The WP Delete Post Copies plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-12066. This vulnerability arises due to improper neutralization of input during web page generation (CWE-79), specifically insufficient input sanitization and output escaping in the plugin's admin settings interface. Authenticated attackers with administrator-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages managed by the plugin. The injected scripts execute whenever a user accesses the compromised page, potentially allowing session hijacking, privilege escalation, or unauthorized actions within the WordPress admin environment. However, this vulnerability only affects multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting its scope. The CVSS 3.1 base score is 4.4, reflecting a medium severity due to the requirement for high privileges (PR:H), network attack vector (AV:N), no user interaction (UI:N), and partial impact on confidentiality and integrity (C:L/I:L). No known public exploits have been reported as of the publication date, November 21, 2025. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those handling administrative functions in multi-site environments.

The primary impact of CVE-2025-12066 is the potential for attackers with administrator-level access to inject malicious scripts that execute in the context of the WordPress admin interface. This can lead to session hijacking, theft of sensitive administrative data, or unauthorized actions performed with elevated privileges. Although the vulnerability does not directly affect availability, it compromises the integrity and confidentiality of the affected sites. Since exploitation requires high privileges, the threat is limited to insiders or attackers who have already breached lower-level defenses. However, in multi-site installations, the impact can be amplified as multiple sites may be affected by a single injection. Organizations relying on this plugin in multi-site or restricted unfiltered_html environments face increased risk of administrative compromise, potentially leading to broader site defacement, data leakage, or further malware deployment.

To mitigate CVE-2025-12066, organizations should first update the WP Delete Post Copies plugin to a patched version once available. In the absence of an official patch, administrators should restrict plugin usage to trusted personnel only and audit admin settings for suspicious scripts or inputs. Enabling strict Content Security Policy (CSP) headers can help limit the impact of injected scripts. Additionally, reviewing and hardening user permissions to minimize the number of users with administrator-level access reduces exploitation risk. For multi-site installations, consider isolating critical sites or disabling the plugin where not essential. Implementing web application firewalls (WAFs) with rules targeting XSS payloads in admin interfaces can provide an additional layer of defense. Regular security audits and monitoring for anomalous admin activity will help detect exploitation attempts early.