CVE-2025-12651 identifies a stored Cross-Site Scripting (XSS) vulnerability in the eggemplo Live Photos on WordPress plugin, versions up to and including 0.1. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'video_src', 'img_src', and 'class' parameters within the livephotos_photo shortcode. This improper neutralization allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into WordPress pages. When other users, including administrators or editors, access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is classified under CWE-79, indicating a failure to properly neutralize input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and a scope change due to impact on other components. No public exploits have been reported yet, but the vulnerability poses a significant risk given WordPress's widespread use and the plugin's functionality. The lack of available patches at the time of publication necessitates immediate attention to access controls and input validation measures.

For European organizations, this vulnerability could lead to unauthorized script execution within their WordPress sites, compromising user sessions, leaking sensitive information, and enabling further attacks such as privilege escalation or defacement. Since the attack requires contributor-level access, insider threats or compromised accounts pose a significant risk. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initial plugin, potentially impacting the entire WordPress site and its users. This can undermine trust in corporate websites, disrupt business operations, and expose organizations to regulatory penalties under GDPR if personal data is compromised. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially for high-profile targets. Organizations relying on WordPress for public-facing or internal sites must consider the potential for reputational damage and operational disruption.

1. Immediately review and restrict contributor-level access to trusted users only, minimizing the risk of malicious input injection. 2. Monitor and audit user-generated content that utilizes the livephotos_photo shortcode for suspicious or unexpected script content. 3. Implement Web Application Firewall (WAF) rules to detect and block attempts to inject scripts via the vulnerable parameters. 4. Apply strict input validation and output encoding on all user-supplied attributes related to the plugin, ideally through custom filters or security plugins until an official patch is released. 5. Keep WordPress core, themes, and plugins updated, and subscribe to vendor advisories for prompt patch deployment once available. 6. Educate content contributors about secure content practices and the risks of embedding untrusted code. 7. Consider temporarily disabling or removing the eggemplo Live Photos plugin if feasible until a secure version is released. 8. Conduct regular security assessments and penetration tests focusing on XSS vulnerabilities in user-generated content areas.