CVE-2025-12662 is a stored cross-site scripting vulnerability identified in the Coon Google Maps plugin for WordPress, affecting all versions up to and including 1.0. The vulnerability stems from improper neutralization of user-supplied input in the 'height' parameter of the 'map' shortcode, where insufficient input sanitization and output escaping allow malicious scripts to be stored within WordPress pages. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed in the context of the victim's session. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity level, with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is considered changed (S:C) because the vulnerability affects components beyond the initially compromised user. While no public exploits have been reported, the risk remains significant due to the common use of WordPress and the plugin's functionality. The lack of available patches necessitates immediate mitigation efforts by administrators. This vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation, a common vector for XSS attacks.

The primary impact of CVE-2025-12662 is the potential compromise of user confidentiality and integrity within affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors or administrators, enabling session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed on behalf of victims. This can lead to account takeover, defacement, or further compromise of the website. Although availability is not directly impacted, the reputational damage and trust erosion from successful attacks can be severe. Organizations relying on the Coon Google Maps plugin risk exposure of internal user data and potential lateral movement if administrative accounts are compromised. The medium CVSS score reflects the need for timely remediation, especially in environments where contributor access is common or where sensitive data is handled. The vulnerability also increases the attack surface for social engineering and phishing campaigns leveraging the compromised site content.

To mitigate CVE-2025-12662 effectively, organizations should immediately restrict contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. Implement strict input validation and output encoding on all user-supplied shortcode parameters, especially the 'height' attribute, to prevent injection of executable code. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable parameter. Monitor site content and logs for unusual script insertions or modifications indicative of exploitation attempts. Until an official patch is released, consider disabling or removing the Coon Google Maps plugin if feasible, or replace it with alternative, actively maintained plugins with secure coding practices. Educate content contributors about the risks of injecting untrusted content and enforce security policies around content creation. Regularly update WordPress core and plugins to incorporate security fixes promptly. Finally, conduct periodic security assessments and penetration testing to identify and remediate similar vulnerabilities proactively.