CVE-2025-12710 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Pet-Manager – Petfinder plugin for WordPress, affecting all versions up to and including 3.6.1. The root cause is insufficient sanitization and escaping of user-supplied attributes in the kwm-petfinder shortcode, which allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the browsers of any users who visit the compromised pages. The vulnerability does not require user interaction beyond page access and can lead to partial compromise of confidentiality and integrity, such as session hijacking, defacement, or unauthorized actions performed on behalf of other users. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network exploitable with low attack complexity, requiring privileges but no user interaction, and impacts confidentiality and integrity with scope change. No patches are currently linked, and no known exploits are reported in the wild, but the risk remains significant for sites that allow multiple contributors. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that process user-generated content. Organizations relying on this plugin should audit their user roles and content submission workflows to mitigate risk until an official patch is available.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the Pet-Manager – Petfinder plugin on WordPress that allow Contributor-level or higher user roles. Exploitation could lead to unauthorized script execution in users' browsers, resulting in session hijacking, theft of sensitive information, or unauthorized actions performed with the victim's privileges. This can damage organizational reputation, lead to data breaches, and potentially violate GDPR requirements concerning data protection and breach notification. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts increase risk. The scope includes any organization running vulnerable versions of the plugin, especially those with active user-generated content or multiple contributors. The impact on availability is minimal, but confidentiality and integrity risks are moderate. Given the widespread use of WordPress in Europe and the popularity of pet-related websites, the threat could affect a broad range of small to medium enterprises, NGOs, and community platforms. The absence of known exploits reduces immediate urgency but does not eliminate the risk of future attacks.

1. Immediately restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 2. Implement strict input validation and output escaping on all user-supplied data, especially within the kwm-petfinder shortcode, to prevent script injection. 3. Monitor website content for suspicious or unexpected script tags or inline JavaScript that could indicate exploitation. 4. Disable or remove the Pet-Manager – Petfinder plugin if it is not essential to business operations until a security patch is released. 5. Employ Web Application Firewalls (WAFs) with rules targeting common XSS payloads to provide an additional layer of defense. 6. Educate content contributors about safe content submission practices and the risks of injecting scripts. 7. Regularly audit user roles and permissions to ensure least privilege principles are enforced. 8. Stay updated with vendor announcements and apply patches promptly once available. 9. Consider implementing Content Security Policy (CSP) headers to restrict script execution sources on affected sites. 10. Conduct security testing and code reviews on custom shortcodes or plugins that handle user input.