CVE-2025-12067 identifies a stored cross-site scripting vulnerability in the jonua Table Field Add-on for ACF and SCF WordPress plugin, present in all versions up to and including 1.3.30. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of user-supplied content in table cells. Authenticated users with Author-level access or higher can inject arbitrary JavaScript code into table cell content fields. This malicious code is stored persistently and executed in the context of any user who views the affected page, enabling attacks such as session hijacking, defacement, or further privilege escalation. The vulnerability requires no user interaction beyond page access but does require authenticated access with elevated privileges, which limits the attack surface to users who can create or edit content. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to potential impact on other users. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple authors or contributors. The lack of available patches at the time of publication necessitates immediate mitigation steps to reduce risk.

The primary impact of this vulnerability is the potential for persistent cross-site scripting attacks on WordPress sites using the affected plugin. Successful exploitation can lead to theft of user credentials, session tokens, or other sensitive information, enabling attackers to impersonate legitimate users. It can also facilitate defacement, unauthorized actions on behalf of users, or pivoting to more severe attacks such as privilege escalation or malware deployment. Since the vulnerability requires Author-level access, attackers must first compromise or have legitimate access to an account with content creation privileges, which may be common in multi-user environments. The scope change in the CVSS vector indicates that the vulnerability can affect other users beyond the attacker, increasing risk to site integrity and user trust. Organizations relying on this plugin for content management face reputational damage, data leakage, and potential regulatory compliance issues if exploited. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed rapidly once disclosed.

1. Immediately restrict Author-level and higher privileges to trusted users only, minimizing the number of accounts that can exploit this vulnerability. 2. Implement strict input validation and output encoding on table cell content fields, either through custom code or security plugins that enforce sanitization. 3. Monitor WordPress user activity logs for unusual content submissions or script injections in table fields. 4. Apply web application firewall (WAF) rules to detect and block common XSS payloads targeting the affected plugin. 5. Regularly update the plugin once a security patch is released by the vendor; if no patch is available, consider disabling or replacing the plugin with a secure alternative. 6. Educate content authors on safe content practices and the risks of injecting untrusted code. 7. Conduct periodic security audits and vulnerability scans focusing on WordPress plugins and user-generated content areas. 8. Use Content Security Policy (CSP) headers to limit the impact of potential XSS by restricting script execution sources.