The Canadian Nutrition Facts Label plugin for WordPress, developed by emaude, suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-12715. This vulnerability exists due to improper neutralization of input during web page generation, specifically in the 'percentage' field of the Nutrition Label custom post type. All plugin versions up to and including 3.0 are affected. The root cause is insufficient input sanitization and lack of output escaping, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code. When other users access the compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or delivery of further malware. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability can affect other users beyond the attacker. No public exploits have been reported yet. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow content creation by multiple user roles. The plugin is used primarily in contexts related to food and nutrition labeling, which may be relevant for websites in the health, retail, and regulatory sectors.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of user sessions and data on affected WordPress sites. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive information, or defacement of web content. This can damage organizational reputation, lead to regulatory compliance issues (especially under GDPR if personal data is compromised), and disrupt business operations. Organizations in sectors such as food retail, health services, and regulatory bodies that use this plugin for nutrition labeling are particularly at risk. The vulnerability could also be leveraged as a foothold for further attacks within the network if combined with other vulnerabilities or social engineering. Although no known exploits are currently in the wild, the medium severity and ease of exploitation by authenticated users warrant proactive mitigation. The impact on availability is low, but the potential for data leakage and integrity compromise is moderate.

1. Immediately restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious content injection. 2. Monitor and audit existing content in the 'percentage' field of the Nutrition Label custom post type for suspicious or unexpected scripts. 3. Apply patches or updates from the plugin vendor as soon as they become available to address the input sanitization and output escaping flaws. 4. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting this plugin’s fields. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 6. Educate content creators and administrators about the risks of injecting untrusted content and enforce strict input validation policies. 7. Consider disabling or replacing the plugin if timely patches are not available and the risk is unacceptable. 8. Regularly scan WordPress installations with security tools to detect anomalies or malicious code injections related to this vulnerability.