CVE-2025-12393 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Free Quotation plugin for WordPress, developed by kris_iv. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient input sanitization and output escaping in the plugin's admin settings interface. It affects all versions up to and including 3.1.6. The flaw allows authenticated attackers with administrator-level permissions or higher to inject arbitrary JavaScript code into pages within multi-site WordPress installations or installations where the unfiltered_html capability is disabled. When other users access these injected pages, the malicious scripts execute in their browsers, potentially enabling session hijacking, credential theft, or unauthorized actions within the affected site context. The vulnerability requires high privileges (administrator access) and does not require user interaction to trigger once the malicious script is stored. The CVSS v3.1 base score is 4.4, indicating medium severity, with vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N, reflecting network attack vector, high attack complexity, high privileges required, no user interaction, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No public exploits have been reported to date. The vulnerability is particularly relevant for multi-site WordPress environments, which are common in enterprise or managed hosting scenarios, and where unfiltered_html is disabled to restrict HTML content. Lack of patch links suggests a fix is pending or not yet publicly released. The vulnerability was reserved on 2025-10-28 and published on 2025-11-04.

For European organizations, the impact of CVE-2025-12393 depends largely on their use of the Free Quotation plugin within multi-site WordPress installations or configurations with unfiltered_html disabled. Exploitation could lead to unauthorized script execution in the context of trusted users, potentially resulting in credential theft, session hijacking, or unauthorized administrative actions. This could compromise the confidentiality and integrity of sensitive business data, customer information, or internal communications. Although the vulnerability requires administrator-level access to exploit, insider threats or compromised admin accounts could be leveraged to launch attacks. The medium CVSS score reflects limited impact scope and exploitation complexity, but the potential for lateral movement or privilege escalation within affected environments remains a concern. Given the widespread use of WordPress in Europe, especially among SMEs and public sector entities, the vulnerability could affect a significant number of sites if unpatched. Multi-site installations are common in organizations managing multiple domains or subsidiaries, increasing the risk surface. Additionally, regulatory frameworks such as GDPR impose strict data protection requirements, and exploitation leading to data breaches could result in legal and financial penalties.

1. Monitor the Free Quotation plugin vendor's official channels for security updates and apply patches immediately once available. 2. Restrict administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms, including multi-factor authentication (MFA). 3. Review and harden WordPress multi-site configurations, ensuring unfiltered_html capability is enabled only where absolutely necessary. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections or anomalous admin panel activities. 5. Conduct regular security audits and code reviews of installed plugins, especially those with admin interface exposure. 6. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 7. Educate administrators on the risks of stored XSS and safe input handling practices. 8. Consider isolating critical WordPress instances or using containerization to limit the blast radius of potential compromises. 9. Maintain comprehensive logging and monitoring to detect unusual behavior indicative of exploitation attempts. 10. Backup WordPress sites regularly to enable rapid restoration in case of compromise.