CVE-2025-12652

Name of the Vulnerable Software and Affected Versions Ungapped Widgets plugin for WordPress versions prior to 1.0

Description The software is susceptible to Stored Cross-Site Scripting through the prefillvalues parameter within the ungapped-form shortcode. This is a result of inadequate input sanitization and output escaping of user-provided attributes. An authenticated attacker with contributor-level access or higher can inject malicious web scripts into pages. These scripts will execute when a user accesses the compromised page. The API endpoint involved is the ungapped-form shortcode. The vulnerable parameter is prefillvalues.

Recommendations Update the Ungapped Widgets plugin to a version later than 1.0.