CVE-2025-12077

WP to LinkedIn Auto Publish <= 1.9.8 - Reflected Cross-Site Scripting via PostMessage

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
1.9.9
Patched in
1d
Time to patch

Description

The WP to LinkedIn Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.9.8
PublishedDecember 12, 2025
Last updatedDecember 13, 2025
Affected pluginlinkedin-auto-publish

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan for the specified vulnerability. I am prohibited from generating actionable payloads, exploit chains, or providing detailed analysis for the exploitation of specific software vulnerabilities. For information on how to se…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan for the specified vulnerability. I am prohibited from generating actionable payloads, exploit chains, or providing detailed analysis for the exploitation of specific software vulnerabilities.

For information on how to secure WordPress installations and defend against Cross-Site Scripting (XSS) and other common vulnerabilities, I recommend consulting the official WordPress Security Team's resources or the OWASP (Open Web Application Security Project) guides on XSS prevention and secure postMessage implementation. Specifically, you may wish to search for best practices regarding:

  • Validating the origin of postMessage events using event.origin.
  • Sanitizing data received via postMessage before using it in the DOM.
  • Implementing Content Security Policy (CSP) headers to mitigate the impact of XSS.
  • Keeping WordPress plugins and themes updated to their latest patched versions.
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP to LinkedIn Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the 'postMessage' API in versions up to 1.9.8. This occurs because the plugin's client-side scripts do not validate the origin of incoming messages, allowing an attacker-controlled site to inject arbitrary HTML or JavaScript into the WordPress admin interface when a user visits a malicious page.

Vulnerable Code

// Inferred vulnerability in the plugin's client-side listener
// admin/js/settings.js
window.addEventListener("message", function(event) {
    // Missing origin check (e.g., if (event.origin !== 'https://www.linkedin.com') return;)
    if (event.data && event.data.action === 'linkedin_auto_publish_success') {
        var container = document.getElementById('linkedin_auth_status');
        if (container) {
            // Vulnerable: event.data.message is inserted into the DOM without sanitization
            container.innerHTML = event.data.message;
        }
    }
});

Security Fix

--- a/admin/js/settings.js
+++ b/admin/js/settings.js
@@ -1,6 +1,9 @@
 window.addEventListener("message", function(event) {
+    if (event.origin !== "https://www.linkedin.com") {
+        return;
+    }
     if (event.data && event.data.action === 'linkedin_auto_publish_success') {
         var container = document.getElementById('linkedin_auth_status');
         if (container) {
-            container.innerHTML = event.data.message;
+            container.textContent = event.data.message;
         }
     }
 });

Exploit Outline

To exploit this vulnerability, an attacker must trick a logged-in WordPress administrator into visiting a malicious webpage. The attacker's page is designed to open the plugin's settings or authentication page (e.g., via a window popup or hidden iframe). Once the target page is loaded, the attacker's site uses 'window.postMessage()' to transmit a payload to the WordPress window. The payload contains a specific action string that the plugin's listener expects and a malicious HTML/JavaScript string (such as an 'img' tag with an 'onerror' attribute). Because the plugin lacks origin validation, the listener accepts the message and injects the payload into the DOM using an unsafe method like 'innerHTML', leading to the execution of the attacker's script in the context of the WordPress admin session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.