CVE-2025-12096 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Simple Excel Pricelist for WooCommerce plugin for WordPress, specifically in versions up to and including 1.13. The vulnerability stems from improper neutralization of user-supplied input in the 'pricelist' shortcode attributes, where insufficient sanitization and output escaping allow authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who accesses the affected page, enabling potential session hijacking, privilege escalation, or unauthorized actions within the WordPress site. The attack vector requires no user interaction beyond visiting the compromised page, and the vulnerability affects confidentiality and integrity but not availability. The CVSS 3.1 base score is 6.4 (medium severity), with an attack vector of network, low attack complexity, privileges required at the level of a contributor, no user interaction, and scope changed due to the impact on other users. No known exploits have been reported in the wild yet. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content to be embedded in pages. Since WooCommerce is widely used in e-commerce, this vulnerability can be leveraged to target online stores, potentially leading to customer data exposure or site defacement. The lack of a current patch necessitates immediate mitigation steps to prevent exploitation.

For European organizations, especially those operating e-commerce platforms using WooCommerce with the Simple Excel Pricelist plugin, this vulnerability poses a significant risk to the confidentiality and integrity of their websites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to theft of authentication cookies, unauthorized actions, or defacement. This can damage customer trust, lead to data breaches involving personal or payment information, and cause reputational harm. Since the vulnerability does not affect availability directly, denial-of-service is less of a concern, but the broader impact on data security and compliance with GDPR is critical. Organizations with multiple content contributors or less restrictive access controls are particularly vulnerable. The medium severity rating suggests a moderate risk, but the potential for chained attacks or privilege escalation increases the threat level. The absence of known exploits in the wild provides a window for proactive mitigation.

1. Monitor for and apply official patches or updates from the plugin vendor as soon as they become available. 2. Until a patch is released, restrict Contributor-level and higher user permissions to trusted personnel only, minimizing the risk of malicious input. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection patterns in shortcode attributes. 4. Employ strict input validation and output encoding on all user-supplied shortcode attributes, either via custom code or security plugins that sanitize inputs. 5. Conduct regular security audits of WordPress plugins and user roles to identify and remediate potential abuse vectors. 6. Educate content contributors about the risks of injecting untrusted content and enforce content submission policies. 7. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 8. Monitor logs and website behavior for unusual activity indicative of exploitation attempts. 9. Consider temporarily disabling the affected shortcode if feasible until a patch is applied. 10. Maintain regular backups to enable recovery in case of compromise.