CVE-2025-12644 identifies a stored cross-site scripting (XSS) vulnerability in the Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress, versions up to and including 1.0.11. The vulnerability arises from insufficient sanitization and escaping of user-supplied input in custom fields rendered by the 'nonaki' shortcode. Authenticated attackers with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or theft of sensitive information. The vulnerability requires no user interaction beyond viewing the infected page and does not require elevated privileges beyond contributor access, making it relatively easy to exploit in environments with multiple content contributors. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, privileges required at the contributor level, no user interaction, and a scope change with low impact on confidentiality and integrity but no impact on availability. No patches or known exploits have been reported at the time of publication, but the vulnerability's presence in a widely used WordPress plugin underscores the need for immediate attention.

For European organizations, this vulnerability could lead to unauthorized script execution within their WordPress sites, potentially compromising user accounts, stealing session cookies, or defacing websites. Organizations that rely on the Nonaki plugin for email template building and newsletters are at risk of having their web presence exploited to distribute malicious content or conduct phishing attacks. The impact is particularly significant for organizations with multiple contributors or editors, as any authenticated contributor can inject malicious scripts. This could result in reputational damage, data breaches involving user information, and disruption of communication channels. Since WordPress is widely used across Europe, especially among SMEs and public sector entities, the risk is non-trivial. The vulnerability's exploitation could also be leveraged as a foothold for further attacks within the network if attackers escalate privileges or move laterally. The lack of known exploits currently reduces immediate risk but does not eliminate the threat, especially as exploit code may emerge.

European organizations should immediately audit their WordPress installations to identify the presence of the Nonaki plugin and its version. Until an official patch is released, organizations should consider disabling or uninstalling the plugin to eliminate the attack vector. Restrict contributor-level permissions to trusted users only and review existing content for suspicious scripts or injected code. Implement Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'nonaki' shortcode. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Regularly monitor logs and user activity for signs of exploitation attempts. Educate contributors on safe content practices and the risks of injecting untrusted code. Once a patch is available, prioritize timely updates. Additionally, consider isolating WordPress instances and limiting plugin usage to reduce the attack surface.