CVE-2025-12672 is a stored cross-site scripting vulnerability identified in the Flickr Show plugin for WordPress, affecting all versions up to and including 1.5. The root cause is insufficient sanitization and output escaping of the 'div_height' parameter within the 'flickrshow' shortcode. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts that use this shortcode. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS v3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based, requires low attack complexity, and privileges at the contributor level, but no user interaction is needed for exploitation. The scope is changed because the vulnerability affects other users beyond the attacker. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WordPress and the plugin’s functionality. The lack of patches at the time of publication necessitates immediate mitigation steps to reduce exposure.

For European organizations, this vulnerability poses a risk primarily to websites using the Flickr Show plugin on WordPress, especially those with multiple contributors or editors who have the ability to add or modify shortcode parameters. Successful exploitation can lead to the execution of malicious scripts in the browsers of site visitors, which may result in theft of session cookies, defacement, unauthorized actions, or distribution of malware. This can damage organizational reputation, lead to data breaches involving user information, and potentially violate GDPR requirements regarding data protection and breach notification. The medium severity score reflects moderate impact on confidentiality and integrity, with no direct impact on availability. However, the cross-site scripting nature means that attackers can pivot to further attacks such as phishing or privilege escalation. Organizations relying on WordPress for public-facing or internal sites should consider this a significant threat vector.

1. Immediately audit user roles and restrict Contributor-level permissions to trusted users only, minimizing the number of users who can exploit this vulnerability. 2. Implement strict input validation and output encoding for the 'div_height' parameter in the shortcode, either by applying custom filters or using security plugins that sanitize shortcode inputs. 3. Monitor WordPress posts and pages for suspicious or unexpected shortcode usage, especially any unusual values in 'div_height'. 4. Disable or remove the Flickr Show plugin if it is not essential to reduce attack surface. 5. Stay alert for official patches or updates from the vendor and apply them promptly once available. 6. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 7. Use Web Application Firewalls (WAFs) that can detect and block XSS payloads targeting this plugin. 8. Educate contributors about secure content practices and the risks of injecting untrusted inputs. 9. Regularly back up website content to enable quick restoration if an attack occurs.