CVE-2025-12067 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the jonua Table Field Add-on for the Advanced Custom Fields (ACF) and Smart Custom Fields (SCF) WordPress plugins. This vulnerability exists in all plugin versions up to and including 1.3.30. The root cause is insufficient sanitization of user input and lack of proper output escaping in the table cell content feature. Authenticated users with Author-level or higher privileges can inject arbitrary JavaScript code into table cells, which is then stored persistently in the WordPress database. When any user accesses a page containing the injected table, the malicious script executes in their browser context. This can lead to session hijacking, privilege escalation, unauthorized actions on behalf of users, or defacement of the website. The vulnerability requires the attacker to have authenticated access with at least Author privileges, which limits exposure but still poses a significant risk in multi-author environments. The CVSS v3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and no user interaction required. The vulnerability impacts confidentiality and integrity but not availability. No public exploits are known at this time, but the vulnerability is published and should be addressed promptly. The lack of a patch link indicates that a fix may not yet be available, necessitating interim mitigation strategies.

For European organizations, this vulnerability poses a risk primarily to websites using WordPress with the jonua Table Field Add-on for ACF and SCF, especially those with multiple content authors or contributors. Exploitation could allow attackers to execute malicious scripts in the browsers of site visitors or administrators, potentially leading to theft of authentication cookies, unauthorized actions, or defacement. This can damage organizational reputation, lead to data breaches, and disrupt business operations. Sectors such as media, e-commerce, education, and government websites that rely on WordPress for content management are particularly vulnerable. The impact is heightened in environments where sensitive user data or administrative functions are accessible via the affected pages. Since the vulnerability requires authenticated access with Author-level privileges, insider threats or compromised accounts increase risk. The medium severity score indicates a moderate but actionable threat that should be prioritized in patch management and security reviews.

1. Monitor the jonua plugin repository and vendor announcements closely for an official patch and apply it immediately upon release. 2. Until a patch is available, restrict Author-level and higher privileges to trusted users only and review user roles to minimize unnecessary elevated access. 3. Implement additional input validation and output escaping at the application or web server level for table cell content fields to prevent script injection. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script payloads in POST requests related to table content updates. 5. Conduct regular security audits and code reviews of custom WordPress plugins and themes to identify similar injection points. 6. Educate content authors about the risks of injecting untrusted content and enforce strict content policies. 7. Enable Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected sites. 8. Monitor logs for unusual activity indicative of exploitation attempts, such as unexpected script injections or anomalous user behavior. 9. Consider isolating or sandboxing high-risk content areas to limit the impact of potential XSS attacks.