CVE-2025-12090 is a stored Cross-Site Scripting (XSS) vulnerability categorized under CWE-79, found in the Employee Spotlight – Team Member Showcase & Meet the Team plugin for WordPress, developed by emarket-design. This vulnerability affects all plugin versions up to and including 5.1.2. The root cause is insufficient sanitization and output escaping of user-supplied input in social URL fields, which allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious scripts are stored persistently, they execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, defacement, or unauthorized actions within the WordPress environment. The attack vector is network-based, with low complexity, requiring authenticated access but no user interaction beyond viewing the infected page. The vulnerability impacts confidentiality and integrity but does not affect availability. No public exploits have been reported yet, but the presence of this vulnerability in a widely used content management system plugin poses a significant risk. The CVSS 3.1 score of 6.4 reflects these factors, indicating a medium severity level. The vulnerability was publicly disclosed on November 1, 2025, with no official patches available at the time of reporting, necessitating immediate mitigation efforts by administrators.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of WordPress-based websites that utilize the affected plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, theft of sensitive information, unauthorized content modification, or further exploitation of the site’s trust relationships. This can damage organizational reputation, lead to data breaches, and disrupt business operations. Given WordPress’s popularity in Europe, especially among small and medium enterprises, and the plugin’s use for team and employee showcases, the vulnerability could be exploited to target internal communications or public-facing corporate sites. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once the vulnerability is public. Organizations failing to address this issue may face compliance challenges under GDPR if personal data is compromised through exploitation.

1. Immediately restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input. 2. Apply any available updates or patches from the plugin vendor as soon as they are released; monitor vendor channels closely. 3. If patches are not yet available, consider temporarily disabling the plugin or removing the social URL input fields to prevent exploitation. 4. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the plugin’s input fields. 5. Conduct regular security audits and code reviews of custom plugins and themes to ensure proper input sanitization and output encoding. 6. Educate site administrators and content contributors about the risks of injecting untrusted content and the importance of secure coding practices. 7. Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 8. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources. 9. Backup website data regularly to enable rapid recovery in case of compromise.