CVE-2025-12178 is a stored Cross-Site Scripting (XSS) vulnerability identified in the SpiceForms Form Builder plugin for WordPress, developed by aankit. This vulnerability affects all versions up to and including 1.0. The root cause is improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of user-supplied attributes within the 'spiceforms' shortcode. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into form shortcodes embedded in WordPress pages or posts. When any user accesses a page containing the injected shortcode, the malicious script executes in their browser context. This can lead to session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability does not require user interaction beyond page access and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based (remote), with low attack complexity and requiring privileges (authenticated contributor or above). The scope is changed because the vulnerability can affect other users viewing the injected content. No public exploits or patches are currently available, increasing the risk of exploitation once weaponized. The vulnerability was reserved in October 2025 and published in January 2026. Given the widespread use of WordPress and the plugin’s availability, this vulnerability poses a significant risk to websites relying on SpiceForms for form creation and management.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted websites, compromising user sessions and potentially leaking sensitive data. Organizations with contributor-level users who can add or edit content are particularly vulnerable, as these users could inject malicious scripts that affect all visitors. This could result in reputational damage, data breaches, and regulatory non-compliance under GDPR if personal data is exposed. The attack could also facilitate further attacks such as phishing or malware distribution targeting European users. Websites critical to business operations or public services using this plugin may face service disruption or loss of user trust. The medium severity score indicates a moderate risk, but the potential for widespread impact on confidentiality and integrity is significant, especially in sectors like finance, healthcare, and government where WordPress is commonly used for public-facing sites.

European organizations should immediately audit their WordPress installations to identify the presence of the SpiceForms Form Builder plugin. Restrict contributor-level permissions to trusted users only and consider temporarily disabling the plugin or removing the 'spiceforms' shortcode usage until a patch is released. Implement strict content review processes for user-generated content that includes shortcodes. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute patterns indicative of XSS payloads. Monitor logs for unusual shortcode edits or injections. Encourage plugin developers or vendors to release a security update with proper input sanitization and output escaping. In the interim, organizations can apply manual code fixes by sanitizing shortcode attributes using WordPress’s built-in functions like esc_attr() and wp_kses(). Conduct user awareness training to recognize potential phishing or script injection symptoms. Regularly update WordPress core and plugins to minimize exposure to known vulnerabilities.