CVE-2025-12672 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Flickr Show plugin for WordPress, developed by nuvuscripts. This vulnerability exists in all versions up to and including 1.5 and stems from improper neutralization of input during web page generation, specifically related to the 'div_height' parameter in the 'flickrshow' shortcode. The root cause is insufficient input sanitization and output escaping, allowing authenticated users with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the injected scripts are stored, they execute every time a user accesses the affected page, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability has a CVSS v3.1 base score of 6.4, indicating medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is significant because Contributor-level users are common in WordPress environments, and stored XSS can be leveraged for persistent attacks affecting multiple users. The flaw is categorized under CWE-79, which covers improper neutralization of input leading to XSS. Organizations using this plugin should be aware of the risk and monitor for updates or apply manual mitigations.

The primary impact of CVE-2025-12672 is on the confidentiality and integrity of affected WordPress sites using the Flickr Show plugin. Exploitation allows authenticated contributors or higher to inject malicious scripts that execute in the context of any user viewing the compromised page. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and defacement of website content. Since the vulnerability does not affect availability, denial of service is unlikely. However, the persistent nature of stored XSS increases the risk of widespread compromise across site visitors and administrators. Organizations relying on this plugin for content display may face reputational damage, data breaches, and potential regulatory consequences if user data is exposed. The requirement for Contributor-level access limits exploitation to insiders or compromised accounts, but given the commonality of such roles in WordPress sites, the risk remains substantial. The absence of known exploits in the wild suggests limited current active attacks, but the vulnerability should be treated proactively to prevent future exploitation.

To mitigate CVE-2025-12672, organizations should first check for and apply any official patches or updates from the nuvuscripts vendor once available. In the absence of patches, administrators should restrict Contributor-level access to trusted users only and audit existing contributors for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'div_height' parameter can provide temporary protection. Site owners can also sanitize and validate input parameters manually by modifying plugin code to enforce strict type and content checks on 'div_height', ensuring only numeric values are accepted. Regularly scanning the site for injected scripts and monitoring logs for unusual behavior is recommended. Additionally, educating contributors about secure content practices and limiting the use of shortcodes that accept user input can reduce risk. Employing Content Security Policy (CSP) headers to restrict script execution sources can help mitigate the impact of injected scripts. Finally, maintaining regular backups ensures recovery if exploitation occurs.