CVE-2025-12661 is a stored Cross-Site Scripting (XSS) vulnerability identified in the qzzr Pollcaster Shortcode Plugin for WordPress, specifically affecting all versions up to and including 1.0. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The issue resides in the 'height' parameter of the 'pollcaster' shortcode, where insufficient input sanitization and lack of output escaping allow authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. This malicious code is stored persistently within the WordPress site content and executes in the context of any user who views the affected page, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability does not require user interaction beyond visiting the compromised page and does not affect availability but impacts confidentiality and integrity. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. No known exploits have been reported in the wild yet. The vulnerability highlights the risk posed by plugins that do not properly sanitize user input, especially in environments where multiple users have content editing capabilities. The lack of a patch at the time of reporting necessitates immediate risk mitigation through access control and monitoring.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of web applications running WordPress with the Pollcaster Shortcode Plugin installed. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed under the victim's credentials. This can undermine user trust, lead to data breaches, and damage organizational reputation. Since the vulnerability requires authenticated access, the risk is higher in environments with numerous contributors or where account compromise is possible. The impact is particularly significant for organizations relying on WordPress for public-facing websites, intranets, or customer portals. Additionally, the cross-site scripting flaw could be leveraged as a stepping stone for further attacks, including phishing or malware distribution. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities rapidly after disclosure.

1. Immediately restrict contributor-level and higher user permissions to trusted personnel only, minimizing the risk of malicious input injection. 2. Monitor and audit user-generated content, especially any changes involving the 'pollcaster' shortcode or the 'height' parameter, to detect suspicious activity. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the affected parameter. 4. Apply strict input validation and output encoding on all shortcode attributes, particularly the 'height' parameter, either by updating the plugin when a patch is released or by custom code modifications. 5. Educate content contributors about the risks of injecting untrusted code and enforce secure content creation policies. 6. Regularly update WordPress core, plugins, and themes to incorporate security patches promptly. 7. Consider temporarily disabling or removing the Pollcaster Shortcode Plugin if immediate patching is not possible and the plugin is not critical to operations. 8. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites.