulnerable printAdminPage() function. The attack vector is CSRF-based: the attacker does not need an account of their own, but must get the administrator's browser to submit a forged request that the server accepts as legitimate because no nonce ties the request to a page the administrator actually loaded.
CVE-2025-12406 was publicly disclosed on 2025-11-18. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's nature (CSRF-based XSS) makes it relatively straightforward to exploit. It is not currently listed on CISA KEV. The medium CVSS score reflects the potential impact and relatively low exploitability.
Exploit Status
EPSS: 0.03% (7th percentile)
The immediate mitigation for CVE-2025-12406 is to upgrade the Project Honey Pot Spam Trap plugin to a version containing the security fix. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests that reach the printAdminPage() function without a valid nonce. Carefully review any recent changes to the plugin's configuration or code to identify potential vulnerabilities. After upgrading, verify the fix by attempting to trigger the previously vulnerable function with a forged request (one carrying no nonce, or a stale one) and confirming that the action is rejected.
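To make the missing-nonce class of bug concrete, here is an added illustration in the style of a WordPress plugin admin page: the weak handler processes and echoes request data with no nonce check, while the hardened one applies a capability check, nonce verification, input sanitizing and output escaping. This is example code written for this page, not the Project Honey Pot Spam Trap plugin's own source; every `phpst_*` function, option and nonce name is an assumption.

```php
<?php
// Added illustration only: a hypothetical admin-page handler in the style
// of a WordPress plugin. It is NOT the Project Honey Pot Spam Trap code;
// all phpst_* names are assumptions made for this example.

// --- Weak pattern: no nonce check, request data echoed unescaped. ---
// A forged (CSRF) request submitted by a logged-in administrator's browser is
// treated as legitimate, and the submitted value is written into the page as
// raw markup, which is what turns a CSRF weakness into XSS.
function phpst_print_admin_page_weak() {
    if ( isset( $_POST['phpst_api_key'] ) ) {
        update_option( 'phpst_api_key', $_POST['phpst_api_key'] );
        echo '<div class="updated">Saved key: ' . $_POST['phpst_api_key'] . '</div>';
    }
    // ... form output ...
}

// --- Hardened pattern: capability check, nonce verification, sanitizing on
// input, escaping on output. ---
function phpst_print_admin_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'phpst' ) );
    }
    if ( isset( $_POST['phpst_api_key'] ) ) {
        // check_admin_referer() stops the request with a 403 unless it carries
        // a valid nonce issued for this action to this user; a cross-site page
        // cannot read or forge that token.
        check_admin_referer( 'phpst_save_settings', 'phpst_nonce' );
        $key = sanitize_text_field( wp_unslash( $_POST['phpst_api_key'] ) );
        update_option( 'phpst_api_key', $key );
        echo '<div class="updated">' . esc_html__( 'Settings saved.', 'phpst' ) . '</div>';
    }
    $key = get_option( 'phpst_api_key', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'phpst_save_settings', 'phpst_nonce' ); ?>
        <label>API key
            <input type="text" name="phpst_api_key" value="<?php echo esc_attr( $key ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The same nonce pairing (`wp_nonce_field()` in the form, `check_admin_referer()` on the handler) is also what a post-upgrade verification should exercise: a POST to the settings page without the nonce field must be rejected before any option is written or echoed.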
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-12406 is a Cross-Site Scripting (XSS) vulnerability in the Project Honey Pot Spam Trap WordPress plugin, allowing attackers to inject malicious scripts via forged requests.
If you are using Project Honey Pot Spam Trap version 1.0.0 or 1.0.1, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade the Project Honey Pot Spam Trap plugin to a version containing the security patch. If upgrading is not immediately possible, consider implementing a WAF rule.
While no active exploitation has been confirmed, the vulnerability's nature makes it relatively easy to exploit, so vigilance is advised.
Refer to the Project Honey Pot website and WordPress plugin repository for updates and official advisories regarding this vulnerability.