CVE-2025-12499 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Rich Shortcodes for Google Reviews WordPress plugin developed by widgetpack. This vulnerability affects all versions up to and including 6.8 due to insufficient sanitization and escaping of user-supplied content embedded within Google Reviews displayed on websites. Specifically, the plugin fails to properly neutralize malicious JavaScript code that can be injected into the review content, which is then stored and rendered on web pages. When a user visits a page containing the injected script, it executes in their browser context, potentially allowing attackers to steal cookies, session tokens, or perform actions on behalf of the user without their consent. The vulnerability requires no authentication or user interaction, increasing its risk profile. Although a partial fix was introduced in version 6.6.2, the issue persists in subsequent versions up to 6.8, indicating incomplete remediation. The CVSS v3.1 base score is 7.2, reflecting high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change affecting confidentiality and integrity but not availability. No public exploit code or active exploitation has been reported to date. The vulnerability's root cause lies in improper input validation and output encoding during web page generation, a common weakness in web applications that handle dynamic content from external sources.

The impact of CVE-2025-12499 is significant for organizations using the affected WordPress plugin, especially those relying on Google Reviews to display customer feedback. Successful exploitation can lead to the execution of arbitrary JavaScript in the context of the affected website, compromising user confidentiality by exposing sensitive information such as authentication cookies, personal data, or session tokens. Attackers may also manipulate the integrity of the website by injecting misleading content or redirecting users to malicious sites. Although availability is not directly impacted, the reputational damage and potential data breaches can have severe business consequences. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale by remote attackers scanning for vulnerable sites. This poses a risk to e-commerce platforms, service providers, and any organization leveraging this plugin for customer engagement, potentially affecting millions of users globally. The partial patch in version 6.6.2 suggests that some risk remains even for sites that have updated, emphasizing the need for comprehensive remediation. The absence of known exploits in the wild currently limits immediate impact but does not preclude future attacks, especially as exploit code may be developed following public disclosure.

To mitigate CVE-2025-12499, organizations should immediately upgrade the Rich Shortcodes for Google Reviews plugin to a version beyond 6.8 once a fully patched release is available, as the current versions up to 6.8 remain vulnerable despite partial fixes. Until an official patch is released, site administrators can implement strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the risk of XSS exploitation. Additionally, sanitizing and validating all user-generated content, including Google Review inputs, at the application level can provide an extra layer of defense. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts targeting the plugin’s endpoints is recommended. Regularly monitoring website logs and user reports for unusual behavior or script injections can help detect exploitation attempts early. Disabling or removing the plugin temporarily may be necessary for high-risk environments until a secure version is confirmed. Finally, educating content managers and developers about secure coding practices related to input handling and output encoding will help prevent similar vulnerabilities in the future.