CVE-2025-12717 is a stored Cross-Site Scripting vulnerability identified in the List Attachments Shortcode plugin for WordPress, affecting all versions up to and including 0.4.1a. The vulnerability stems from insufficient sanitization and escaping of the 'before_list' parameter used within the [list-attachments] shortcode. This parameter can be manipulated by authenticated users with Author-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or escalate privileges within the WordPress environment. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector over the network, low attack complexity, requiring privileges (Author or higher), no user interaction, and affecting confidentiality and integrity with a scope change. No public exploits have been reported yet. The vulnerability is particularly dangerous because it allows persistent script injection, affecting all visitors to the compromised pages. The root cause is the plugin's failure to properly neutralize input during web page generation, a classic CWE-79 issue. Since the plugin is widely used in WordPress sites to manage attachment listings, the exposure can be significant if not remediated promptly.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of web applications running WordPress with the affected plugin. Attackers with Author-level access can inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, unauthorized actions, or data theft. This can damage organizational reputation, lead to data breaches, and compromise user trust. Since WordPress powers a substantial portion of websites in Europe, including corporate, governmental, and non-profit sectors, the impact can be widespread. The vulnerability does not affect availability directly but can facilitate further attacks that might. Organizations with multi-user WordPress environments where multiple authors contribute content are at higher risk. Additionally, the scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, increasing potential damage. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially once exploit code becomes available.

1. Immediately restrict Author-level and higher privileges to trusted users only, minimizing the risk of malicious input injection. 2. Monitor and audit user-generated content, especially content that uses the [list-attachments] shortcode with the 'before_list' parameter. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection patterns targeting this parameter. 4. Apply strict input validation and output escaping in any custom code interacting with the plugin or shortcode parameters. 5. Regularly update the List Attachments Shortcode plugin once the vendor releases a patched version addressing this vulnerability. 6. Educate content authors about the risks of injecting untrusted content and enforce content submission policies. 7. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 8. Conduct penetration testing focused on XSS vulnerabilities in WordPress environments to identify and remediate similar issues proactively.