CVE-2025-12717 is a stored cross-site scripting vulnerability classified under CWE-79 affecting the List Attachments Shortcode plugin for WordPress, versions up to and including 0.4.1a. The vulnerability stems from insufficient sanitization and escaping of the 'before_list' parameter within the [list-attachments] shortcode, allowing authenticated users with Author-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is exploitable remotely over the network without user interaction beyond page viewing. The CVSS 3.1 base score is 6.4, reflecting a medium severity with low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change (affecting other users). No patches are currently linked, and no known exploits have been observed in the wild. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that handle user-generated content or shortcode parameters.

This vulnerability allows authenticated attackers with Author-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users viewing those pages. The impact includes potential theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, and exposure of sensitive information. While it does not directly affect system availability, the compromise of user accounts and data integrity can lead to reputational damage, loss of user trust, and compliance violations. Organizations relying on the affected plugin for content management or document attachment listing are at risk of targeted attacks, especially if they have multiple users with elevated privileges. The scope of impact extends beyond the attacker’s own account, affecting all visitors or users who access the infected pages. Given the medium CVSS score, the threat is significant but requires authenticated access, limiting exposure to internal or trusted users with sufficient privileges.

To mitigate this vulnerability, organizations should immediately upgrade the List Attachments Shortcode plugin to a version that addresses the issue once available. Until a patch is released, administrators should restrict Author-level and higher privileges to trusted users only and review existing content for injected scripts. Implementing Web Application Firewall (WAF) rules that detect and block suspicious script tags or unusual shortcode parameters can help reduce risk. Additionally, applying Content Security Policy (CSP) headers to restrict execution of inline scripts and untrusted sources can mitigate exploitation impact. Developers maintaining the plugin should apply proper input validation and output escaping techniques, such as sanitizing the 'before_list' parameter using WordPress’s built-in functions like esc_html() or wp_kses(). Regular security audits of plugins and limiting plugin usage to trusted and actively maintained ones are recommended. Monitoring logs for unusual shortcode usage or script injections can provide early detection of exploitation attempts.