CVE-2025-12125 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the HTML Forms – Simple WordPress Forms Plugin developed by linksoftware. This vulnerability exists in all versions up to and including 1.5.5. The root cause is insufficient input sanitization and output escaping in the plugin's admin settings, which allows authenticated users with administrator-level permissions or higher to inject arbitrary JavaScript code into pages. The vulnerability specifically impacts WordPress multi-site installations where the unfiltered_html capability is disabled, which restricts users from posting unfiltered HTML content. When a malicious script is injected, it executes in the context of any user who visits the affected page, potentially enabling session hijacking, privilege escalation, or other malicious actions. The CVSS 3.1 base score is 4.4, reflecting a medium severity due to the requirement for high privileges (administrator access), no user interaction needed, and network attack vector. The scope is changed because the vulnerability affects multiple sites within a WordPress multi-site environment. Currently, there are no known exploits in the wild, and no official patches have been linked yet. The vulnerability was publicly disclosed on November 8, 2025, with the initial reservation date on October 23, 2025.

The primary impact of this vulnerability is the potential for stored XSS attacks within WordPress multi-site environments using the affected plugin. An attacker with administrator privileges can inject malicious scripts that execute in the browsers of users who visit the compromised pages. This can lead to theft of authentication cookies, enabling session hijacking, unauthorized actions performed on behalf of users, or further compromise of the WordPress environment. Since the vulnerability requires administrator-level access, the risk is somewhat mitigated by the need for high privileges; however, if an attacker gains such access (e.g., via credential theft or insider threat), the impact can be significant. Multi-site installations are often used by organizations managing multiple websites, increasing the potential scope of compromise. The vulnerability does not affect availability directly but compromises confidentiality and integrity of user sessions and data. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly known.

1. Restrict administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of privilege escalation or credential compromise. 2. Monitor and audit multi-site WordPress installations regularly for unusual administrator activity or unauthorized changes in plugin settings. 3. Temporarily disable or remove the HTML Forms – Simple WordPress Forms Plugin in multi-site environments until a patch or update is released by the vendor. 4. If disabling the plugin is not feasible, consider enabling the unfiltered_html capability cautiously or applying custom input sanitization and output escaping measures within the plugin code as a temporary workaround. 5. Keep WordPress core and all plugins updated to the latest versions once the vendor releases a security patch addressing this vulnerability. 6. Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting WordPress admin interfaces. 7. Educate administrators about the risks of stored XSS and safe handling of plugin settings to avoid inadvertent script injection.