
CVE-2025-12066: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in etruel WP Delete Post Copies

Severity: Medium
Tags: Vulnerability, CVE-2025-12066, CWE-79
Published: Fri Nov 21 2025 (11/21/2025, 09:27:00 UTC)
Source: CVE Database V5
Vendor/Project: etruel
Product: WP Delete Post Copies

Description

CVE-2025-12066 is a stored cross-site scripting (XSS) vulnerability in the WP Delete Post Copies WordPress plugin affecting all versions up to and including 6.0.2. It allows authenticated users with administrator-level permissions or higher to inject malicious scripts via admin settings. The vulnerability specifically impacts multi-site WordPress installations or those with unfiltered_html disabled. Exploitation requires high privileges and no user interaction, but the CVSS score is medium because of the limited impact scope. Successful exploitation can lead to the execution of arbitrary scripts in the context of other users, potentially compromising confidentiality and integrity. No known public exploits exist yet, and no patches have been released. European organizations using this plugin in multi-site environments should prioritize mitigation to prevent potential abuse. Mitigation involves restricting admin access, monitoring for suspicious admin activity, and applying any future patches promptly.

AI-Powered Analysis

Last updated: 11/28/2025, 10:57:06 UTC

Technical Analysis

CVE-2025-12066 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the WP Delete Post Copies plugin for WordPress. This vulnerability affects all versions up to and including 6.0.2 and arises from insufficient input sanitization and output escaping in the plugin's admin settings interface. Specifically, authenticated users with administrator-level permissions or higher can inject arbitrary JavaScript code into pages generated by the plugin. The injected scripts execute whenever any user accesses the affected pages, potentially allowing attackers to hijack sessions, steal sensitive data, or perform actions on behalf of other users. The vulnerability is limited to multi-site WordPress installations or those where the unfiltered_html capability is disabled, which restricts the scope of affected environments. Exploitation requires high privileges (administrator or above) and does not require user interaction, but the attack vector is network-based with high attack complexity. The CVSS v3.1 base score is 4.4 (medium severity), reflecting limited confidentiality and integrity impact and no availability impact. No public exploits have been reported, and no official patches are currently available, though the vulnerability has been publicly disclosed and assigned a CVE identifier. The vulnerability's presence in multi-site environments is significant because such setups often serve multiple sites or tenants, increasing the potential impact if exploited.
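The defect class described above, shown as an added illustration that is not the plugin's own code: a hypothetical settings field that stores an administrator-supplied value and echoes it raw into the admin page, beside a hardened version that registers a sanitize_callback and escapes on output. All `xss_demo_*` names are made up for the example; the WordPress API calls (register_setting, get_option, sanitize_text_field, esc_attr) are real.

```php
<?php
// Added example, not WP Delete Post Copies code. Names prefixed xss_demo_ are hypothetical.

// --- Vulnerable pattern: value saved as-is and echoed unescaped into the settings form. ---
function xss_demo_register_vulnerable() {
    // No sanitize_callback: whatever an admin submits is stored verbatim.
    register_setting( 'xss_demo_group', 'xss_demo_label' );
}
function xss_demo_render_vulnerable() {
    $label = get_option( 'xss_demo_label', '' );
    // Stored XSS: a stored value containing a double quote followed by a script tag
    // breaks out of the attribute and runs in the browser of every admin who opens the page.
    echo '<input type="text" name="xss_demo_label" value="' . $label . '">';
}

// --- Hardened pattern: sanitize on save, escape on output. ---
function xss_demo_sanitize_label( $value ) {
    // A plain text field never needs markup, so strip tags and stray control bytes on save.
    // On a single-site install an administrator already holds unfiltered_html and may post
    // raw HTML elsewhere, which is why the advisory scopes the bug to multisite or
    // unfiltered_html-disabled installs; sanitizing here removes that dependency entirely.
    return sanitize_text_field( $value );
}
function xss_demo_register_hardened() {
    register_setting( 'xss_demo_group', 'xss_demo_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'xss_demo_sanitize_label',
        'default'           => '',
    ) );
}
function xss_demo_render_hardened() {
    $label = get_option( 'xss_demo_label', '' );
    // esc_attr() is the output-side control and is applied regardless of what was stored,
    // so even a value written directly to the database cannot break out of the attribute.
    printf( '<input type="text" name="xss_demo_label" value="%s">', esc_attr( $label ) );
}

// Only the hardened registration is hooked; the vulnerable functions are kept for comparison.
add_action( 'admin_init', 'xss_demo_register_hardened' );
```

Both controls are needed: the sanitize_callback protects the stored value, and esc_attr() protects the page even when a value reaches the options table by another path (import, direct database edit, another plugin).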

Potential Impact

For European organizations, the impact of CVE-2025-12066 depends largely on the use of the WP Delete Post Copies plugin within multi-site WordPress installations. Organizations running multi-site WordPress environments with this plugin are at risk of stored XSS attacks that can compromise the confidentiality and integrity of user data and administrative functions. Attackers with administrator privileges could inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, credential theft, or unauthorized actions performed under the guise of legitimate users. While the vulnerability does not affect availability, the breach of trust and data integrity can have reputational and compliance consequences, especially under GDPR regulations. The requirement for high privileges limits the risk to insider threats or compromised administrator accounts, but the multi-site context increases the potential blast radius. European entities with extensive WordPress deployments, such as media companies, educational institutions, and government agencies, may face increased risks if they rely on this plugin without mitigation. The absence of known exploits reduces immediate risk but does not eliminate the threat of future exploitation.

Mitigation Recommendations

1. Restrict administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of privilege abuse.
2. Monitor administrative activities and audit logs for unusual changes in plugin settings or suspicious behavior indicative of attempted script injection.
3. Disable or avoid using the WP Delete Post Copies plugin in multi-site WordPress environments until a security patch is released.
4. If the plugin is essential, consider isolating multi-site installations or limiting the use of unfiltered_html capabilities to trusted users only.
5. Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources.
6. Keep WordPress core and all plugins updated regularly and subscribe to security advisories from the plugin vendor and WordPress security communities.
7. Prepare incident response plans to quickly address any detected exploitation attempts.
8. Conduct regular security assessments and penetration tests focusing on administrative interfaces and multi-site configurations.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-22T13:16:05.990Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692032ceb6fc887540a02d40

Added to database: 11/21/2025, 9:37:18 AM

Last enriched: 11/28/2025, 10:57:06 AM

Last updated: 1/7/2026, 4:52:11 AM

Views: 75
