CVE-2025-12645 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Inline frame – Iframe plugin for WordPress, developed by karthiksg. This vulnerability exists in all versions up to and including 0.1 due to insufficient sanitization and escaping of user-supplied input in the 'embedsite' shortcode attributes. Specifically, authenticated users with contributor-level access or higher can inject arbitrary JavaScript code into pages via this shortcode. Because the malicious script is stored, it executes whenever any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a risk especially in environments where multiple contributors publish content. The plugin’s widespread use in WordPress sites makes this a relevant threat for web administrators. The lack of available patches at the time of publication requires organizations to implement compensating controls until updates are released.

For European organizations, this vulnerability can lead to unauthorized script execution on websites that use the Inline frame – Iframe plugin, potentially resulting in session hijacking, theft of sensitive user data, defacement, or unauthorized actions performed under the context of legitimate users. This can damage organizational reputation, lead to data breaches involving personal or business-critical information, and violate data protection regulations such as GDPR. Organizations relying on contributor-generated content are particularly at risk because contributors can inject malicious code. The impact is more severe for public-facing websites with high user interaction or e-commerce platforms. Additionally, compromised sites may be used as vectors for further attacks or phishing campaigns targeting European users. The medium severity score indicates a significant but not critical risk, emphasizing the need for timely mitigation to prevent exploitation.

1. Restrict contributor-level access strictly to trusted users and review contributor permissions regularly to minimize the risk of malicious input. 2. Implement strict input validation and output encoding for all shortcode attributes, especially the 'embedsite' parameter, to prevent injection of executable scripts. 3. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads related to the Inline frame – Iframe plugin. 4. Monitor website content and logs for unusual shortcode usage or unexpected script injections. 5. Apply Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. 6. Until an official patch is released, consider disabling or removing the vulnerable plugin from production environments. 7. Educate content contributors about secure content practices and the risks of injecting untrusted code. 8. Regularly update WordPress core and plugins to the latest versions once patches become available. 9. Conduct security audits focusing on user-generated content and shortcode usage to detect potential exploitation attempts.