CVE-2025-12710 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 found in the Pet-Manager – Petfinder plugin for WordPress, affecting all versions up to and including 3.6.1. The root cause is insufficient sanitization and escaping of user-supplied attributes in the kwm-petfinder shortcode, which is used to embed pet-finder related content on WordPress pages. Authenticated attackers with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts via the shortcode attributes. Because the malicious script is stored persistently, it executes in the context of any user who views the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the infected page but does require the attacker to have some authenticated access, limiting remote anonymous exploitation. The CVSS v3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to impact on other users. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the risks of improper input validation in WordPress plugins, especially those that allow user-generated content or shortcode attributes.

The primary impact of CVE-2025-12710 is the compromise of confidentiality and integrity on affected WordPress sites using the Pet-Manager – Petfinder plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of site visitors, which can lead to session hijacking, theft of sensitive information such as cookies or credentials, defacement of site content, or redirection to malicious sites. Since the vulnerability requires authenticated access at Contributor level or above, the risk is higher in environments where multiple users have content creation privileges. The vulnerability does not directly affect availability but can indirectly cause reputational damage and loss of user trust. For organizations relying on this plugin for pet management or adoption services, exploitation could disrupt business operations and expose user data. The scope includes all websites running vulnerable versions of the plugin, which may be widespread given WordPress’s popularity. Although no known exploits exist currently, the medium CVSS score and ease of exploitation by authenticated users make this a significant threat that should be addressed promptly.

1. Immediate mitigation involves restricting Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious shortcode injection. 2. Site administrators should monitor and audit content created via the kwm-petfinder shortcode for suspicious scripts or unexpected content. 3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script patterns in shortcode attributes. 4. Disable or remove the Pet-Manager – Petfinder plugin if not essential, or replace it with alternatives that follow secure coding practices. 5. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 6. Regularly update WordPress core and plugins when official patches become available for this vulnerability. 7. Educate content creators about the risks of injecting untrusted input and enforce input validation policies. 8. Use security plugins that scan for stored XSS vulnerabilities and alert administrators. These steps go beyond generic advice by focusing on permission management, monitoring shortcode usage, and leveraging layered defenses.