CVE-2025-12651 is a stored cross-site scripting (XSS) vulnerability identified in the eggemplo Live Photos on WordPress plugin, which is used to embed live photo content via the livephotos_photo shortcode. The vulnerability exists due to insufficient sanitization and output escaping of three parameters: 'video_src', 'img_src', and 'class'. These parameters accept user-supplied input that is embedded directly into web pages without proper neutralization, allowing an attacker with contributor-level or higher privileges to inject arbitrary JavaScript code. This malicious code is stored persistently in the WordPress database and executed in the browsers of users who visit the compromised pages. The vulnerability does not require user interaction to trigger once the malicious content is loaded, and it affects all versions of the plugin up to and including 0.1. The CVSS 3.1 base score of 6.4 reflects a medium severity, with attack vector being network-based, low attack complexity, privileges required at the contributor level, no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. The impact primarily affects confidentiality and integrity, enabling potential session hijacking, defacement, or unauthorized actions performed in the context of the victim user. No public exploits have been reported yet, but the presence of this vulnerability in a popular CMS plugin makes it a significant risk for WordPress sites using this plugin. The vulnerability was published on November 11, 2025, and no patches or updates have been linked yet, emphasizing the need for immediate attention from site administrators.

The primary impact of CVE-2025-12651 is the potential for attackers to execute arbitrary JavaScript in the context of users visiting affected WordPress sites. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and website defacement. Since the vulnerability requires contributor-level access, attackers must first compromise or have legitimate access to an account with these privileges, which may be easier in environments with weak access controls or social engineering risks. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the plugin itself, potentially impacting the entire WordPress site and its users. Organizations relying on the eggemplo Live Photos plugin risk reputational damage, data breaches, and loss of user trust if exploited. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once the vulnerability is public. The vulnerability affects all versions up to 0.1, so any site using this plugin version is at risk. Given WordPress’s widespread use globally, the potential impact is significant for websites that utilize this plugin for multimedia content.

1. Immediate mitigation involves removing or disabling the eggemplo Live Photos plugin until a patched version is released. 2. Restrict contributor-level access strictly to trusted users and review existing user privileges to minimize the risk of insider threats or compromised accounts. 3. Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious input patterns targeting the 'video_src', 'img_src', and 'class' parameters in the livephotos_photo shortcode. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts and reduce the impact of any injected code. 5. Monitor logs for unusual activity related to shortcode usage or unexpected script injections. 6. Educate content contributors about safe input practices and the risks of injecting untrusted content. 7. Once a patch is available, promptly update the plugin to the fixed version. 8. Conduct regular security audits and vulnerability scans focusing on WordPress plugins to detect similar issues proactively. 9. Consider implementing multi-factor authentication (MFA) for all users with elevated privileges to reduce the risk of account compromise. 10. Backup website data regularly to enable quick recovery in case of successful exploitation.