CVE-2025-12379 is a stored Cross-Site Scripting vulnerability identified in the 'Shortcodes and extra features for Phlox theme' WordPress plugin developed by averta. The vulnerability arises from improper neutralization of input during web page generation, specifically through insufficient sanitization and output escaping of the 'tag' and 'title_tag' parameters. This flaw allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious scripts are stored persistently, they execute every time any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability affects all versions up to and including 2.17.13. The CVSS v3.1 score is 6.4, reflecting medium severity with network attack vector, low attack complexity, requiring privileges (Contributor or higher), no user interaction, and a scope change. No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in late 2025 and published in early 2026. The plugin is commonly used in WordPress sites employing the Phlox theme, which is popular among European small and medium enterprises and bloggers. The vulnerability's exploitation could lead to partial confidentiality and integrity loss but does not affect availability. The lack of output escaping and input sanitization is a common CWE-79 weakness, emphasizing the need for secure coding practices in plugin development.

For European organizations, this vulnerability poses a significant risk primarily to websites using the Phlox theme with the vulnerable plugin. Exploitation can lead to session hijacking, unauthorized actions on behalf of users, theft of sensitive information such as authentication tokens, and potential defacement or redirection attacks. Organizations relying on WordPress sites for customer engagement, e-commerce, or internal communications may suffer reputational damage, data breaches, and compliance violations under GDPR if personal data is compromised. The requirement for Contributor-level access reduces the attack surface but does not eliminate risk, especially in environments with multiple content editors or where account compromise is possible. The medium severity score indicates a moderate but actionable threat. Since the vulnerability does not require user interaction, automated exploitation is feasible once an attacker gains the necessary privileges. The absence of known exploits in the wild suggests a window for proactive mitigation. European SMEs and public sector entities using WordPress extensively are particularly vulnerable due to widespread adoption and sometimes limited security resources.

1. Monitor for and apply official patches or updates from averta for the 'Shortcodes and extra features for Phlox theme' plugin as soon as they are released. 2. Until patches are available, restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 3. Implement Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads, especially targeting the 'tag' and 'title_tag' parameters. 4. Conduct regular security audits and code reviews of WordPress plugins and themes to identify and remediate insecure input handling. 5. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected sites. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content validation policies. 7. Use security plugins that provide XSS protection and input sanitization enhancements. 8. Monitor logs for unusual activity related to page edits or script injections. 9. Consider temporarily disabling the vulnerable plugin if immediate patching is not possible and the plugin is not critical. 10. Maintain regular backups to enable recovery in case of successful exploitation.