CVE-2025-12662 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 found in the Coon Google Maps plugin for WordPress. The vulnerability exists due to insufficient input sanitization and output escaping of the 'height' parameter within the 'map' shortcode. This flaw allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially enabling session hijacking, credential theft, or unauthorized actions within the context of the affected site. The vulnerability affects all versions up to and including 1.0 of the plugin. The CVSS 3.1 score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability can affect other users beyond the attacker. No known public exploits have been reported yet. The root cause is the failure to properly neutralize user input in the shortcode attribute, a common issue in WordPress plugins that handle user-generated content. This vulnerability is particularly dangerous in multi-user WordPress environments where contributors can add content but are not fully trusted. Attackers can leverage this to escalate privileges or compromise site visitors. The lack of patches at the time of reporting necessitates immediate mitigation steps.

For European organizations, especially those operating WordPress sites with the Coon Google Maps plugin installed, this vulnerability poses a significant risk. Exploitation can lead to unauthorized script execution in the browsers of site visitors and administrators, resulting in session hijacking, theft of sensitive information, or defacement. This can damage organizational reputation, lead to data breaches, and potentially violate GDPR requirements concerning data protection and breach notification. The requirement for contributor-level access limits the attack surface but does not eliminate risk, as many organizations allow multiple contributors or editors. The vulnerability could be exploited internally by malicious insiders or compromised contributor accounts. Given the widespread use of WordPress in Europe, particularly among SMEs and public sector websites, the impact could be broad. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network or to distribute malware to site visitors. The absence of known exploits reduces immediate risk but does not preclude future active exploitation.

1. Immediately audit user roles and permissions in WordPress to ensure that only trusted users have contributor-level or higher access. 2. Temporarily disable or remove the Coon Google Maps plugin until a security patch is released. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'height' parameter in the 'map' shortcode. 4. Enforce strict input validation and output escaping in any custom code interacting with the plugin or similar shortcodes. 5. Monitor logs for unusual activity from contributor accounts, including unexpected shortcode usage or content changes. 6. Educate content contributors about the risks of injecting untrusted content and the importance of security hygiene. 7. Once available, promptly apply vendor patches or updates addressing this vulnerability. 8. Consider deploying Content Security Policy (CSP) headers to limit the impact of potential XSS attacks. 9. Regularly back up WordPress sites to enable quick restoration if compromise occurs. 10. Use security plugins that can scan for malicious code injections and alert administrators.