CVE-2025-12118 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Schema Scalpel plugin for WordPress, versions up to and including 1.6.1. The vulnerability stems from insufficient input sanitization and output escaping when user-supplied data, specifically the post title, is embedded into JSON-LD schema markup on web pages. This improper neutralization allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into posts. Because the malicious script is stored in the post title and rendered in the schema markup, it executes automatically whenever any user, including administrators or visitors, accesses the compromised page. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with attack vector as network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change (affecting other components). The impact affects confidentiality and integrity but not availability. No public exploits are known currently, but the vulnerability poses a significant risk due to the ease of exploitation by authenticated users and the potential for widespread impact through stored XSS. The plugin is widely used in WordPress environments, which are popular globally, making the vulnerability relevant to many organizations. The vulnerability was published on November 1, 2025, and assigned by Wordfence. No official patches or fixes have been linked yet, so mitigation requires careful access control and input validation.

The primary impact of CVE-2025-12118 is the potential for attackers with Contributor-level access to inject persistent malicious scripts into WordPress pages via the Schema Scalpel plugin. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of users, and defacement of websites. Since the malicious code executes in the context of the victim's browser, it can bypass same-origin policies and access sensitive information or perform actions with the victim's privileges. The vulnerability affects the confidentiality and integrity of user data and site content but does not directly impact availability. Organizations relying on WordPress sites with this plugin are at risk of reputational damage, data breaches, and potential compliance violations. The requirement for authenticated access limits exposure but does not eliminate risk, especially in environments with many contributors or where contributor accounts may be compromised. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the plugin itself, potentially impacting the broader WordPress site ecosystem.

1. Immediately restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious input. 2. Implement strict input validation and sanitization on post titles and any user-supplied data before it is embedded into JSON-LD schema markup. 3. Apply output escaping techniques specifically for JSON-LD contexts to prevent script injection. 4. Monitor and audit posts and pages for suspicious or unexpected script content, especially in schema markup sections. 5. Disable or remove the Schema Scalpel plugin until an official patch or update is released by the vendor. 6. Employ Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting JSON-LD or schema markup. 7. Educate content contributors about the risks of injecting untrusted content and enforce security best practices in content management. 8. Keep WordPress core and all plugins updated to the latest versions to reduce exposure to known vulnerabilities. 9. Consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the site. 10. Regularly back up website data to enable quick recovery in case of compromise.