CVE-2025-12393 is a stored cross-site scripting (XSS) vulnerability identified in the Free Quotation plugin for WordPress, developed by kris_iv. This vulnerability exists in all versions up to and including 3.1.6 due to improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping in the plugin's admin settings. The flaw allows authenticated attackers with administrator-level permissions or higher to inject arbitrary JavaScript code into pages. These scripts execute whenever any user accesses the infected page, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of users. The vulnerability is constrained to multi-site WordPress installations or single-site installations where the unfiltered_html capability is disabled, limiting the attack surface. The CVSS v3.1 base score is 4.4, indicating medium severity, with the vector reflecting network attack vector, high attack complexity, high privileges required, no user interaction, and a scope change with low confidentiality and integrity impacts but no availability impact. No public exploits are known at this time. The vulnerability stems from CWE-79, highlighting improper input validation and output encoding during dynamic web content generation. This issue underscores the importance of secure coding practices in WordPress plugins, especially those handling administrator inputs in multi-site environments.

The primary impact of CVE-2025-12393 is on the confidentiality and integrity of affected WordPress sites using the Free Quotation plugin in multi-site or restricted HTML environments. An attacker with administrator privileges can inject malicious scripts that execute in the context of other users' browsers, potentially stealing session cookies, credentials, or performing unauthorized actions on behalf of users. While availability is not directly affected, the compromise of administrative accounts or user sessions can lead to broader security breaches, including site defacement, data leakage, or pivoting to other internal systems. Organizations relying on multi-site WordPress deployments with this plugin are at increased risk, especially if administrator accounts are not tightly controlled. The requirement for high privileges and the absence of public exploits reduce immediate widespread impact but do not eliminate the risk of targeted attacks or insider threats. Failure to address this vulnerability could erode user trust and lead to regulatory or compliance issues if sensitive data is exposed.

To mitigate CVE-2025-12393, organizations should first update the Free Quotation plugin to a patched version once available, as no patch links are currently provided. Until a patch is released, administrators should restrict plugin usage to trusted users only and enforce strict access controls on administrator accounts to minimize the risk of malicious script injection. Implementing Web Application Firewalls (WAFs) with rules to detect and block suspicious script injections in admin settings can provide interim protection. Additionally, enabling Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script sources. Regularly auditing multi-site configurations and ensuring that unfiltered_html capabilities are granted only to trusted roles will reduce the attack surface. Security teams should monitor logs for unusual administrative activity and conduct periodic vulnerability scans focusing on plugin security. Finally, educating administrators about the risks of XSS and safe input handling practices is essential to prevent exploitation.