CVE-2025-12715 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Canadian Nutrition Facts Label plugin for WordPress, developed by emaude. This vulnerability affects all versions up to and including 3.0. The root cause is improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of the 'percentage' field within the Nutrition Label custom post type. Authenticated users with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into the 'percentage' field. Because the vulnerability is stored, the malicious script persists in the database and executes in the context of any user who views the affected page, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The CVSS 3.1 base score of 6.4 reflects that the attack vector is network-based (remote), with low attack complexity, requiring privileges (authenticated contributor access), no user interaction beyond viewing the page, and impacts confidentiality and integrity with no availability impact. No public exploits are currently known, but the vulnerability poses a moderate risk due to the common use of WordPress and the plugin in content management scenarios. The vulnerability was published on December 6, 2025, and no official patches have been linked yet, indicating that organizations must proactively mitigate the risk. The vulnerability's scope is limited to sites using this specific plugin and having users with contributor or higher roles who can input data into the vulnerable field.

For European organizations, this vulnerability could lead to unauthorized script execution within their WordPress sites, potentially compromising user accounts, stealing sensitive information, or enabling further attacks such as privilege escalation or phishing. Organizations with multiple contributors or collaborative content management workflows are particularly at risk, as contributors can inject malicious code. The impact is heightened for sites with high traffic or those serving sensitive user data, such as healthcare, nutrition, or e-commerce platforms. Exploitation could damage organizational reputation, lead to data breaches under GDPR regulations, and cause operational disruptions. Since the vulnerability affects confidentiality and integrity but not availability, the primary risks involve data theft and unauthorized actions rather than service downtime. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once patches are released or if the vulnerability becomes widely known.

1. Immediately restrict Contributor-level user permissions to trusted individuals only, minimizing the risk of malicious input. 2. Monitor and audit all inputs in the 'percentage' field within the Nutrition Label custom post type for suspicious or unexpected content. 3. Implement additional server-side input validation and output encoding for the affected field to sanitize inputs and prevent script injection, even if patches are not yet available. 4. Apply security plugins or Web Application Firewalls (WAFs) that can detect and block XSS payloads targeting this plugin. 5. Regularly update the Canadian Nutrition Facts Label plugin as soon as the vendor releases a patch addressing CVE-2025-12715. 6. Educate content contributors about safe input practices and the risks of injecting untrusted content. 7. Consider temporarily disabling or replacing the plugin if immediate patching is not possible and the risk is unacceptable. 8. Conduct security testing and code review of custom post types and input handling in WordPress environments to identify similar vulnerabilities.