CVE-2025-12324 is a stored Cross-Site Scripting (XSS) vulnerability found in the TablePress – Tables in WordPress made easy plugin, which is widely used to create and manage tables within WordPress sites. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically in the handling of the plugin's `table` shortcode attributes. All versions up to and including 3.2.3 are affected. The root cause is insufficient sanitization and output escaping of user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. These malicious scripts are stored persistently and executed in the browsers of any users who visit the infected pages, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability affects resources beyond the initially compromised component. No public exploits are known yet, but the vulnerability's presence in a popular WordPress plugin makes it a credible threat. The vulnerability was published on November 4, 2025, and was assigned by Wordfence. No official patches or updates are linked yet, so mitigation may require manual intervention or plugin updates once released.

For European organizations, this vulnerability poses a significant risk to websites using the TablePress plugin, especially those that allow contributor-level users to add or edit content. Exploitation can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware through injected scripts. This can damage organizational reputation, lead to data breaches involving user credentials or personal data, and cause compliance issues under GDPR due to unauthorized data exposure or processing. The persistent nature of the stored XSS means that once exploited, multiple users can be affected over time. Organizations relying on WordPress for public-facing or internal portals are at risk, particularly those with collaborative content management workflows. The medium severity score indicates moderate impact, but the ease of exploitation by authenticated users elevates the threat in environments with multiple contributors. Additionally, the scope change means the vulnerability can affect other components or users beyond the initial attacker’s privileges, increasing potential damage.

European organizations should immediately audit their WordPress installations to identify the presence of the TablePress plugin and its version. Until an official patch is released, restrict contributor-level permissions to trusted users only and consider temporarily disabling the plugin if feasible. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute patterns that may contain script tags or event handlers. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Conduct regular security reviews of user-generated content and sanitize inputs at the application level where possible. Monitor logs for unusual activity or unexpected content changes in pages using TablePress. Once a patched version is available, prioritize updating the plugin promptly. Educate content contributors about the risks of injecting untrusted code and enforce strict content moderation policies. For high-value targets, consider deploying runtime application self-protection (RASP) solutions to detect and block XSS attempts dynamically.