CVE-2025-12649 is a stored Cross-Site Scripting (XSS) vulnerability identified in the SortTable Post plugin for WordPress, affecting all versions up to and including 4.2. The vulnerability stems from insufficient sanitization and escaping of the 'id' parameter within the sorttablepost shortcode. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. When other users visit these pages and interact with the injected content (e.g., via mouse actions), the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. No patches or official fixes have been published yet, and no known exploits are reported in the wild. The vulnerability is particularly concerning for multi-user WordPress environments where contributors can add or edit content but do not have full administrative rights. The lack of output escaping and input validation in the plugin’s shortcode handling is the root cause, making it possible to embed malicious scripts that persist in the content database.

For European organizations, this vulnerability poses a significant risk to websites running WordPress with the SortTable Post plugin installed. The ability for contributors to inject persistent XSS payloads can lead to session hijacking, defacement, unauthorized actions, and data leakage. This can undermine user trust, cause reputational damage, and potentially violate GDPR requirements concerning data protection and breach notification. Organizations relying on contributor-level users for content management are particularly vulnerable. The impact is amplified in sectors with high web presence such as media, education, and e-commerce. Additionally, the cross-site scripting can be leveraged as a foothold for further attacks within the network if administrative users are targeted. Given the medium CVSS score and the requirement for authenticated access, the threat is moderate but non-negligible, especially in environments with many contributors or less stringent access controls.

1. Immediately audit WordPress sites for the presence of the SortTable Post plugin and identify versions up to 4.2. 2. Restrict contributor-level permissions to trusted users only and review user roles to minimize unnecessary privileges. 3. Implement web application firewalls (WAFs) with rules to detect and block malicious scripts in shortcode parameters. 4. Apply manual input validation and output escaping in shortcode processing if custom development is possible. 5. Monitor site content for unusual or suspicious shortcode usage and injected scripts. 6. Educate content contributors about safe content practices and the risks of injecting untrusted code. 7. Follow vendor announcements closely for patches or updates and apply them promptly once available. 8. Consider disabling or replacing the vulnerable plugin with a secure alternative until a fix is released.