CVE-2025-12753 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Chart Expert plugin for WordPress, developed by sagortouch. The vulnerability exists in all versions up to and including 1.0 due to improper neutralization of script-related HTML tags (CWE-80) in the 'pmzez_chart' shortcode attributes. Specifically, the plugin fails to adequately sanitize and escape user-supplied input within shortcode attributes, allowing an authenticated attacker with contributor-level or higher privileges to inject arbitrary JavaScript code into WordPress pages. This malicious script is stored persistently and executed in the context of any user who views the compromised page, enabling theft of cookies, session tokens, or other sensitive information, and potentially facilitating further attacks such as privilege escalation or site defacement. The attack vector requires no user interaction beyond page viewing but does require authenticated access with contributor or higher permissions, which are commonly granted to content creators. The CVSS 3.1 base score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to potential impact on other users. No official patches or exploit code are currently available, but the vulnerability is publicly disclosed and should be considered a significant risk for affected WordPress sites.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the Chart Expert plugin on WordPress, especially those that allow contributor-level users to add or edit content. Exploitation could lead to unauthorized script execution in the browsers of site visitors, resulting in theft of session cookies, user impersonation, and potential data leakage. This can undermine the confidentiality and integrity of user data and website content. While availability is not directly impacted, reputational damage and loss of user trust can have significant business consequences. Organizations in sectors such as e-commerce, media, education, and government that rely on WordPress for public-facing content are particularly vulnerable. The requirement for authenticated access limits the attack surface but does not eliminate risk, as insider threats or compromised contributor accounts could be leveraged. Given the widespread use of WordPress in Europe, the vulnerability could affect a large number of sites, increasing the potential for targeted attacks or automated exploitation once proof-of-concept code becomes available.

To mitigate CVE-2025-12753, organizations should first verify if the Chart Expert plugin is installed and in use on their WordPress sites. Since no official patches are currently available, immediate mitigation steps include restricting contributor-level access to trusted users only and auditing existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections in shortcode parameters can reduce risk. Site administrators should also enforce strict input validation and output encoding practices in any custom code interacting with shortcodes. Monitoring logs for unusual shortcode usage or unexpected content changes can help detect exploitation attempts early. Additionally, organizations should prepare to apply patches promptly once released by the vendor and consider alternative plugins with better security track records if feasible. Regular security training for content contributors to recognize phishing and social engineering attacks can prevent account compromise that might lead to exploitation.