CVE-2025-12644 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress, developed by wpcox. This vulnerability exists in all versions up to and including 1.0.11. The root cause is insufficient input sanitization and output escaping of user-supplied custom field values that are processed and rendered by the 'nonaki' shortcode. Because of this, an authenticated attacker with contributor-level privileges or higher can inject arbitrary JavaScript code into pages generated by the plugin. When any user accesses a page containing the injected script, the malicious code executes in their browser context. This can lead to a range of attacks including session hijacking, privilege escalation, defacement, or redirection to malicious sites. The vulnerability requires no user interaction beyond page access but does require the attacker to have contributor or higher access, which is a moderate barrier. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet. The vulnerability is significant because WordPress is a widely used CMS, and plugins like Nonaki are popular for email template building and newsletters, making many websites potentially vulnerable. The lack of official patches at the time of disclosure increases risk. The vulnerability is tracked under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. The scope is limited to sites using this specific plugin and versions up to 1.0.11. The vulnerability was reserved on November 3, 2025, and published on November 11, 2025.

The impact of CVE-2025-12644 is primarily on the confidentiality and integrity of affected WordPress sites using the Nonaki plugin. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts that execute in the context of any user visiting the infected page. This can lead to theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Although availability is not directly affected, the reputational damage and potential data breaches can be severe. Organizations relying on this plugin for email template management or newsletters risk compromise of their website user accounts and visitor trust. Since contributor-level access is required, the threat is heightened in environments with multiple content editors or less strict access controls. The vulnerability could be leveraged as part of a broader attack chain to escalate privileges or pivot within a network. Given WordPress's global popularity, the potential attack surface is large, especially for small to medium businesses and content-heavy sites. The absence of known exploits reduces immediate risk but does not eliminate it, as attackers may develop exploits rapidly after disclosure. The medium severity score reflects these factors, indicating a need for timely remediation to prevent exploitation.

To mitigate CVE-2025-12644, organizations should first verify if they use the Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress and identify the version in use. Until an official patch is released, the following specific actions are recommended: 1) Restrict contributor-level and higher privileges to trusted users only, minimizing the number of accounts that can exploit this vulnerability. 2) Implement strict input validation and sanitization on custom fields used by the 'nonaki' shortcode, either by applying custom code or using security plugins that enforce output escaping. 3) Monitor website pages that use the 'nonaki' shortcode for unexpected or suspicious script injections, using web application firewalls (WAFs) or security scanners. 4) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5) Regularly audit user accounts and permissions to detect any unauthorized privilege escalations. 6) Backup website data frequently to enable recovery in case of compromise. 7) Stay informed about vendor updates and apply official patches immediately once available. 8) Consider temporarily disabling or replacing the plugin if the risk is unacceptable and no patch is available. These measures go beyond generic advice by focusing on access control, monitoring, and proactive input handling specific to this vulnerability.