CVE-2025-12661 is a stored cross-site scripting vulnerability identified in the Pollcaster Shortcode Plugin for WordPress, specifically related to the 'height' parameter within the 'pollcaster' shortcode. The root cause is insufficient sanitization and escaping of user-supplied input, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability affects all versions up to and including 1.0 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with a network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N). The scope is changed (S:C) because the vulnerability can affect resources beyond the vulnerable component. Confidentiality and integrity impacts are low, with no impact on availability. No patches are currently available, and no known exploits have been reported in the wild. The vulnerability highlights a common weakness (CWE-79) in web applications where improper neutralization of input during web page generation leads to persistent XSS. This can be exploited by malicious insiders or compromised contributor accounts to affect site visitors.

For European organizations, this vulnerability could lead to unauthorized script execution on corporate or public-facing WordPress sites, potentially compromising user sessions, stealing sensitive information, or defacing content. Organizations relying on the Pollcaster Shortcode Plugin for interactive polls or surveys may face reputational damage and loss of user trust if exploited. Since the attack requires contributor-level access, insider threats or compromised contributor accounts pose a significant risk. The vulnerability can also facilitate further attacks such as phishing or malware distribution by injecting malicious payloads into trusted websites. Given the widespread use of WordPress across Europe, especially in sectors like media, education, and government, the impact could be broad. However, the lack of known exploits and the requirement for authenticated access somewhat limit immediate risk. Still, the persistent nature of stored XSS means that once exploited, the malicious code can affect all visitors to the infected pages, amplifying the potential damage.

European organizations should immediately audit their WordPress installations to identify the presence of the Pollcaster Shortcode Plugin and its version. Until an official patch is released, restrict contributor-level permissions to trusted users only and consider temporarily disabling the plugin if feasible. Implement web application firewalls (WAFs) with rules to detect and block suspicious script injections targeting the 'height' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Conduct regular security training for contributors to recognize phishing and social engineering attempts that could lead to account compromise. Monitor website content for unauthorized changes or injected scripts. Once a patch becomes available, prioritize its deployment. Additionally, developers should review and improve input validation and output encoding practices in custom shortcodes and plugins to prevent similar vulnerabilities.