CVE-2025-12712 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Shouty plugin for WordPress, maintained by gungorbudak. The flaw exists in all versions up to and including 0.2.1 due to insufficient sanitization and escaping of user-supplied attributes within the shouty shortcode. This vulnerability allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No patches or known exploits are currently reported, but the vulnerability's presence in a popular CMS plugin makes it a notable risk. The vulnerability highlights the importance of rigorous input validation and output encoding in web applications, especially those allowing user-generated content. The scope includes all installations of the Shouty plugin up to version 0.2.1, which may be present on numerous WordPress sites worldwide.

The primary impact of this vulnerability is the compromise of confidentiality and integrity of user data on affected WordPress sites. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of users with higher privileges. This can lead to account takeover, data leakage, and erosion of user trust. Since WordPress powers a significant portion of the web, sites using the Shouty plugin are at risk of targeted attacks, especially if Contributor access is granted to untrusted users. The vulnerability does not affect availability directly but can facilitate further attacks that degrade service or lead to site defacement. Organizations relying on WordPress for content management, especially those with multiple contributors, face increased risk of internal threat exploitation or compromised user accounts. The absence of known exploits in the wild suggests limited current exploitation but also indicates a window of opportunity for attackers once exploit code becomes available.

1. Immediately restrict Contributor-level access to trusted users only, minimizing the risk of malicious shortcode injection. 2. Monitor and audit usage of the shouty shortcode across the site to detect suspicious or unexpected attribute values. 3. Disable or remove the Shouty plugin until a security patch or update addressing this vulnerability is released by the vendor. 4. Implement Web Application Firewall (WAF) rules to detect and block malicious script injections targeting the shouty shortcode parameters. 5. Educate content contributors about safe content practices and the risks of injecting untrusted code. 6. Once a patch is available, promptly apply updates to the plugin to ensure proper input sanitization and output escaping. 7. Consider employing Content Security Policy (CSP) headers to limit the impact of potential XSS attacks by restricting script execution sources. 8. Regularly review user roles and permissions to ensure least privilege principles are enforced. 9. Conduct security scans and penetration tests focusing on shortcode and user-generated content injection points.