CVE-2025-12379 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the 'Shortcodes and extra features for Phlox theme' WordPress plugin developed by averta. This vulnerability exists in all versions up to and including 2.17.13 due to improper neutralization of input during web page generation. Specifically, the 'tag' and 'title_tag' parameters are not sufficiently sanitized or escaped before being rendered on pages, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code. When a user accesses a page containing the injected script, the malicious code executes in their browser context. The vulnerability requires authentication but no additional user interaction, and the attack surface includes any site using the vulnerable plugin with these user roles. The CVSS 3.1 base score is 6.4, indicating medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. The impact includes potential theft of session cookies, defacement, or unauthorized actions performed on behalf of users. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the risks of insufficient input validation and output escaping in WordPress plugins, especially those that allow user-generated content or parameters to be rendered in pages.

The vulnerability allows authenticated users with Contributor-level access or higher to inject persistent malicious scripts into web pages generated by the vulnerable plugin. This can lead to session hijacking, enabling attackers to impersonate other users, including administrators, potentially leading to full site compromise. It can also facilitate defacement, phishing, or distribution of malware to site visitors. Since the injected scripts execute in the context of the affected website, they can bypass same-origin policies and access sensitive data or perform unauthorized actions. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the attacker’s privileges, increasing the risk. Organizations relying on this plugin for WordPress sites, especially those with multiple contributors or public-facing content, face risks to confidentiality and integrity of data and user accounts. Although availability impact is not indicated, reputational damage and loss of user trust can be significant. The lack of known exploits in the wild suggests limited active exploitation currently, but the medium severity and ease of exploitation by authenticated users make timely remediation critical.

1. Upgrade the 'Shortcodes and extra features for Phlox theme' plugin to a fixed version once available from the vendor. Monitor vendor announcements for patches. 2. Until a patch is released, restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 3. Implement additional input validation and output escaping at the application or web server level, especially for the 'tag' and 'title_tag' parameters, to neutralize potentially malicious input. 4. Employ a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injection attempts targeting these parameters. 5. Conduct regular security audits and code reviews of plugins and themes to identify similar input sanitization issues. 6. Educate site administrators and contributors about the risks of XSS and safe content practices. 7. Monitor site logs and user activity for unusual behavior indicative of exploitation attempts. 8. Consider disabling or replacing the vulnerable plugin with alternatives that follow secure coding practices if immediate patching is not feasible.