CVE-2025-12712 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Shouty plugin for WordPress, maintained by gungorbudak. The flaw exists in all versions up to and including 0.2.1 and stems from insufficient sanitization and escaping of user-supplied attributes in the shouty shortcode. Authenticated users with Contributor-level permissions or higher can exploit this vulnerability by injecting arbitrary JavaScript code into pages or posts that utilize the shortcode. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially allowing attackers to hijack user sessions, steal cookies, perform actions on behalf of users, or deliver further payloads. The vulnerability requires authentication but no user interaction to trigger once the malicious content is stored. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges. No public exploits have been reported yet, but the risk remains significant for sites with multiple contributors. The lack of patch links suggests a fix may not yet be available, emphasizing the need for immediate mitigation steps.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the Shouty plugin installed. The ability for low-privileged authenticated users to inject persistent scripts can lead to compromised user accounts, data leakage, and unauthorized actions performed under the guise of legitimate users. This is particularly concerning for organizations with collaborative content management workflows involving multiple contributors. The impact extends to the integrity and confidentiality of web content and user data, potentially damaging organizational reputation and leading to regulatory compliance issues under GDPR if personal data is exposed. Availability is not directly impacted. Given the widespread use of WordPress across Europe, especially in sectors like media, education, and SMEs, the threat could affect a broad range of entities. The absence of known exploits reduces immediate risk but does not eliminate the potential for targeted attacks.

European organizations should immediately audit their WordPress installations to identify the presence of the Shouty plugin, especially versions up to 0.2.1. If found, they should disable or remove the plugin until a secure update is released. In the interim, restrict Contributor-level permissions to trusted users only and monitor for unusual shortcode usage or injected content. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injections in shortcode attributes. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Regularly review user roles and permissions to minimize the number of users who can inject content. Additionally, educate content contributors about the risks of injecting untrusted code and establish strict content review processes. Once a patch is available, apply it promptly and verify that input sanitization and output escaping are correctly enforced.