CVE-2025-12186 is a stored cross-site scripting vulnerability identified in the Weekly Planner plugin for WordPress, developed by michael_j_reid. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient input sanitization and output escaping in the plugin's admin settings. It affects all versions up to and including 1.0. The flaw allows authenticated attackers with administrator-level permissions or higher to inject arbitrary JavaScript code into pages managed by the plugin. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is constrained to multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting its attack surface. The CVSS v3.1 base score is 4.4, reflecting a medium severity with network attack vector, high attack complexity, and requiring high privileges but no user interaction. No public exploits have been reported, and no official patches are currently available. The vulnerability was reserved on October 24, 2025, and published on December 5, 2025. The issue underscores the importance of proper input validation and output encoding in plugin development, especially for administrative interfaces in multi-site environments.

The primary impact of CVE-2025-12186 is the potential execution of arbitrary JavaScript code within the context of affected WordPress sites, which can compromise user confidentiality and integrity. Attackers with administrator privileges can inject malicious scripts that execute when other users visit the affected pages, potentially leading to session hijacking, unauthorized actions, or data leakage. Although the vulnerability does not directly affect availability, the integrity and confidentiality risks can be significant, especially in multi-site environments where multiple sites share the same WordPress installation. The requirement for high privileges limits the threat to insiders or compromised administrator accounts, reducing the likelihood of widespread exploitation. However, if exploited, it could facilitate further attacks such as privilege escalation or persistent backdoors. Organizations relying on the Weekly Planner plugin in multi-site setups are at risk of targeted attacks that could undermine trust and data security.

To mitigate CVE-2025-12186, organizations should first verify whether they use the Weekly Planner plugin in multi-site WordPress installations or have unfiltered_html disabled. Immediate steps include restricting administrator access to trusted personnel only and auditing existing admin settings for suspicious scripts. Since no official patch is currently available, consider temporarily disabling or uninstalling the plugin in sensitive environments. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the plugin's admin pages. Additionally, enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor logs for unusual administrator activity and conduct security reviews of all plugins, especially those with admin interfaces. When a patch is released, apply it promptly. Finally, educate administrators on safe input practices and the risks of stored XSS in multi-site WordPress contexts.