CVE-2025-12661 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Pollcaster Shortcode Plugin for WordPress, specifically affecting all versions up to and including 1.0. The root cause is insufficient sanitization and escaping of user-supplied input in the 'height' parameter of the 'pollcaster' shortcode. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages or posts. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C). The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet. The vulnerability affects all versions of the Pollcaster Shortcode Plugin up to 1.0, which is used to embed polls via shortcodes in WordPress sites. Since WordPress powers a significant portion of the web, and contributor-level users are common in multi-author blogs and organizational sites, this vulnerability poses a meaningful risk if left unmitigated.

The primary impact of CVE-2025-12661 is the potential compromise of user confidentiality and integrity within affected WordPress sites. Exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the browsers of any user viewing the infected pages. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of users, or redirection to malicious sites. Although availability is not directly impacted, the trustworthiness and security posture of the affected websites can be severely damaged. Organizations relying on the Pollcaster Shortcode Plugin may face reputational damage, data breaches, and potential compliance violations if sensitive user data is exposed. Since the attack requires authenticated access, insider threats or compromised contributor accounts are the most likely vectors. The scope of affected systems is limited to WordPress sites using this specific plugin, but given WordPress's widespread use, the absolute number of vulnerable sites could be substantial. The lack of public exploits currently reduces immediate risk but also means defenders should act proactively.

To mitigate CVE-2025-12661, organizations should first check for and apply any available patches or updates from the plugin vendor once released. In the absence of official patches, administrators should consider temporarily disabling or removing the Pollcaster Shortcode Plugin to eliminate the attack surface. Restrict contributor-level permissions to trusted users only and audit existing contributor accounts for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'height' parameter in the 'pollcaster' shortcode. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Educate content contributors about safe input practices and monitor site content for unexpected script injections. Regularly review and sanitize user-generated content before publishing. Finally, consider using security plugins that provide enhanced input validation and output escaping for shortcodes and user inputs in WordPress.