CVE-2025-12368 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Sermon Manager plugin for WordPress, a tool commonly used by churches and religious organizations to manage and display sermons. The vulnerability exists in all versions up to and including 2.30.0 and is caused by insufficient sanitization and escaping of user-supplied attributes in the `sermon-views` shortcode. Specifically, authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript code into pages via this shortcode. Because the injected scripts are stored persistently, they execute every time a user accesses the infected page, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability does not require user interaction beyond visiting the compromised page and does not require higher privileges than Contributor, which is a relatively low-level role in WordPress. The CVSS 3.1 score of 6.4 reflects a medium severity, considering the network attack vector, low attack complexity, and the requirement for some privileges but no user interaction. Currently, no public exploits have been reported, but the vulnerability poses a significant risk to websites using this plugin. The lack of available patches at the time of publication means that mitigation must rely on access control and monitoring until a fix is released.

For European organizations, particularly religious institutions, community groups, and non-profits using WordPress with the Sermon Manager plugin, this vulnerability can lead to unauthorized script execution in users' browsers. This can result in theft of login credentials, session cookies, or other sensitive information, enabling attackers to escalate privileges or impersonate users. The compromise of user accounts could lead to defacement, misinformation dissemination, or unauthorized administrative actions. Given the persistent nature of stored XSS, the impact extends beyond a single visit and can affect all visitors to the infected pages. This undermines trust in the affected organizations' websites and may lead to reputational damage. Additionally, GDPR considerations apply if personal data is exposed or compromised, potentially resulting in regulatory penalties. The medium severity indicates a moderate but tangible risk that requires timely attention to prevent exploitation.

1. Immediately restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. 2. Implement strict input validation and output escaping on all user-supplied content, especially in shortcodes and dynamic page elements. 3. Monitor website content for unusual or suspicious script tags or JavaScript code injections, using automated scanning tools or manual audits. 4. Disable or remove the Sermon Manager plugin if it is not essential until a patched version is released. 5. Apply security headers such as Content Security Policy (CSP) to limit the execution of unauthorized scripts. 6. Keep WordPress core, themes, and all plugins updated to the latest versions to reduce exposure to known vulnerabilities. 7. Educate site administrators and contributors about the risks of XSS and safe content management practices. 8. Once a patch is available, promptly update the Sermon Manager plugin to the fixed version. 9. Consider implementing Web Application Firewalls (WAFs) that can detect and block XSS payloads targeting the site.