Platform
wordpress
Component
project-honey-pot-spam-trap
Fixed in
1.0.2
CVE-2025-12406 identifies a Cross-Site Scripting (XSS) vulnerability in the Project Honey Pot Spam Trap plugin for WordPress. Because the affected admin page handler does not validate a nonce, an unauthenticated attacker can forge a request that injects web script into the page. The vulnerability affects versions 1.0.0 through 1.0.1, and a fix is expected to be released by the vendor.
The primary impact of CVE-2025-12406 is that an attacker can execute arbitrary JavaScript in the context of a WordPress administrator's session. This could lead to account takeover, data theft (including sensitive user information and administrative credentials), and defacement of the website. Successful exploitation hinges on tricking a site administrator into clicking a malicious link or otherwise performing an action that triggers the vulnerable printAdminPage() function. The attack vector is CSRF-based: the attacker needs no account of their own, but must get an authenticated administrator's browser to submit a forged request that the server accepts as legitimate.
CVE-2025-12406 was publicly disclosed on 2025-11-18. No public proof-of-concept (PoC) code has been released at the time of writing, but the nature of the vulnerability (CSRF-based XSS) makes it relatively straightforward to exploit. It is not currently listed on CISA KEV. The medium CVSS score reflects the potential impact combined with relatively low exploitability, since an administrator must be induced to act.
WordPress websites running the Project Honey Pot Spam Trap plugin are at increased risk, particularly those whose administrative accounts are frequently targeted by phishing or social engineering. Shared hosting environments, where multiple websites share the same server resources, may also be exposed if one site on the host is compromised.
• wordpress / composer / npm (confirm the vulnerable handler is present in the installed plugin):
grep -r 'printAdminPage()' /var/www/html/wp-content/plugins/project-honey-pot-spam-trap/
• generic web (inspect the response headers of the plugin's admin page):
curl -I https://example.com/wp-admin/admin.php?page=project-honey-pot-spam-trap-admin | grep -i 'set-cookie'
• wordpress / composer / npm (check whether the plugin is installed but deactivated):
wp plugin list --status=inactive | grep 'project-honey-pot-spam-trap'
Disclosure
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2025-12406 is to upgrade the Project Honey Pot Spam Trap plugin to a version containing the security fix. If upgrading is not immediately feasible because of compatibility concerns or testing requirements, consider a Web Application Firewall (WAF) rule that blocks requests to the page served by printAdminPage() when they do not carry a nonce parameter. Carefully review any recent changes to the plugin's configuration or code to identify potential vulnerabilities. After upgrading, verify the fix by submitting a forged request to the previously vulnerable function and confirming that it is rejected for a missing or invalid nonce.
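The fix the advisory describes is the standard WordPress pattern of tying a state-changing admin action to a nonce, a capability check, input sanitization and output escaping. The following is an added illustration of that pattern and is not the Project Honey Pot Spam Trap plugin's code: the function names, option name, nonce action and menu slug (all prefixed `phpst_`) are hypothetical. The first function shows the vulnerable shape for contrast; the second is the hardened handler.

```php
<?php
/**
 * Added illustration of the CSRF-to-XSS pattern behind CVE-2025-12406 and the
 * standard WordPress fix. NOT the Project Honey Pot Spam Trap plugin's code;
 * every phpst_* name, the option key and the menu slug are hypothetical.
 */

// --- Vulnerable shape (for contrast only) -----------------------------------
// No nonce or capability check, and the submitted value is echoed unescaped.
// A forged POST submitted by an administrator's browser is accepted, and the
// reflected value is rendered as markup in that administrator's session.
function phpst_print_admin_page_vulnerable() {
    if ( isset( $_POST['phpst_api_key'] ) ) {
        update_option( 'phpst_api_key', $_POST['phpst_api_key'] );
        echo '<div class="updated"><p>Saved: ' . $_POST['phpst_api_key'] . '</p></div>';
    }
    // ... form rendering omitted
}

// --- Hardened shape ----------------------------------------------------------
function phpst_print_admin_page() {
    // 1. Only users allowed to manage settings may reach the handler at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'phpst' ) );
    }

    $notice = '';
    if ( ! empty( $_POST ) ) {
        // 2. Reject forged requests. check_admin_referer() verifies the nonce
        //    bound to this action and the current user, and dies on failure,
        //    so a cross-site POST never reaches update_option().
        check_admin_referer( 'phpst_save_settings', 'phpst_nonce' );

        // 3. Sanitize on input; the stored value is a plain string.
        $api_key = isset( $_POST['phpst_api_key'] )
            ? sanitize_text_field( wp_unslash( $_POST['phpst_api_key'] ) )
            : '';
        update_option( 'phpst_api_key', $api_key );
        $notice = 'Settings saved.';
    }

    $current = get_option( 'phpst_api_key', '' );
    ?>
    <div class="wrap">
        <h1><?php echo esc_html__( 'Spam Trap Settings', 'phpst' ); ?></h1>
        <?php if ( $notice ) : ?>
            <div class="notice notice-success"><p><?php echo esc_html( $notice ); ?></p></div>
        <?php endif; ?>
        <form method="post">
            <?php
            // 4. Emit the nonce that step 2 checks. wp_nonce_field() also adds
            //    a hidden _wp_http_referer field.
            wp_nonce_field( 'phpst_save_settings', 'phpst_nonce' );
            ?>
            <label for="phpst_api_key"><?php echo esc_html__( 'API key', 'phpst' ); ?></label>
            <!-- 5. Escape on output, for the context the value lands in (an attribute). -->
            <input type="text" id="phpst_api_key" name="phpst_api_key"
                   value="<?php echo esc_attr( $current ); ?>" class="regular-text" />
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

// Register the page under Settings (slug and labels are hypothetical).
add_action( 'admin_menu', function () {
    add_options_page(
        'Spam Trap Settings',
        'Spam Trap',
        'manage_options',
        'phpst-settings',
        'phpst_print_admin_page'
    );
} );
```

The nonce alone closes the CSRF path the advisory describes; the escaping on output closes the XSS path independently, so a value that reaches the page through some other route is still rendered inertly. When verifying an upgrade as the advisory suggests, a POST to the settings page without the `phpst_nonce` field (or with a stale one) should end in the "The link you followed has expired" response that `check_admin_referer()` produces, rather than a saved setting.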
No patch is known to be available. Please review the vulnerability details thoroughly and apply mitigations based on your organization's risk tolerance. It may be preferable to uninstall the affected software and look for a replacement.
CVE-2025-12406 is a Cross-Site Scripting (XSS) vulnerability in the Project Honey Pot Spam Trap WordPress plugin, allowing attackers to inject malicious scripts via forged requests.
If you are using Project Honey Pot Spam Trap version 1.0.0 or 1.0.1, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade the Project Honey Pot Spam Trap plugin to a version containing the security patch. If upgrading is not immediately possible, consider implementing a WAF rule.
While no active exploitation has been confirmed, the nature of the vulnerability makes it relatively easy to exploit, so vigilance is advised.
Refer to the Project Honey Pot website and WordPress plugin repository for updates and official advisories regarding this vulnerability.