CVE-2025-12037 is a stored cross-site scripting (XSS) vulnerability identified in the WP 404 Auto Redirect to Similar Post plugin for WordPress, affecting all versions up to and including 1.0.5. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of data entered via the plugin's administrative settings. This flaw allows an authenticated attacker with administrator-level permissions or higher to inject arbitrary JavaScript code that is stored persistently and executed whenever a user accesses the affected pages. The vulnerability is limited to WordPress multisite installations or those where the unfiltered_html capability is disabled, which restricts the scope but still affects many enterprise and multi-tenant WordPress environments. Exploitation does not require user interaction but does require high privileges, making it a targeted threat primarily from insiders or compromised admin accounts. The CVSS 3.1 base score of 4.4 reflects a medium severity, with network attack vector, high attack complexity, and privileges required. The impact includes potential leakage of sensitive information, session hijacking, or manipulation of page content, affecting confidentiality and integrity but not availability. No public exploits have been reported yet, and no patches are currently linked, indicating the need for vigilance and proactive mitigation.

For European organizations, especially those operating WordPress multisite environments or disabling unfiltered_html for security, this vulnerability poses a moderate risk. Successful exploitation could lead to unauthorized script execution in the context of the affected site, enabling attackers to steal session tokens, perform actions on behalf of users, or manipulate displayed content. This can result in data confidentiality breaches, reputational damage, and potential compliance issues under GDPR if personal data is exposed. The requirement for administrator-level access limits the threat to insider threats or attackers who have already compromised privileged accounts, but the multi-tenant nature of multisite installations can amplify the impact across multiple sites. Given the widespread use of WordPress in Europe for corporate, governmental, and media websites, the vulnerability could affect a significant number of organizations if the plugin is in use. The absence of known exploits reduces immediate risk but should not lead to complacency.

European organizations should immediately audit their WordPress installations to identify the presence of the WP 404 Auto Redirect to Similar Post plugin, particularly in multisite configurations. Restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of privilege abuse. Temporarily disable or remove the plugin if feasible until a security patch is released. Monitor administrative changes within WordPress for suspicious activity indicative of attempted exploitation. Employ web application firewalls (WAFs) with custom rules to detect and block malicious script injections targeting this plugin. Educate administrators about the risks of stored XSS and the importance of input validation. Once a patch becomes available, apply it promptly. Additionally, consider implementing Content Security Policy (CSP) headers to mitigate the impact of injected scripts. Regularly review and update WordPress core, plugins, and themes to minimize exposure to known vulnerabilities.