CVE-2025-12660 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Padlet Shortcode plugin for WordPress, developed by coffeebite. The flaw exists in the handling of the 'key' parameter within the 'wallwisher' shortcode, where insufficient input sanitization and output escaping allow an authenticated attacker with contributor-level or higher privileges to inject arbitrary JavaScript code. This malicious script is stored persistently and executes whenever any user accesses the infected page, potentially leading to session hijacking, credential theft, or unauthorized actions performed in the context of the victim's browser session. The vulnerability affects all versions up to and including 1.3 of the plugin. The CVSS 3.1 score of 6.4 reflects a medium severity, with an attack vector over the network, low complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability can affect other users beyond the attacker. No patches or fixes have been published yet, and no known exploits have been reported in the wild. The vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks. Given that WordPress is widely used for content management and that contributor-level users often have permissions to add or edit content, this vulnerability can be exploited to compromise the integrity and confidentiality of website visitors and administrators.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted websites, compromising user accounts, stealing sensitive information, or performing actions on behalf of users without their consent. Organizations relying on WordPress sites with collaborative content creation, such as educational institutions, media companies, and public sector websites, are particularly at risk. The stored nature of the XSS means that once injected, the malicious code can affect all visitors to the compromised page, amplifying the impact. Confidentiality is primarily impacted through session hijacking or data theft, while integrity is affected by unauthorized content manipulation. Availability is less impacted as the vulnerability does not directly cause denial of service. The requirement for contributor-level access limits the attack surface but does not eliminate risk, especially in environments with many contributors or weak internal controls. The medium severity rating suggests a significant but not critical threat, warranting timely remediation to prevent exploitation.

European organizations should implement the following specific mitigations: 1) Immediately audit and restrict contributor-level access on WordPress sites using the Padlet Shortcode plugin to trusted users only. 2) Monitor and review all content submissions involving the 'wallwisher' shortcode for suspicious or unexpected 'key' parameter values. 3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script patterns in shortcode parameters. 4) Apply strict input validation and output escaping in custom code or plugins that interact with shortcodes, ideally contributing fixes or patches to the plugin if possible. 5) Maintain up-to-date backups of website content to enable quick restoration if compromise occurs. 6) Educate content contributors about the risks of injecting untrusted code and enforce content submission policies. 7) Track vendor updates for the Padlet Shortcode plugin and apply patches promptly once available. 8) Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. These measures go beyond generic advice by focusing on access control, monitoring, and layered defenses tailored to the specific vulnerability vector.