CVE-2025-12872 MEDIUM

CVE-2025-12872: aEnrich|eHRD - Stored Cross-Site Scripting

Vendor Aenrich
Product a+HRD
Weakness CWE-79 · XSS
Published November 12, 2025
Last update November 12, 2025
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

The a+HRD and a+HCM developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to upload files containing malicious JavaScript code, which will execute on the client side when a user is tricked into visiting a specific URL.

Key dates

02Disclosure timeline

November 12, 2025 CVE published
November 12, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-4082 ER Swiffy Insert <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes CVE-2025-68495 WordPress JetEngine plugin <= 3.8.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-4176 CVE-2025-53466 WordPress Better Find and Replace Plugin <= 1.7.6 - Cross Site Scripting (XSS) Vulnerability CVE-2025-53892 Intlify Vue I18n's escapeParameterHtml does not prevent DOM-based XSS via tag attributes like onerror