CVE-2025-12096 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Simple Excel Pricelist for WooCommerce plugin for WordPress, specifically in versions up to and including 1.13. The vulnerability arises from improper neutralization of user-supplied input within the 'pricelist' shortcode, where insufficient sanitization and output escaping allow authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed whenever any user accesses the affected page, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed in the context of the victim's browser session. The attack vector requires authentication but no user interaction beyond page viewing, and the scope includes all installations of the plugin up to the specified version. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required at the contributor level. The vulnerability impacts confidentiality and integrity but not availability. No patches or known exploits have been reported at the time of publication, but the risk remains significant due to the widespread use of WooCommerce in e-commerce environments. The vulnerability is classified under CWE-79, highlighting the failure to properly sanitize input during web page generation.

For European organizations, this vulnerability poses a risk primarily to e-commerce platforms using WordPress with the Simple Excel Pricelist for WooCommerce plugin. Exploitation could lead to unauthorized disclosure of customer data, session hijacking, and potential defacement or manipulation of web content, undermining customer trust and regulatory compliance, particularly under GDPR. The requirement for authenticated access limits the attack surface but insider threats or compromised contributor accounts could be leveraged. The persistent nature of the stored XSS means that multiple users can be affected over time, increasing the potential damage. Given the importance of e-commerce in countries like Germany, the UK, France, and the Netherlands, organizations in these regions could face reputational damage, financial losses, and legal consequences if exploited. Additionally, attackers could use this vulnerability as a foothold for further attacks within the network or to distribute malware to site visitors.

Organizations should monitor for updates from the plugin vendor and apply patches promptly once available. Until a patch is released, administrators should restrict Contributor-level permissions to trusted users only and audit existing user roles to minimize risk. Implementing Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs can provide interim protection. Additionally, applying manual input validation and output encoding on shortcode parameters within the plugin code can mitigate the vulnerability if custom development resources are available. Regular security reviews and monitoring for unusual activity on affected sites are recommended. Organizations should also educate content contributors about the risks of injecting untrusted content and enforce strict content policies. Finally, consider disabling or replacing the vulnerable plugin if immediate patching is not feasible.