CVE-2025-12711 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Share to Google Classroom plugin for WordPress, developed by pritenhshah. This vulnerability exists in all versions up to and including 1.0 due to improper neutralization of user-supplied input in the share_to_google shortcode. Specifically, the plugin fails to adequately sanitize and escape attributes provided by authenticated users with Contributor-level privileges or higher. As a result, these users can inject arbitrary JavaScript code that is persistently stored and executed in the context of any user who visits the affected page. The vulnerability leverages CWE-79, a common web application security weakness related to improper input validation during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. The impact primarily affects confidentiality and integrity, as attackers can steal session tokens, perform actions on behalf of other users, or manipulate page content. Availability is not impacted. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. The vulnerability is particularly concerning in environments where multiple users have Contributor or higher roles, such as educational or collaborative websites using Google Classroom integration.

For European organizations, especially educational institutions and businesses utilizing WordPress with the Share to Google Classroom plugin, this vulnerability poses a significant risk to data confidentiality and integrity. Attackers with relatively low privileges can inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, unauthorized actions, defacement, or distribution of malware. This can result in data breaches, loss of user trust, and compliance violations under regulations like GDPR. Since the plugin integrates with Google Classroom, which is widely used in European education sectors, the impact could extend to sensitive student and staff information. The vulnerability does not directly affect availability but can disrupt normal operations through indirect means such as phishing or malware spread. The requirement for authenticated access limits exposure but does not eliminate risk, especially in environments with many contributors or weak access controls.

1. Immediately audit user roles and permissions on WordPress sites using the Share to Google Classroom plugin, restricting Contributor-level access to trusted users only. 2. Monitor and review all content created using the share_to_google shortcode for suspicious or unexpected scripts. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious script injections targeting the shortcode parameters. 4. Apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Encourage plugin developers or maintainers to release a patch that properly sanitizes and escapes all user inputs in the shortcode attributes; deploy such patches promptly once available. 6. Educate site administrators and contributors about the risks of injecting untrusted content and enforce secure content creation policies. 7. Regularly update WordPress core and all plugins to minimize exposure to known vulnerabilities. 8. Consider disabling or replacing the vulnerable plugin if immediate patching is not feasible, especially in high-risk environments.