CVE-2025-12116 Overview
CVE-2025-12116 is a Stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Drift theme for WordPress. The flaw affects all versions up to and including 1.5.0. It stems from insufficient input sanitization and output escaping when the theme renders the post title. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript into pages. The injected scripts execute in the browser of any visitor who accesses the affected page, enabling session theft, redirection, and actions performed under the victim's privileges.
Critical Impact
Authenticated Contributor-level users can inject persistent JavaScript that executes against every visitor, including administrators, exposing accounts and site integrity to compromise.
Affected Products
- WordPress Drift theme versions 1.0 through 1.5.0
- WordPress sites running Drift with Contributor-or-higher user registration enabled
- Any Drift-themed page rendered with attacker-controlled post titles
Discovery Timeline
- 2026-02-19 - CVE-2025-12116 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12116
Vulnerability Analysis
The Drift theme renders post titles in administrative and front-end contexts without applying adequate escaping. The vulnerable code paths are located in admin/main/options/00.theme-setup.php at lines 122 and 134, where post title values are emitted into HTML output. Because the theme trusts the title field, any markup placed in that field reaches the rendered DOM verbatim.
WordPress permits Contributor accounts to author posts, including setting titles. An attacker who registers or compromises a Contributor account can craft a post with a title containing JavaScript payloads. When an administrator previews the post or another user views the rendered page, the script runs in their session context.
Because the script runs inside the victim's authenticated session, its effect is not confined to the injected post: it can act against any page the victim can reach. Typical exploitation goals include exfiltrating authentication cookies, planting administrator accounts, and modifying site content.
Root Cause
The root cause is the absence of context-appropriate output escaping. WordPress provides esc_html(), esc_attr(), and wp_kses() helpers for sanitizing user-supplied strings. The Drift theme outputs the post title directly without invoking these helpers, violating the WordPress theme security guidelines for echoing dynamic content.
Attack Vector
Exploitation requires network access to the WordPress site and an authenticated session at the Contributor role or above. The attacker creates or edits a post and embeds an XSS payload inside the title field. When the post is rendered, the browser parses the title as HTML and executes the embedded script. No user interaction beyond viewing the page is required for the payload to fire.
The vulnerability mechanism is described in the Wordfence Vulnerability Report and verifiable in the WordPress Drift Theme Source Code.
Detection Methods for CVE-2025-12116
Indicators of Compromise
- Post titles containing HTML tags such as <script>, <img onerror=>, or <svg onload=> stored in the wp_posts table.
- Unexpected outbound HTTP requests from administrator browsers shortly after accessing Drift-themed pages.
- Creation of new administrator accounts or modification of user roles immediately after Contributor activity.
- Unfamiliar JavaScript references in cached page output served by the Drift theme.
Detection Strategies
- Query the WordPress database for post titles containing angle brackets or JavaScript event handlers: SELECT ID, post_title FROM wp_posts WHERE post_title REGEXP '<|on[a-z]+='.
- Deploy a Web Application Firewall (WAF) rule that inspects post_title parameters submitted to wp-admin/post.php for script payloads.
- Review WordPress audit logs for Contributor accounts that recently created or edited posts.
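The database query above is the starting point for triage; the PHP below is an added example (not from the advisory, the theme, or Wordfence) that applies the same pattern offline to constructed wp_posts rows, next to a tighter pattern of my own that tolerates spaces around the "=" and skips the false positives the broad one produces on ordinary titles. The row contents and the tighter regex are assumptions for illustration.

```php
<?php
// Constructed sample rows in the shape of wp_posts (ID, post_title).
// Rows 104-106 carry markup of the kind listed under Indicators of Compromise;
// rows 102 and 103 are benign titles that happen to contain '<' or 'on...='.
$rows = [
    ['ID' => 101, 'post_title' => 'Q3 roadmap'],
    ['ID' => 102, 'post_title' => 'Why 2 < 3 matters in sorting'],
    ['ID' => 103, 'post_title' => 'Deploy guide: environment=production'],
    ['ID' => 104, 'post_title' => 'Hello <script>alert(1)</script>'],
    ['ID' => 105, 'post_title' => 'Photo <IMG SRC=x ONERROR=alert(1)>'],
    ['ID' => 106, 'post_title' => 'Notes <svg onload = alert(1)>'],
];

// The advisory's MySQL REGEXP '<|on[a-z]+=' as PCRE. MySQL REGEXP is
// case-insensitive on non-binary columns, so /i keeps the behaviour identical.
const BROAD_PATTERN = '/<|on[a-z]+=/i';

// Tighter pattern (assumption, not from the advisory): '<' must start something
// tag-like, and the event handler must begin at a word boundary, with optional
// whitespace before '='.
const TIGHT_PATTERN = '/<\s*[a-z!\/]|\bon[a-z]+\s*=/i';

// Return the IDs of rows whose title matches the given pattern.
function scan_titles(array $rows, string $pattern): array {
    $hits = [];
    foreach ($rows as $row) {
        if (preg_match($pattern, $row['post_title']) === 1) {
            $hits[] = $row['ID'];
        }
    }
    return $hits;
}

$broad = scan_titles($rows, BROAD_PATTERN);
$tight = scan_titles($rows, TIGHT_PATTERN);

printf("Broad pattern flagged IDs: %s\n", implode(', ', $broad));
printf("Tight pattern flagged IDs: %s\n", implode(', ', $tight));
// Rows the broad scan catches but the tight one does not are the manual-review queue.
printf("Broad-only (review by hand): %s\n", implode(', ', array_diff($broad, $tight)));
```

Run it with `php scan.php`. The broad pattern flags every row that contains a "<" or "on...=" substring, including the two benign titles; the tight pattern keeps the three markup-bearing rows. Either hit is a triage signal, not proof of compromise: open the flagged post in the editor and inspect the stored title before deleting anything.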
Monitoring Recommendations
- Alert on the creation of new Contributor or Author accounts followed by post submissions within a short window.
- Monitor administrator session cookies and login source IP changes for signs of session hijacking.
- Track integrity of theme files in wp-content/themes/drift/ to identify tampering or attempts to disable the patch.
How to Mitigate CVE-2025-12116
Immediate Actions Required
- Update the Drift theme to a version newer than 1.5.0 once the maintainer releases a fix.
- Audit all existing posts for malicious markup in titles and remove offending content.
- Restrict Contributor-level registration and review existing low-privilege accounts for legitimacy.
- Force password resets for any account suspected of being used to inject payloads.
Patch Information
No fixed version is identified in the NVD record at the time of publication. Site operators should consult the Wordfence Vulnerability Report and the WordPress theme repository for updated releases. Until a vendor patch is available, switch to an alternative maintained theme or apply the workarounds below.
Workarounds
- Replace direct title output in the Drift theme with WordPress escaping helpers such as esc_html( get_the_title() ).
- Remove or disable the Drift theme on production sites and select a maintained alternative.
- Restrict post creation and editing to trusted Editor or Administrator accounts by adjusting user role capabilities.
- Deploy a WAF rule that blocks HTML tags in submitted post_title parameters.
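To make the root cause and the first workaround concrete, here is an added example (not the Drift theme's code and not a patch for it) showing the unsafe rendering pattern the advisory describes beside its escaped counterpart, run against a constructed title in the style of the indicators above. The `esc_html()`/`esc_attr()` fallbacks exist only so the file runs outside WordPress; inside a theme the real WordPress helpers are used, and the template line would be `<?php echo esc_html( get_the_title() ); ?>`.

```php
<?php
// Stand-ins for the WordPress helpers so this file runs outside WordPress
// (assumption: behaviour is close enough for this demonstration; WordPress's
// esc_html() also leaves existing entities alone, hence double_encode=false).
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    }
}

// Constructed title of the kind a Contributor could save; the theme trusts the
// title field, so whatever is stored here reaches the DOM verbatim.
$title = 'Weekly update <img src=x onerror="alert(1)">';

// Vulnerable pattern: the title is concatenated straight into HTML, which is
// what the advisory describes at the two affected lines of 00.theme-setup.php.
function render_title_unsafe(string $title): string {
    return '<h1 class="entry-title">' . $title . '</h1>';
}

// Hardened pattern: escape for the context the value lands in.
// esc_html() for text between tags, esc_attr() inside a quoted attribute.
function render_title_safe(string $title): string {
    return '<h1 class="entry-title" title="' . esc_attr($title) . '">'
         . esc_html($title) . '</h1>';
}

// True when no tag from the title survives as markup in the rendered output.
function title_is_neutralized(string $html): bool {
    return stripos($html, '<img') === false;
}

echo "Unsafe: " . render_title_unsafe($title) . PHP_EOL;
echo "Safe:   " . render_title_safe($title) . PHP_EOL;
echo "Unsafe neutralized? " . var_export(title_is_neutralized(render_title_unsafe($title)), true) . PHP_EOL;
echo "Safe neutralized?   " . var_export(title_is_neutralized(render_title_safe($title)), true) . PHP_EOL;
```

The unsafe output contains the `<img ...>` element intact, so a browser would parse it and fire the handler; the safe output carries it as `&lt;img ... onerror=&quot;alert(1)&quot;&gt;`, which renders as visible text. The choice of helper follows the output context, not the input source: a title placed inside an attribute needs `esc_attr()`, one placed between tags needs `esc_html()`, and a title that must keep limited markup goes through `wp_kses()` with an explicit allow-list.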
# Configuration example: WP-CLI scan for suspicious post titles
wp db query "SELECT ID, post_title, post_author FROM wp_posts \
WHERE post_title REGEXP '<script|onerror=|onload=|javascript:'"
# Demote untrusted Contributor accounts to Subscriber
wp user list --role=contributor --field=ID | \
xargs -I {} wp user set-role {} subscriber
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.