CVE-2025-12186 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Weekly Planner plugin for WordPress developed by michael_j_reid. The flaw arises from improper input sanitization and insufficient output escaping in the plugin's admin settings interface, which allows authenticated administrators or higher privileged users to inject arbitrary JavaScript code. This malicious code is stored persistently and executed whenever any user accesses the affected pages, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability specifically affects multisite WordPress installations or those where the unfiltered_html capability is disabled, limiting the attack surface to environments with stricter content filtering. The CVSS 3.1 base score of 4.4 reflects a medium severity, with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), requiring high privileges (PR:H), no user interaction (UI:N), and a scope change (S:C) with low confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N). There are no patches or known exploits publicly available at this time, but the vulnerability is published and should be addressed promptly to prevent potential exploitation.

For European organizations, the impact of this vulnerability is primarily on the confidentiality and integrity of data within WordPress multisite environments using the Weekly Planner plugin. Attackers with administrator privileges could inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, unauthorized actions, or data leakage. Although the vulnerability requires high privileges, insider threats or compromised admin accounts could exploit it to escalate damage. The absence of availability impact reduces the risk of service disruption, but the integrity and confidentiality risks remain significant, especially for organizations handling sensitive data or operating critical websites. Given the widespread use of WordPress in Europe, particularly in sectors like education, government, and small to medium enterprises, this vulnerability could facilitate targeted attacks or lateral movement within compromised networks.

European organizations should immediately audit their WordPress installations to identify multisite environments using the Weekly Planner plugin. Since no official patch is currently available, administrators should consider disabling or removing the plugin until a fix is released. Restricting administrator access and enforcing strong authentication mechanisms can reduce the risk of exploitation. Additionally, enabling web application firewalls (WAFs) with rules to detect and block suspicious script injections in admin settings can provide temporary protection. Organizations should also review and tighten content filtering settings, ensuring unfiltered_html is enabled only where absolutely necessary. Regular monitoring of logs for unusual admin activity and user behavior analytics can help detect early signs of exploitation. Finally, maintaining an incident response plan tailored to web application attacks will improve readiness in case of compromise.