CVE-2025-12667 is a stored cross-site scripting vulnerability identified in the paul1999 GitHub Gist Shortcode Plugin for WordPress, present in all versions up to and including 0.2. The vulnerability stems from improper neutralization of input during web page generation, specifically inadequate sanitization and escaping of the 'id' parameter within the 'gist' shortcode. Authenticated attackers with Contributor-level or higher privileges can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize the shortcode. Because the malicious script is stored persistently, it executes in the context of any user who views the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or known exploits are currently reported, but the risk remains significant due to the widespread use of WordPress and the plugin's functionality. The vulnerability is classified under CWE-79, highlighting improper input validation leading to cross-site scripting. The flaw's exploitation could facilitate further attacks such as privilege escalation or phishing within the affected sites.

The primary impact of CVE-2025-12667 is the compromise of confidentiality and integrity within WordPress sites using the vulnerable plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, defacement, or distribution of malware. This can erode user trust, damage brand reputation, and lead to data breaches. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts pose a significant risk. The scope change in the CVSS vector indicates that the attack can affect resources beyond the initial vulnerable component, potentially impacting other parts of the website or connected systems. Organizations relying on this plugin for embedding GitHub Gists may face increased risk of targeted attacks, especially if they have a large user base or handle sensitive information. Although no known exploits are reported, the medium severity and ease of exploitation by authenticated users make timely remediation critical to prevent escalation or lateral movement within the site environment.

To mitigate CVE-2025-12667, organizations should immediately assess their use of the paul1999 GitHub Gist Shortcode Plugin and upgrade to a patched version once available. In the absence of an official patch, administrators should implement strict input validation and output encoding on the 'id' parameter to neutralize malicious scripts. Restrict Contributor-level and higher privileges to trusted users only, and regularly audit user roles and permissions to minimize the risk of insider exploitation. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode inputs. Monitor website logs and user activity for unusual behavior indicative of XSS exploitation attempts. Educate content contributors about the risks of injecting untrusted content. Additionally, consider disabling or replacing the plugin with alternatives that follow secure coding practices. Regularly update WordPress core and all plugins to reduce exposure to known vulnerabilities.