CVE-2025-12371 is a stored cross-site scripting (XSS) vulnerability identified in the Nari Accountant plugin for WordPress, affecting all versions up to and including 1.0.12. The root cause is improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping in the account settings functionality. This flaw allows authenticated attackers with editor-level permissions or higher to inject arbitrary JavaScript code that is stored persistently and executed whenever any user accesses the compromised page. The vulnerability is constrained to multi-site WordPress installations or single-site setups where the unfiltered_html capability is disabled, which restricts the ability to post unfiltered HTML content. The CVSS 3.1 base score is 4.4 (medium severity), reflecting network attack vector, high attack complexity, required privileges, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. The scope is changed because the vulnerability affects resources beyond the attacker’s privileges, potentially impacting other users. No public exploits have been reported, and no patches are currently available, increasing the urgency for administrators to apply compensating controls. The vulnerability stems from the plugin’s failure to properly sanitize and escape user input before rendering it in web pages, a classic CWE-79 issue. This can lead to session hijacking, unauthorized actions, or redirection attacks against users who view the infected content.

The primary impact of CVE-2025-12371 is the potential compromise of user accounts and site integrity through the execution of malicious scripts in the context of authenticated users. Attackers with editor-level access can leverage this vulnerability to inject persistent scripts that execute when other users visit affected pages, potentially stealing session cookies, performing actions on behalf of users, or defacing content. Although the vulnerability does not affect availability, it undermines confidentiality and integrity, which can lead to data breaches or unauthorized administrative actions. Organizations running multi-site WordPress environments with the Nari Accountant plugin are at particular risk, especially if they have multiple users with editor or higher privileges. The exploitation complexity is high due to required privileges, limiting exposure to insider threats or compromised accounts. However, the widespread use of WordPress and the plugin in certain regions could amplify the impact if exploited at scale. The lack of patches and known exploits means attackers may develop weaponized code, increasing future risk. Overall, this vulnerability threatens organizational reputation, user trust, and data security.

To mitigate CVE-2025-12371, organizations should first identify if they are running the Nari Accountant plugin version 1.0.12 or earlier in multi-site WordPress installations or with unfiltered_html disabled. Until an official patch is released, administrators should restrict editor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script payloads in account settings inputs can reduce exploitation chances. Additionally, enabling Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly auditing user roles and permissions to enforce the principle of least privilege is critical. Monitoring logs for unusual activity or script injections in account settings pages can provide early detection. Finally, maintain backups and prepare incident response plans to quickly remediate any exploitation attempts. Once a vendor patch is available, prioritize immediate update of the plugin.