CVE-2025-12660 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Padlet Shortcode plugin for WordPress developed by coffeebite. The vulnerability exists in all versions up to and including 1.3 due to insufficient sanitization and escaping of user-supplied input in the 'key' parameter of the 'wallwisher' shortcode. Authenticated users with contributor-level or higher privileges can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users to malicious sites, or performing unauthorized actions on behalf of the victim. The vulnerability requires no user interaction beyond page access and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity and privileges required at the contributor level. The scope is changed as the vulnerability affects the confidentiality and integrity of user data across the site. No patches have been officially released yet, and no exploits are known in the wild. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content to be embedded in pages.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the Padlet Shortcode plugin installed. The ability for authenticated contributors to inject persistent malicious scripts can lead to session hijacking, defacement, or unauthorized actions, undermining user trust and potentially exposing sensitive data. Educational institutions, media companies, and collaborative platforms using this plugin are at particular risk due to the common use of contributor roles. The impact includes potential data confidentiality breaches and integrity violations, though availability is not directly affected. Exploitation could facilitate further attacks such as phishing or lateral movement within the affected network. Given the medium CVSS score and the requirement for contributor-level access, the threat is significant but not critical. However, the widespread use of WordPress in Europe and the plugin’s presence in various sectors increase the potential attack surface.

Organizations should immediately audit their WordPress installations to identify the presence of the Padlet Shortcode plugin and assess user roles with contributor-level or higher privileges. Until an official patch is released, restrict contributor permissions to trusted users only and consider temporarily disabling the plugin if feasible. Implement web application firewalls (WAFs) with rules to detect and block malicious script injections targeting the 'key' parameter in the 'wallwisher' shortcode. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor logs for unusual activity indicative of exploitation attempts. Educate content contributors on safe input practices and enforce strict input validation on all user-supplied data. Plan for prompt application of patches once available and maintain an incident response plan tailored to web application attacks.