CVE-2025-12118 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Schema Scalpel plugin for WordPress, affecting all versions up to and including 1.6.1. The root cause is insufficient sanitization and escaping of user-supplied post titles when these are embedded into JSON-LD schema markup on web pages. JSON-LD is commonly used to provide structured data to search engines, and in this case, the plugin outputs the post title directly into the JSON-LD without properly neutralizing potentially malicious input. An attacker with Contributor-level or higher privileges can inject arbitrary JavaScript code into the post title, which is then stored persistently and executed in the browsers of any users viewing the affected page. This stored XSS can lead to session hijacking, credential theft, defacement, or pivoting to other attacks. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity with network attack vector, low complexity, privileges required, no user interaction, and a scope change due to the potential impact on other users. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be treated seriously. The plugin is widely used in WordPress environments, which are prevalent in many European organizations for content management and e-commerce. The vulnerability highlights the risks of insufficient input validation in plugins that integrate user content into structured data formats.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of web applications running WordPress with the Schema Scalpel plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, and reputational damage. This can affect customer trust and lead to regulatory scrutiny under GDPR if personal data is compromised. The persistent nature of stored XSS means that the malicious payload remains active until removed, increasing the window of exposure. Organizations relying on WordPress for public-facing websites, blogs, or e-commerce platforms are particularly vulnerable. The attack vector requires authentication but no user interaction, making it easier for insiders or compromised accounts to exploit. The medium severity score reflects a moderate but non-trivial risk that should be addressed promptly to prevent escalation or chaining with other vulnerabilities.

1. Monitor for and apply official patches or updates from the Schema Scalpel plugin vendor as soon as they become available. 2. Until a patch is released, restrict Contributor-level and higher privileges to trusted users only to reduce the risk of malicious input. 3. Implement manual input validation and sanitization on post titles, ensuring that any user-supplied content is properly escaped before being embedded into JSON-LD schema markup. 4. Use Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection patterns in post titles or JSON-LD outputs. 5. Conduct regular security audits and code reviews of WordPress plugins, especially those handling user-generated content in structured data formats. 6. Educate content contributors about the risks of injecting scripts and enforce strict content policies. 7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on web pages. 8. Monitor logs and user activity for signs of exploitation attempts or unusual behavior from users with Contributor or higher roles.