CVE-2025-12499 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the 'Rich Shortcodes for Google Reviews' WordPress plugin developed by widgetpack. This plugin integrates Google Reviews into WordPress sites using shortcodes. The vulnerability arises due to insufficient sanitization and escaping of the Google Review content before rendering it on web pages. Specifically, malicious scripts embedded within a Google Review can be stored and later executed in the browsers of any users visiting the compromised pages. The vulnerability impacts all plugin versions up to and including 6.8, with only a partial patch applied in version 6.6.2, indicating that the issue remains exploitable in later versions. The attack vector requires no authentication or user interaction, making it trivially exploitable remotely by unauthenticated attackers. The CVSS v3.1 score is 7.2 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change, with impacts on confidentiality and integrity but not availability. The vulnerability can lead to session hijacking, theft of sensitive information, defacement, or further exploitation via injected scripts. No known exploits have been reported in the wild yet, but the widespread use of WordPress and this plugin increases the risk. The vulnerability was reserved and published in late 2025, indicating recent discovery and disclosure. The lack of an official patch link suggests that a complete fix may not yet be available, necessitating interim mitigations.

For European organizations, this vulnerability poses significant risks, especially those relying on WordPress sites with the Rich Shortcodes for Google Reviews plugin to display customer feedback. Exploitation can lead to unauthorized disclosure of user session cookies, enabling account takeover or impersonation. Attackers can also manipulate site content, damaging brand reputation and user trust. E-commerce platforms, service providers, and public-facing websites are particularly vulnerable to customer data theft or fraudulent transactions resulting from session hijacking. The vulnerability's ability to execute scripts in the context of any user visiting the site means that both employees and customers could be targeted, potentially leading to broader organizational compromise. Additionally, regulatory frameworks such as GDPR impose strict data protection requirements; a breach resulting from this vulnerability could lead to legal and financial penalties. The ease of exploitation and lack of required authentication increase the likelihood of attacks, especially in high-traffic sites. The partial patch in version 6.6.2 indicates that even some updated sites remain at risk until a full fix is deployed.

European organizations should immediately audit their WordPress installations to identify the presence of the Rich Shortcodes for Google Reviews plugin and its version. Until a fully patched version is released, organizations should consider disabling the plugin or removing it if feasible. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injections in Google Review content can provide interim protection. Site administrators should enforce strict Content Security Policies (CSP) to restrict script execution sources and reduce the impact of injected scripts. Regularly scanning website content for malicious code and monitoring logs for unusual activity is critical. Additionally, organizations should educate content moderators and users about the risks of untrusted input and review third-party content carefully. Once a complete patch is available, prompt updating is essential. Employing security plugins that sanitize user-generated content and leveraging security headers can further mitigate risks. Finally, backing up website data and having an incident response plan ready will help manage potential exploitation consequences.