CVE-2025-12061

Published: Nov 26, 2025Modified: Jan 9, 2026

8.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 4.0

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (1)

https://wpscan.com/vulnerability/1015dd69-faa5-4008-8884-f497ff980ed3/

Source: contact@wpscan.com

Timeline

No history available yet.