CVE-2025-12122 is a stored cross-site scripting (XSS) vulnerability classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) affecting the 'Popup Box – Easily Create WordPress Popups' plugin for WordPress. The vulnerability arises from insufficient sanitization and escaping of user-supplied attributes within the 'iframeBox' shortcode, which allows authenticated users with contributor-level privileges or higher to inject malicious JavaScript code. This injected script is stored persistently and executed whenever any user accesses the affected page, enabling attackers to hijack user sessions, perform actions on behalf of users, or deliver further payloads. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change due to impact on other components. While no public exploits are reported yet, the vulnerability’s presence in all plugin versions up to 3.2.12 means a wide range of WordPress sites could be vulnerable. The plugin is popular for creating popups, which are often embedded in high-traffic pages, increasing the potential impact. The vulnerability’s exploitation does not affect availability but compromises confidentiality and integrity of user sessions and data. The lack of a patch link suggests that remediation may require vendor action or manual mitigation by administrators.

For European organizations, this vulnerability poses a significant risk to websites using the affected WordPress plugin, especially those with contributor-level user roles such as content creators or editors. Exploitation could lead to session hijacking, unauthorized actions on behalf of users, defacement, or distribution of malware through injected scripts. This can damage brand reputation, lead to data breaches involving personal or customer data, and potentially violate GDPR requirements due to unauthorized data access or processing. Organizations in sectors like e-commerce, media, education, and government that rely on WordPress for public-facing websites are particularly vulnerable. The persistent nature of stored XSS increases the risk of widespread impact across multiple users. Additionally, the scope change in the CVSS vector indicates that the vulnerability could affect components beyond the plugin itself, potentially impacting the broader WordPress environment. The medium severity rating suggests that while the vulnerability is not critical, it is sufficiently serious to warrant immediate attention to prevent exploitation.

1. Monitor the vendor’s official channels for an official patch and apply it immediately upon release. 2. Until a patch is available, restrict contributor-level user permissions to trusted individuals only, minimizing the risk of malicious shortcode injection. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'iframeBox' shortcode attributes. 4. Use security plugins that provide XSS protection and sanitize user inputs at the application level. 5. Conduct regular security audits and code reviews of custom shortcode usage to ensure proper input validation and output escaping. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content submission policies. 7. Consider disabling or removing the vulnerable plugin if it is not essential or replace it with a more secure alternative. 8. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the website. 9. Regularly backup website data to enable quick restoration in case of compromise. 10. Monitor website traffic and logs for unusual activity that could indicate exploitation attempts.