CVE-2025-12590 is a vulnerability in the YSlider WordPress plugin developed by andreaferracani, affecting all versions up to and including 1.1. The flaw arises from missing nonce verification on the plugin's content configuration page combined with inadequate input sanitization and output escaping. This creates a Cross-Site Request Forgery (CSRF) vector that enables unauthenticated attackers to craft malicious requests that, when executed by an administrator (via clicking a link or visiting a malicious page), inject stored Cross-Site Scripting (XSS) payloads into the website content. These injected scripts persist and execute in the context of any user visiting the infected page, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deliver further malware. The vulnerability does not require prior authentication but does require user interaction from an administrator, making social engineering a likely exploitation method. The CVSS 3.1 score of 6.1 reflects a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change indicating the vulnerability affects components beyond the initially vulnerable plugin. No patches or known exploits are currently reported, but the risk remains significant due to the widespread use of WordPress and the plugin. The vulnerability is classified under CWE-352 (CSRF).

For European organizations, this vulnerability poses a moderate risk primarily to websites using the YSlider plugin on WordPress. Successful exploitation can lead to persistent XSS attacks, enabling attackers to hijack user sessions, deface websites, or conduct phishing campaigns leveraging the trusted domain. This can damage brand reputation, lead to data leakage, and potentially facilitate further network intrusion if administrative credentials or session tokens are compromised. Since the attack requires tricking an administrator, organizations with less stringent administrative security awareness or lacking multi-factor authentication are more vulnerable. The impact on availability is minimal, but confidentiality and integrity of web content and user data are at risk. Given the popularity of WordPress in Europe, especially among SMEs and public sector websites, the threat could affect a broad range of sectors including government, education, and commerce. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as exploit code may emerge.

1. Immediately audit all WordPress sites for the presence of the YSlider plugin and identify versions in use. 2. Disable or remove the YSlider plugin until a security patch is released. 3. Implement strict input validation and output escaping on all plugin-managed content fields to prevent script injection. 4. Add nonce verification to all state-changing requests in the plugin to prevent CSRF attacks. 5. Educate administrators on phishing and social engineering risks to reduce the likelihood of clicking malicious links. 6. Enforce multi-factor authentication (MFA) for WordPress admin accounts to limit the impact of compromised credentials. 7. Monitor web server logs and admin activity for suspicious requests or unusual behavior. 8. Use web application firewalls (WAFs) with rules to detect and block CSRF and XSS attack patterns targeting the plugin. 9. Keep WordPress core and all plugins updated regularly to reduce exposure to known vulnerabilities. 10. Consider restricting administrative access by IP or VPN to reduce attack surface.