CVE-2025-12475 is a stored Cross-Site Scripting vulnerability identified in the Blocksy Companion plugin for WordPress, specifically in the 'blocksy_newsletter_subscribe' shortcode. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes, allowing an attacker with contributor-level or higher privileges to inject arbitrary JavaScript code into pages generated by the plugin. Since the malicious script is stored persistently, it executes every time any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 2.1.14. Exploitation requires authenticated access but no user interaction beyond visiting the infected page. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impact. No patches or known exploits are currently available, increasing the urgency for administrators to monitor and apply updates once released. The flaw is classified under CWE-79, indicating improper neutralization of input during web page generation, a common and impactful web vulnerability.

The impact of this vulnerability is significant for organizations using the Blocksy Companion plugin on WordPress sites. An attacker with contributor-level access can inject persistent malicious scripts, which execute in the context of any user visiting the affected pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential site defacement or redirection to malicious sites. Since contributor-level access is often granted to content creators or editors, the risk of insider threats or compromised accounts is elevated. The vulnerability compromises confidentiality and integrity but does not affect availability. Exploitation could damage organizational reputation, lead to data breaches, and facilitate further attacks within the network. Given WordPress's widespread use globally, the threat could affect a large number of websites, especially those relying on this plugin for newsletter subscription functionality.

To mitigate this vulnerability, organizations should immediately restrict contributor-level access to trusted users and monitor for suspicious activity related to the 'blocksy_newsletter_subscribe' shortcode. Until an official patch is released, consider disabling or removing the Blocksy Companion plugin if feasible. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting this shortcode. Conduct thorough code reviews and sanitize all user inputs rigorously, applying output escaping on all dynamic content. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly audit user roles and permissions to minimize the risk of privilege abuse. Once a patch is available, apply it promptly and verify the fix. Additionally, educate content contributors about the risks of injecting untrusted content and monitor logs for anomalous behavior indicative of exploitation attempts.