CVE-2025-12715 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Canadian Nutrition Facts Label plugin for WordPress, developed by emaude. This vulnerability arises from improper neutralization of input during web page generation (CWE-79). Specifically, the 'percentage' field within the Nutrition Label custom post type fails to adequately sanitize and escape user-supplied input before rendering it on web pages. As a result, authenticated attackers with Contributor-level permissions or higher can inject arbitrary JavaScript code into the plugin's pages. When other users access these compromised pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed in the context of the victim's session. The vulnerability affects all plugin versions up to and including 3.0. The CVSS v3.1 base score is 6.4, indicating a medium severity level. The vector metrics indicate network attack vector (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), scope changed (S:C), and partial impact on confidentiality and integrity (C:L/I:L), with no impact on availability (A:N). No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was reserved on November 4, 2025, and published on December 6, 2025. This issue is critical for WordPress sites using this plugin, especially those allowing Contributor-level users to create or edit Nutrition Label posts.

The primary impact of CVE-2025-12715 is the potential compromise of user confidentiality and integrity on affected WordPress sites. An attacker with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of victims, or defacement of site content. Since the vulnerability requires authenticated access, the risk is somewhat limited to environments where Contributor or higher roles are assigned to users who may be untrusted or compromised. However, many WordPress sites allow multiple contributors, increasing the attack surface. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the attacker's privileges, amplifying the risk. Although no availability impact is noted, the integrity and confidentiality risks can lead to reputational damage, loss of user trust, and potential regulatory consequences for organizations handling sensitive data. Given the widespread use of WordPress and the plugin's niche for Canadian nutrition labeling, organizations in food, health, and regulatory sectors using this plugin are particularly at risk.

To mitigate CVE-2025-12715, organizations should first check for and apply any official patches or updates from the emaude plugin developer once available. In the absence of a patch, administrators should restrict Contributor-level access to trusted users only, minimizing the risk of malicious input. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the 'percentage' field can provide temporary protection. Site owners can also sanitize and validate input on the server side by customizing the plugin code or using additional security plugins that enforce strict input validation and output escaping. Regular security audits and monitoring for unusual user activity or injected scripts in Nutrition Label posts are recommended. Additionally, educating content contributors about safe input practices and limiting the use of HTML or script tags in user-generated content can reduce exploitation chances. Finally, consider disabling or replacing the plugin if it is not critical to site functionality until a secure version is released.