Orbit Fox Companion is a widely deployed WordPress plugin (100k+ installs) that adds extra widgets and extensions for popular builders, including Elementor. These widgets are often used to create dynamic front-end components such as post grids, cards, and metadata sections. During testing, we identified CVE-2025-12045, a Stored Cross-Site Scripting (XSS) vulnerability that can be triggered by a low-privileged Contributor through the Elementor Post Grid widget when Meta → Display → Tags is enabled. By crafting a malicious tag name, an attacker can inject JavaScript that executes in a victim’s browser on hover, enabling session hijacking, privilege escalation, and backdoor installation in real-world exploit chains.
| Field | Value |
|---|---|
| CVE | CVE-2025-12045 |
| Plugin Version | Orbit Fox Companion <= 3.0.2 |
| Severity | High |
| Downloads (all time) | 13 508 123 |
| Active installations | 100 000+ |
| Publicly Published | November 3, 2025 |
| Last Updated | November 3, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12045 , https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/themeisle-companion/orbit-fox-companion-302-authenticated-author-stored-cross-site-scripting-via-post-taxonomy |
Timeline
| Date | Event |
|---|---|
| October 6, 2025 | Plugin testing and vulnerability detection in Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More has been completed |
| October 6, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 3, 2025 | Registered CVE-2025-12045 |
Discovery of the Vulnerability
The root cause is improper output escaping in the Orbit Fox module that renders tags under post cards. Specifically, in themeisle-companion/obfx_modules/elementor-extra-widgets/widgets/elementor/posts-grid.php, within the method renderMetaGridTags(), the plugin outputs tag names directly into both:
- the visible tag label text, and
- the link's title="..." attribute
without applying esc_html() or esc_attr(). Because tag names are user-controlled content, a crafted tag containing a double quote (") can break out of the title attribute context and inject an inline event handler such as onmouseover, leading to script execution.
Understanding Stored XSS attacks
Stored XSS occurs when an attacker injects a payload that is stored in the database and later rendered to other users without proper escaping. In WordPress, taxonomies such as tags and categories are commonly overlooked as injection vectors because they feel “metadata-like,” but they are still user-controlled strings. Many historic WordPress XSS cases involved taxonomy names being rendered in template attributes or HTML nodes without escaping, enabling execution on hover or click. Once JavaScript runs in the context of an authenticated admin session, it can be used to create new admin accounts, install backdoored plugins, steal nonces, or perform REST/AJAX actions silently.
Exploiting the Stored XSS Vulnerability
To exploit CVE-2025-12045, an attacker needs an authenticated session with the Contributor role or higher.
POC:
- Log in as a user with the Contributor role.
- Create a post with a tag whose exact name is 123" onmouseover=alert(1) (include the leading digits, the closing quote, a space, then the handler).
- Create a second post containing a "Post Type Grid" block in Elementor.
- In the Display settings, add "Tags".
- View the page on the front end and hover over the tag label under the post card that carries the malicious tag. The injected onmouseover handler fires and alert(1) pops, demonstrating stored XSS.
This vulnerability is high impact because it grants low-privileged users a reliable XSS vector on frontend pages—often publicly visible or visited by administrators. Common exploitation paths include:
- Admin session hijacking by stealing cookies or tokens via JavaScript.
- Privilege escalation by issuing authenticated REST/AJAX calls to create new admin users.
- Persistent compromise by installing malicious plugins, modifying theme files, or injecting new scripts into site content.
- Phishing overlays: attackers can inject deceptive UI (login prompts, fake support widgets) into trusted pages to steal credentials.
On multi-author blogs, corporate sites with contributors, and editorial news platforms, this XSS can be triggered naturally by administrators reviewing content, making exploitation realistic and stealthy.
Recommendations for Improved Security
Escape output properly: In renderMetaGridTags(), apply esc_html() for visible text and esc_attr() for attribute values, e.g.:
- esc_html( $tag_name ) for the link text
- esc_attr( $tag_name ) for the title="..." attribute
Audit all metadata rendering: Review other widget render functions that output taxonomy, author, or meta values into attributes.
Restrict taxonomy creation: Where possible, limit tag creation/editing to trusted roles, especially on sites using Elementor widgets that display taxonomy output.
Defense-in-depth: Deploy a Content Security Policy (CSP) to reduce inline event handler execution and use a WAF to detect suspicious payloads.
Patch and update: Update Orbit Fox Companion immediately once a fixed version is released and verify the vulnerable file has been corrected.
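The escaping fix recommended above, together with the unescaped rendering pattern described in the root-cause section, as an added example. This is not Orbit Fox's own code: the functions render_tag_link_unescaped(), render_tag_link_escaped() and find_suspicious_term_names() are hypothetical stand-ins for the plugin's renderMetaGridTags(), and the sample tag list is constructed (it includes the tag name from the PoC so the contrast is visible). Outside WordPress, esc_html(), esc_attr() and esc_url() are emulated with htmlspecialchars() so the script runs from the PHP CLI; the real esc_url() also validates the URL scheme.

```php
<?php
// Added example, not code from the Orbit Fox plugin. Function names are hypothetical.
// Stand-ins for the WordPress escaping helpers so the script runs without WordPress loaded.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        // Equivalent in spirit to WordPress esc_html(): encode & < > " ' for HTML text nodes.
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        // Attribute context: the double quote must be encoded so the value cannot close the attribute.
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // Simplified stand-in; the real esc_url() additionally validates the scheme.
        return htmlspecialchars( (string) $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Vulnerable pattern (hypothetical, mirrors the root cause): the tag name is written
// into the title attribute and the link text with no escaping at all.
function render_tag_link_unescaped( $tag_name, $tag_url ) {
    return '<a href="' . $tag_url . '" title="' . $tag_name . '">' . $tag_name . '</a>';
}

// Hardened pattern: each output location gets the escaper for its context.
function render_tag_link_escaped( $tag_name, $tag_url ) {
    return '<a href="' . esc_url( $tag_url ) . '" title="' . esc_attr( $tag_name ) . '">'
        . esc_html( $tag_name ) . '</a>';
}

// Defensive audit helper for sites that ran an unpatched version: flags stored term
// names that contain attribute-breaking characters or an inline event-handler shape.
function find_suspicious_term_names( array $names ) {
    $flagged = array();
    foreach ( $names as $name ) {
        if ( preg_match( '/["\'<>]|\bon[a-z]+\s*=/i', $name ) ) {
            $flagged[] = $name;
        }
    }
    return $flagged;
}

// Constructed sample data: two benign tag names and the tag name from the PoC above.
$sample_tags = array(
    'wordpress',
    'security-news',
    '123" onmouseover=alert(1)',
);

foreach ( $sample_tags as $tag ) {
    echo "Unescaped: " . render_tag_link_unescaped( $tag, '/tag/example' ) . "\n";
    echo "Escaped:   " . render_tag_link_escaped( $tag, '/tag/example' ) . "\n\n";
}

// In the escaped output the PoC name renders as 123&quot; onmouseover=alert(1) inside
// the attribute and as literal text in the label, so no handler attribute is created.
echo "Flagged term names: " . implode( ', ', find_suspicious_term_names( $sample_tags ) ) . "\n";
```

Run it with `php example.php`. The audit helper is intentionally broad (any quote, angle bracket or on*= pattern) because its purpose is to surface terms for a human review after patching, not to sanitize them in place; escaping at output time remains the actual fix.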
By taking proactive measures to address XSS vulnerabilities like CVE-2025-12045, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
