CVE-2025-12715

Name of the Vulnerable Software and Affected Versions Canadian Nutrition Facts Label plugin for WordPress versions up to and including 3.0

Description The plugin is susceptible to Stored Cross-Site Scripting through the percentage field within the Nutrition Label custom post type. Insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. These scripts execute when a user accesses an injected page. The affected API endpoint is the Nutrition Label custom post type. The vulnerable parameter is percentage.

Recommendations Update the Canadian Nutrition Facts Label plugin to a version later than 3.0.