CVE-2025-12711 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Share to Google Classroom plugin for WordPress, developed by pritenhshah. The vulnerability exists in all versions up to and including 1.0 due to insufficient sanitization and escaping of user-supplied attributes within the share_to_google shortcode. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the shortcode parameters. Because the malicious script is stored persistently, it executes in the context of any user who visits the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security issue. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity. No patches or fixes have been published yet, and no known exploits are currently observed in the wild. The vulnerability affects WordPress sites using this plugin, which is likely deployed in educational environments leveraging Google Classroom integration. The persistent nature of the XSS increases the risk of widespread impact if exploited.

The impact of CVE-2025-12711 can be significant for organizations using the Share to Google Classroom plugin on WordPress, especially educational institutions and organizations integrating Google Classroom functionalities. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts that execute in the browsers of any users viewing the compromised pages. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the vulnerability affects confidentiality and integrity but not availability, the primary risks are data exposure and trust erosion. The requirement for authenticated access limits the attack surface but does not eliminate risk, as contributor-level accounts are common in collaborative environments. The scope includes any WordPress site using this plugin, which could be global given WordPress's widespread adoption. Without mitigation, attackers could leverage this vulnerability to escalate privileges or move laterally within affected networks, especially in education sectors where Google Classroom is prevalent.

To mitigate CVE-2025-12711, organizations should first check for any official patches or updates from the plugin developer and apply them immediately once available. In the absence of patches, administrators should consider disabling or removing the Share to Google Classroom plugin to eliminate the attack vector. Restricting Contributor-level permissions to trusted users only can reduce the risk of exploitation. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections in shortcode parameters can provide temporary protection. Additionally, applying Content Security Policy (CSP) headers can limit the execution of unauthorized scripts in browsers. Regularly auditing user roles and monitoring for unusual shortcode usage or injected content can help detect exploitation attempts. Educating users about the risks of XSS and maintaining up-to-date backups will aid in recovery if an attack occurs. Finally, developers should review and improve input validation and output encoding practices in the plugin code to prevent similar vulnerabilities.