CVE-2025-12649 is a stored Cross-Site Scripting (XSS) vulnerability identified in the SortTable Post plugin for WordPress, developed by sscovil. This vulnerability affects all versions up to and including 4.2. The root cause is insufficient sanitization and escaping of user-supplied input, specifically the 'id' parameter within the sorttablepost shortcode. Authenticated users with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. When other users visit these pages and interact with the injected content (via mouse actions), the malicious scripts execute in their browsers. This can lead to theft of session cookies, defacement, or unauthorized actions performed on behalf of the victim user. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector over the network, low complexity, requiring privileges (PR:L), no user interaction (UI:N), and a scope change (S:C) indicating that the vulnerability affects resources beyond the initially vulnerable component. No public exploits have been reported yet, but the vulnerability's nature and ease of exploitation make it a significant risk for WordPress sites using this plugin. The lack of patches at the time of reporting increases the urgency for mitigation. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common cause of XSS issues. The vulnerability enables persistent script injection, which is more dangerous than reflected XSS due to its lasting presence on the site.

The impact of CVE-2025-12649 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, credential theft, unauthorized actions, or site defacement. This can erode user trust, damage brand reputation, and lead to data breaches. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by the need for contributor privileges; however, many WordPress sites allow multiple contributors, increasing the attack surface. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the plugin itself, potentially compromising the entire site. The absence of known exploits in the wild currently reduces immediate risk, but the medium severity and ease of exploitation suggest that attackers could develop exploits quickly. Organizations relying on the SortTable Post plugin should consider the threat significant, especially those with multiple contributors or less stringent access controls.

1. Immediately restrict contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. 2. Monitor and audit all shortcode usage, especially the 'sorttablepost' shortcode, for suspicious or unexpected 'id' parameter values. 3. Implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the 'id' parameter in the shortcode. 4. If possible, disable or remove the SortTable Post plugin until a security patch is released. 5. Encourage plugin developers or site administrators to apply strict input validation and output escaping on all user-supplied shortcode attributes. 6. Educate content contributors about the risks of injecting untrusted content and enforce content review workflows. 7. Regularly update WordPress core and plugins to receive security patches promptly once available. 8. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. 9. Conduct periodic security scans focusing on stored XSS vulnerabilities to detect any existing malicious injections. 10. Prepare incident response plans to quickly address any exploitation attempts or detected compromises.