CVE-2025-12021 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the WP-OAuth plugin for WordPress, developed by hectavex. This vulnerability exists in all versions up to and including 0.4.1 due to insufficient input sanitization and output escaping of the 'error_description' parameter. When an attacker crafts a malicious URL containing a specially crafted 'error_description' parameter and tricks a user into clicking it, the injected script executes in the context of the victim's browser. This can lead to theft of session cookies, redirection to malicious sites, or execution of arbitrary JavaScript, compromising user confidentiality and integrity. The vulnerability does not require authentication, making it accessible to unauthenticated attackers, but does require user interaction (clicking a link). The CVSS 3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change. No patches or exploits are currently reported, but the risk remains significant given the widespread use of WordPress and its plugins. The vulnerability is categorized under CWE-79, which is a common web application security weakness related to improper neutralization of input during web page generation.

The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with affected WordPress sites using the WP-OAuth plugin. Attackers can execute arbitrary scripts in the victim's browser, potentially stealing session tokens, cookies, or other sensitive information, leading to account compromise or unauthorized actions. It can also facilitate phishing attacks by redirecting users to malicious sites or displaying fraudulent content. Although availability is not directly impacted, the reputational damage and loss of user trust can be significant. Organizations relying on WP-OAuth for authentication services may face increased risk of user account compromise and data leakage. Since the vulnerability is exploitable without authentication but requires user interaction, the attack surface includes any visitor to the affected site, increasing the potential scope. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate it, especially as attackers often weaponize such vulnerabilities rapidly after disclosure.

1. Upgrade the WP-OAuth plugin to a version that addresses this vulnerability once released by the vendor. Monitor official hectavex channels or WordPress plugin repositories for updates. 2. Until a patch is available, implement Web Application Firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the 'error_description' parameter. 3. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 4. Sanitize and validate all user-supplied input on the server side, especially parameters reflected in responses, to prevent injection of malicious code. 5. Educate users and administrators about the risks of clicking on untrusted links, especially those that may contain suspicious parameters. 6. Conduct regular security audits and penetration testing on WordPress installations and plugins to identify and remediate similar vulnerabilities proactively. 7. Consider disabling or replacing the WP-OAuth plugin with alternative, more secure authentication plugins if immediate patching is not feasible.