Platform
wordpress
Component
project-honey-pot-spam-trap
Fixed version
1.0.2
CVE-2025-12406 identifies a Cross-Site Scripting (XSS) vulnerability within the Project Honey Pot Spam Trap plugin for WordPress. This flaw allows unauthenticated attackers to potentially inject malicious web scripts by exploiting a lack of proper nonce validation. The vulnerability affects versions 1.0.0 through 1.0.1, and a fix is expected to be released by the vendor.
The primary impact of CVE-2025-12406 is the potential for an attacker to execute arbitrary JavaScript code within the context of a WordPress administrator's session. This could lead to account takeover, data theft (including sensitive user information and administrative credentials), and defacement of the website. Successful exploitation hinges on the attacker's ability to trick a site administrator into clicking a malicious link or performing an action that triggers the vulnerable printAdminPage() function. The attack vector is CSRF-based, meaning the attacker doesn't need to authenticate but needs to forge a request that appears legitimate to the server.
CVE-2025-12406 was publicly disclosed on 2025-11-18. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's nature (CSRF-based XSS) makes it relatively straightforward to exploit. It is not currently listed on CISA KEV. The medium CVSS score reflects the potential impact and relatively low exploitability.
WordPress websites utilizing the Project Honey Pot Spam Trap plugin, particularly those with administrative accounts that are frequently targeted by phishing or social engineering attacks, are at increased risk. Shared hosting environments where multiple websites share the same server resources may also be vulnerable if one site is compromised.
• wordpress / composer / npm:
grep -r 'printAdminPage()' /var/www/html/wp-content/plugins/project-honey-pot-spam-trap/
• generic web:
curl -I https://example.com/wp-admin/admin.php?page=project-honey-pot-spam-trap-admin | grep -i 'set-cookie'
• wordpress / composer / npm:
wp plugin list --status=inactive | grep 'project-honey-pot-spam-trap'
Disclosure
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2025-12406 is to upgrade the Project Honey Pot Spam Trap plugin to a version containing the security fix. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests to the printAdminPage() function that lack proper nonce validation. Carefully review any recent changes to the plugin's configuration or code to identify potential vulnerabilities. After upgrading, verify the fix by attempting to trigger the vulnerable function with a forged request and confirming that the action is blocked.
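The defect class described above (request input reflected on a plugin admin page with no nonce check, so a forged cross-site link can reach it) beside the nonce-validated, escaped form that the mitigation aims for. This is an added illustration, not the Project Honey Pot Spam Trap plugin's code and not its real printAdminPage(); the function names, nonce action strings, page slug, field names and text domain are constructed for the example. The WordPress API calls (check_admin_referer, wp_nonce_field, wp_nonce_url, esc_html, sanitize_text_field, current_user_can) are the standard core functions.

```php
<?php
// Added illustration (not the plugin's code). All names below are constructed.

// BEFORE: the pattern behind a CSRF-driven reflected XSS on an admin page.
// A GET parameter is echoed unescaped and nothing ties the request to a
// nonce, so any link an administrator follows reaches this output.
function vulnerable_print_admin_page() {
    $message = isset( $_GET['msg'] ) ? $_GET['msg'] : '';
    echo '<div class="updated"><p>' . $message . '</p></div>'; // unescaped reflection
    // ... rest of the settings page ...
}

// AFTER: capability check, nonce bound to a named action, escaped output.
function hardened_print_admin_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-plugin' ) );
    }
    $message = '';
    if ( isset( $_GET['msg'] ) ) {
        // check_admin_referer() stops the request (WordPress prints
        // "The link you followed has expired") when the _wpnonce parameter
        // is missing or does not match this action, so a forged link
        // never reaches the reflection below.
        check_admin_referer( 'example_plugin_admin_msg' );
        $message = sanitize_text_field( wp_unslash( $_GET['msg'] ) );
    }
    ?>
    <div class="wrap">
        <?php if ( '' !== $message ) : ?>
            <div class="updated"><p><?php echo esc_html( $message ); ?></p></div>
        <?php endif; ?>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <?php wp_nonce_field( 'example_plugin_save_settings' ); ?>
            <input type="hidden" name="action" value="example_plugin_save_settings">
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

// Form handler: verify the nonce before touching any POST data, then
// redirect back with a nonce-signed URL so the legitimate message link
// passes the check in hardened_print_admin_page().
function example_plugin_save_settings() {
    check_admin_referer( 'example_plugin_save_settings' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-plugin' ) );
    }
    // ... update_option() with sanitized values ...
    wp_safe_redirect(
        wp_nonce_url(
            admin_url( 'admin.php?page=example-plugin&msg=Saved' ),
            'example_plugin_admin_msg'
        )
    );
    exit;
}
add_action( 'admin_post_example_plugin_save_settings', 'example_plugin_save_settings' );
```

The two controls are independent: the nonce defeats the forged request, and esc_html() on output defeats the script injection even if a parameter reaches the page by another route. A WAF rule that rejects admin-page requests lacking a _wpnonce parameter approximates only the first control, which is why the advisory treats it as a stopgap until the plugin is upgraded.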
No known fix patch is available. Review the vulnerability details carefully and implement mitigations according to your organization's risk tolerance. It may be best to uninstall the affected software and find an alternative.
CVE-2025-12406 is a Cross-Site Scripting (XSS) vulnerability in the Project Honey Pot Spam Trap WordPress plugin, allowing attackers to inject malicious scripts via forged requests.
If you are using Project Honey Pot Spam Trap version 1.0.0 or 1.0.1, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade the Project Honey Pot Spam Trap plugin to a version containing the security patch. If upgrading is not immediately possible, consider implementing a WAF rule.
While no active exploitation has been confirmed, the vulnerability's nature makes it relatively easy to exploit, so vigilance is advised.
Refer to the Project Honey Pot website and WordPress plugin repository for updates and official advisories regarding this vulnerability.