CVE-2025-12650 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Simple post listing plugin for WordPress, affecting all versions up to and including 0.2. The root cause is insufficient input sanitization and output escaping of the 'class_name' parameter within the postlist shortcode. This parameter accepts user-supplied input that is directly embedded into web pages without proper neutralization, enabling attackers with contributor-level or higher privileges to inject arbitrary JavaScript code. Because the vulnerability is stored, the malicious payload persists in the database and executes whenever any user accesses the compromised page and interacts with it via mouse actions. The vulnerability requires authentication at a contributor level, does not require user interaction for exploitation beyond mouse interaction on the page, and impacts confidentiality and integrity by potentially allowing session hijacking, credential theft, or unauthorized actions on behalf of users. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. No patches or known exploits are currently reported, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or editors. The CWE classification is CWE-79, indicating improper neutralization of input during web page generation. The vulnerability was published on December 12, 2025, with the CVE reserved on November 3, 2025.

The impact of CVE-2025-12650 is primarily on the confidentiality and integrity of affected WordPress sites. An attacker with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of users, or defacement. While availability is not directly impacted, the compromise of user accounts or site integrity can lead to reputational damage and loss of user trust. Organizations relying on the Simple post listing plugin, particularly those with multiple contributors or editors, face increased risk of internal threat exploitation. The vulnerability could be leveraged in targeted attacks against organizations with sensitive data or high-value web properties. Since exploitation requires authenticated access, the risk is somewhat mitigated by access controls, but insider threats or compromised contributor accounts increase the attack surface. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks once the vulnerability becomes widely known.

To mitigate CVE-2025-12650, organizations should first check for updates or patches from the sgcoskey vendor and apply them promptly once available. In the absence of official patches, administrators should implement strict input validation and output encoding for the 'class_name' parameter in the postlist shortcode to neutralize malicious scripts. Restrict contributor-level access to trusted users only and monitor user activities for suspicious behavior. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads in WordPress plugin parameters. Regularly audit installed plugins and remove or replace those that are unmaintained or vulnerable. Educate contributors about the risks of injecting untrusted content and enforce the principle of least privilege. Additionally, enable Content Security Policy (CSP) headers to reduce the impact of injected scripts. Continuous monitoring and incident response readiness are recommended to detect and respond to any exploitation attempts.