CVE-2025-12416: 
WordPress vulnerability analysis and mitigation

The Pagerank Tools plugin for WordPress (versions up to and including 1.1.5) was identified with CVE-2025-12416, a vulnerability combining Stored Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). The vulnerability was disclosed on November 4, 2025, and received a CVSS v3.1 base score of 6.1 (Medium) (NVD).

The vulnerability stems from missing nonce validation in the pr_save_settings() function and insufficient input sanitization. The combination of these security gaps allows for the execution of malicious web scripts through forged requests. The vulnerability has been assigned a CVSS v3.1 Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity (NVD).

When successfully exploited, the vulnerability allows injected malicious scripts to execute whenever a user accesses the plugin's settings page. This creates a persistent threat that could potentially affect multiple users who access the affected areas of the WordPress installation (NVD).

Website administrators running the affected versions of the Pagerank Tools plugin should update to a version newer than 1.1.5 if available. If an update is not available, it is recommended to disable or remove the plugin until a security patch is released (NVD).