CVE-2025-12118 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Schema Scalpel plugin for WordPress, affecting all versions up to and including 1.6.1. The root cause is insufficient sanitization and escaping of user input, specifically the post title, when it is embedded into JSON-LD schema markup on web pages. JSON-LD is commonly used to provide structured data to search engines, and the plugin outputs user-supplied post titles directly into this markup without proper neutralization. An authenticated attacker with at least Contributor-level privileges can exploit this by injecting malicious JavaScript code into the post title. When any user, including administrators or visitors, accesses the affected page, the injected script executes in their browser context. This can lead to session hijacking, unauthorized actions, or data theft. The vulnerability has a CVSS v3.1 score of 6.4, reflecting a medium severity level. The attack vector is network-based, with low complexity, requiring privileges but no user interaction. The scope is changed because the vulnerability affects data that can impact other users viewing the page. No known exploits are currently reported in the wild, but the risk remains significant due to the widespread use of WordPress and the plugin. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The lack of a patch at the time of reporting necessitates immediate mitigation steps to reduce risk.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the Schema Scalpel plugin on WordPress, particularly those that allow Contributor-level users to create or edit posts. Exploitation can lead to the execution of arbitrary scripts in the browsers of site visitors and administrators, potentially resulting in session hijacking, defacement, or unauthorized actions performed on behalf of users. This can undermine trust, damage reputation, and lead to data breaches involving personal or sensitive information. The impact on confidentiality and integrity is partial but significant, while availability is not directly affected. Organizations with public-facing WordPress sites that rely on structured data for SEO and user engagement are especially vulnerable. Since the attack requires authenticated access, insider threats or compromised Contributor accounts increase risk. The vulnerability could also be leveraged as a foothold for more advanced attacks or lateral movement within an organization's web infrastructure. Given the interconnected nature of European digital services, exploitation could have cascading effects on business operations and compliance with data protection regulations such as GDPR.

1. Monitor for and apply any official patches or updates released by the Schema Scalpel plugin developers immediately once available. 2. In the interim, restrict Contributor-level permissions to trusted users only and consider temporarily disabling the plugin if feasible. 3. Implement additional input validation and output encoding on the post title field at the application or web server level to neutralize potentially malicious scripts. 4. Employ Web Application Firewalls (WAFs) with rules targeting JSON-LD injection patterns to detect and block suspicious payloads. 5. Conduct regular audits of user-generated content, especially post titles, to identify and remove injected scripts. 6. Educate content contributors about safe content practices and the risks of injecting scripts. 7. Use Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 8. Monitor logs and user activity for signs of exploitation attempts or unusual behavior. 9. Consider implementing multi-factor authentication (MFA) for all authenticated users to reduce the risk of account compromise. 10. Review and harden WordPress security configurations and ensure all plugins and themes are kept up to date.