CVE-2025-12368 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Sermon Manager plugin for WordPress, developed by wpforchurch. This vulnerability affects all versions up to and including 2.30.0. The root cause is insufficient sanitization and escaping of user-supplied input within the `sermon-views` shortcode, which is used to display sermon-related content on WordPress sites. An attacker with authenticated Contributor-level access or higher can inject arbitrary JavaScript code that is stored persistently in the plugin's data and executed in the browsers of users who visit the affected pages. This can lead to session hijacking, defacement, or unauthorized actions performed in the context of the victim user. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (authenticated Contributor or above), no user interaction, and a scope change due to potential impact on other users. No known exploits are currently reported in the wild, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. The lack of a patch at the time of reporting means that affected sites remain vulnerable until updates are released or mitigations applied.

For European organizations, the impact of this vulnerability can be significant, particularly for those operating WordPress sites with the Sermon Manager plugin installed. Religious institutions, community organizations, and churches that use this plugin to manage and display sermon content are the primary targets. Successful exploitation can lead to theft of user credentials, session tokens, or other sensitive information, enabling attackers to impersonate users or escalate privileges. It can also facilitate phishing attacks or malware distribution by injecting malicious scripts. The compromise of user trust and potential data breaches could result in reputational damage and legal consequences under GDPR if personal data is exposed. Although the vulnerability does not directly affect availability, the integrity and confidentiality of the affected websites and their users are at risk. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with many contributors or weak access controls.

1. Monitor for and apply security updates from wpforchurch promptly once a patch for this vulnerability is released. 2. Until a patch is available, restrict Contributor-level and higher permissions to trusted users only, minimizing the number of accounts that can exploit this vulnerability. 3. Implement strict input validation and output encoding on any custom code interacting with the `sermon-views` shortcode or similar features. 4. Deploy Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting WordPress plugins. 5. Conduct regular security audits and penetration testing focusing on user input handling in WordPress plugins. 6. Educate site administrators and contributors about the risks of XSS and safe content management practices. 7. Consider disabling or replacing the Sermon Manager plugin with alternative solutions if immediate patching is not feasible. 8. Monitor logs for suspicious activity related to shortcode usage or unexpected script injections.