CVE-2025-12660 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Padlet Shortcode plugin for WordPress, developed by coffeebite. This vulnerability affects all versions up to and including version 1.3. The root cause is insufficient sanitization and escaping of user-supplied input in the 'key' parameter of the 'wallwisher' shortcode, which is used to embed Padlet content. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. When other users, including administrators or editors, access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk in environments where multiple users have content editing capabilities. The lack of a patch at the time of disclosure necessitates immediate mitigation steps to reduce exposure.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within affected WordPress sites. Malicious scripts injected via the 'key' parameter can steal session cookies, enabling attackers to impersonate users with elevated privileges. This can lead to unauthorized content modification, data leakage, or further exploitation of the site. Since the vulnerability requires contributor-level access, it mainly threatens sites with multiple authenticated users who have editing rights, such as collaborative blogs, educational platforms, or corporate intranets. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting site-wide content and user trust. Although availability is not directly affected, the reputational damage and potential data breaches can have severe operational and legal consequences. Organizations relying on the Padlet Shortcode plugin should consider the risk of persistent XSS attacks that can be difficult to detect and remediate once exploited.

1. Immediate mitigation involves restricting contributor-level access to trusted users only, minimizing the risk of malicious input injection. 2. Disable or remove the Padlet Shortcode plugin until a vendor patch is released. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'key' parameter in the 'wallwisher' shortcode. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 5. Regularly audit user-generated content for suspicious scripts or anomalies, especially in pages using the shortcode. 6. Monitor logs for unusual activities from authenticated users with editing permissions. 7. Once available, promptly apply official patches or updates from coffeebite addressing this vulnerability. 8. Educate content editors about the risks of injecting untrusted code and enforce strict input validation policies. 9. Consider implementing additional plugin-level input sanitization or escaping via custom code if immediate patching is not feasible.