CVE-2025-12643 in Saphali LiqPay for Donate Plugin
Summary
by MITRE • 11/08/2025
The Saphali LiqPay for donate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saphali_liqpay' shortcode in all versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 11/09/2025
The vulnerability identified as CVE-2025-12643 affects the Saphali LiqPay for donate WordPress plugin, specifically targeting versions up to and including 1.0.2. This represents a critical security flaw that undermines the integrity of web applications by enabling malicious actors to execute unauthorized code within the context of legitimate user sessions. The issue manifests through the plugin's 'saphali_liqpay' shortcode functionality, which fails to properly validate or sanitize user-supplied input parameters. The vulnerability resides in the plugin's insufficient input sanitization mechanisms and inadequate output escaping protocols that should normally protect against cross-site scripting attacks. Attackers exploiting this weakness can inject malicious scripts that persist within the application's database and execute whenever affected pages are accessed, creating a persistent threat vector that can compromise user sessions and potentially escalate to more severe security incidents.
The technical implementation of this vulnerability demonstrates a classic stored cross-site scripting flaw that aligns with CWE-079 - Improper Neutralization of Input During Web Page Generation. The vulnerability occurs when user-provided attributes passed to the shortcode are not properly escaped before being rendered in HTML output, creating an opportunity for attackers to inject malicious JavaScript code. This particular weakness allows authenticated users with contributor-level privileges and above to leverage the vulnerability, which significantly reduces the attack surface requirements compared to unauthenticated attacks. The attack vector operates through the manipulation of shortcode parameters that are then processed and stored within the WordPress environment, making the malicious code persistent across multiple user sessions. The exploitation requires minimal privileges but can result in substantial damage to user data and application integrity, as the injected scripts execute in the context of the victim's browser session with their privileges.
The operational impact of this vulnerability extends beyond simple script execution, creating potential pathways for more sophisticated attacks such as session hijacking, credential theft, and data exfiltration. When authenticated users access pages containing the malicious shortcode, their browsers execute the injected scripts, which can capture sensitive information, modify application behavior, or redirect users to malicious sites. This vulnerability particularly affects WordPress environments where multiple contributors or editors have access to the platform, as these users can inadvertently or maliciously introduce the payload through legitimate content creation workflows. The stored nature of the vulnerability means that once injected, the malicious code remains active until manually removed from the database or the plugin is updated, providing attackers with extended persistence windows. Additionally, the vulnerability can be exploited to compromise not only individual user sessions but potentially entire WordPress installations if attackers can escalate privileges or gain access to administrative functions through the compromised user accounts.
Mitigation strategies for CVE-2025-12643 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. System administrators should implement strict access controls and privilege management to limit the number of users who can create or modify content containing shortcodes, reducing the potential attack surface. The implementation of Content Security Policies can provide additional defense-in-depth measures by restricting the sources from which scripts can be executed within the application context. Regular security audits and input validation testing should be conducted to identify similar vulnerabilities in other plugins and themes within the WordPress ecosystem. Organizations should also consider implementing automated monitoring solutions that can detect anomalous shortcode usage patterns or unauthorized content modifications, enabling rapid response to potential exploitation attempts. The vulnerability highlights the importance of maintaining current security practices including regular plugin updates, proper input validation, and comprehensive security testing as outlined in industry standards such as those recommended by the OWASP Top Ten project and the NIST Cybersecurity Framework.