CVE-2025-12184: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in rboatright MeetingList
The MeetingList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Analysis
Technical Summary
CVE-2025-12184 is a stored Cross-Site Scripting (XSS) vulnerability identified in the MeetingList plugin for WordPress, versions up to and including 0.11. The vulnerability arises from improper neutralization of input during web page generation, specifically due to insufficient input sanitization and output escaping in the plugin's admin settings. This flaw allows authenticated users with administrator-level permissions or higher to inject arbitrary JavaScript code into pages managed by the plugin. The malicious scripts are stored persistently and execute whenever any user accesses the infected page, potentially leading to session hijacking, credential theft, or unauthorized actions performed under the victim's context. The vulnerability is constrained to multi-site WordPress installations where the unfiltered_html capability is disabled, limiting the attack surface. The CVSS v3.1 base score is 4.4 (medium severity), with vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, high attack complexity, required high privileges, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability's presence in a widely used CMS plugin makes it a potential target for future exploitation. The vulnerability was published on November 4, 2025, and is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of web applications running WordPress multi-site installations with the MeetingList plugin. Attackers with administrator privileges can inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, theft of sensitive information, or unauthorized administrative actions. While availability is not impacted, the breach of trust and data confidentiality can have regulatory consequences under GDPR, especially if personal data is compromised. Organizations relying on WordPress multi-site setups for internal or external communications are particularly vulnerable. The requirement for high privileges and disabled unfiltered_html reduces the likelihood of widespread exploitation but does not eliminate risk from insider threats or compromised admin accounts. The absence of known exploits in the wild suggests a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
1. Immediately update the MeetingList plugin to a patched version once available; monitor vendor announcements for patches.
2. Until a patch is released, restrict administrator-level access strictly to trusted personnel and audit admin accounts for suspicious activity.
3. Enable and enforce strict input validation and output escaping in WordPress and plugin configurations, especially for multi-site environments.
4. Consider disabling or limiting the use of the MeetingList plugin in multi-site installations if not critical.
5. Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS payloads by restricting script execution sources.
6. Regularly scan WordPress sites with security tools capable of detecting stored XSS vulnerabilities.
7. Educate administrators on the risks of stored XSS and the importance of secure plugin management.
8. Review and adjust the unfiltered_html capability settings carefully, balancing functionality and security.
9. Monitor logs for unusual admin activity or unexpected script injections.
10. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense.
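The root cause named above (a plugin setting stored without sanitization and echoed without escaping) and the fix in recommendation 3 are illustrated below with a WordPress settings-page pattern. This is an added example, not the MeetingList plugin's code; the option name `ml_demo_title`, the function names and the settings group are assumed for illustration.

```php
<?php
/*
 * Illustrative WordPress settings-page pattern (added example, not the
 * MeetingList plugin's actual code). Option and function names are assumed.
 */

// --- Vulnerable pattern: raw option stored as submitted and echoed unescaped. ---
function ml_demo_render_field_unsafe() {
    $title = get_option( 'ml_demo_title', '' );
    // The stored value reaches the page verbatim, so any markup an admin saved
    // here is rendered for every viewer: the CWE-79 pattern described above.
    echo '<input type="text" name="ml_demo_title" value="' . $title . '">';
}

// --- Hardened pattern: sanitize on save, escape on output. ---
function ml_demo_register_settings() {
    register_setting(
        'ml_demo_group',
        'ml_demo_title',
        array(
            'type'              => 'string',
            // Runs before the value is written to the options table.
            'sanitize_callback' => 'ml_demo_sanitize_title',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'ml_demo_register_settings' );

function ml_demo_sanitize_title( $value ) {
    // A plain-text setting never needs markup, so apply the same rule to
    // every saver regardless of whether they hold unfiltered_html: on
    // multi-site that capability is normally absent for site admins anyway.
    return sanitize_text_field( (string) $value );
}

function ml_demo_render_field_safe() {
    $title = get_option( 'ml_demo_title', '' );
    // esc_attr() neutralises quotes and angle brackets at the output point,
    // so a value that somehow bypassed sanitization still cannot break out.
    printf(
        '<input type="text" name="ml_demo_title" value="%s">',
        esc_attr( $title )
    );
}

function ml_demo_render_frontend_title() {
    // Same rule on the public side: escape for the output context (HTML text).
    echo '<h2>' . esc_html( get_option( 'ml_demo_title', '' ) ) . '</h2>';
}
```

Sanitization on save limits what can be stored; escaping at every output point is the control that actually prevents stored script from running, so both belong in a fix.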
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-24T19:38:22.809Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 690a109f5ba1a6c630faf34a
Added to database: 11/4/2025, 2:41:35 PM
Last enriched: 11/4/2025, 2:56:34 PM
Last updated: 11/4/2025, 7:05:39 PM