CVE-2025-12710 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, present in the Pet-Manager – Petfinder plugin for WordPress. This vulnerability arises from improper neutralization of user-supplied input within the kwm-petfinder shortcode, where insufficient sanitization and output escaping allow authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code. When other users access pages containing the injected shortcode, the malicious script executes in their browsers, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or defacement. The vulnerability affects all versions up to and including 3.6.1, with no patches currently available. The CVSS 3.1 base score is 6.4, reflecting a medium severity due to network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed as the vulnerability can affect other users beyond the attacker. No known exploits have been reported in the wild, but the risk remains significant for sites that allow Contributor-level users to add or edit content using the vulnerable shortcode. The plugin’s widespread use in WordPress sites for pet management increases the attack surface. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins that accept user-generated content.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the Pet-Manager – Petfinder plugin on WordPress. Exploitation could lead to theft of user credentials, session hijacking, unauthorized actions performed on behalf of users, and defacement of public-facing pages, damaging brand reputation and user trust. Organizations relying on Contributor-level users to manage content are particularly vulnerable, as these users can inject malicious scripts. The impact on confidentiality and integrity is moderate, while availability is not affected. Given the plugin’s niche market, the overall impact is limited to organizations in pet services, veterinary clinics, or animal shelters using this plugin. However, compromised sites could be leveraged as a foothold for broader attacks within an organization’s network. Compliance with GDPR and other data protection regulations may be at risk if personal data is exposed or manipulated via this vulnerability.

1. Immediately review and restrict Contributor-level user permissions to trusted personnel only, minimizing the risk of malicious shortcode injection. 2. Implement strict input validation and output encoding for all user-supplied attributes in the kwm-petfinder shortcode, possibly via custom filters or security plugins that sanitize shortcode inputs. 3. Monitor website content for unexpected or suspicious shortcode usage and injected scripts using security scanning tools tailored for WordPress. 4. Disable or remove the Pet-Manager – Petfinder plugin if it is not essential, or replace it with a more secure alternative. 5. Keep WordPress core and all plugins updated; monitor vendor announcements for patches addressing this vulnerability. 6. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected sites. 7. Educate content contributors about the risks of injecting untrusted code and enforce strict content review processes. 8. Use Web Application Firewalls (WAF) that can detect and block XSS payloads targeting this plugin’s shortcode parameters. 9. Regularly audit user roles and capabilities to ensure no privilege escalation has occurred. 10. Prepare incident response plans to quickly address any detected exploitation attempts.