CVE-2025-12753 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Chart Expert plugin for WordPress, developed by sagortouch. This vulnerability exists in all versions up to and including 1.0 and is due to insufficient input sanitization and output escaping of user-supplied attributes within the 'pmzez_chart' shortcode. Specifically, authenticated users with contributor-level access or higher can inject arbitrary JavaScript code into pages or posts by manipulating shortcode parameters. Because the malicious script is stored persistently in the WordPress database, it executes every time a user accesses the infected page, potentially affecting site administrators, editors, and visitors. The vulnerability is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a common XSS category. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. Although no public exploits are currently known, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin. The lack of patches or official fixes at the time of disclosure necessitates immediate mitigation efforts by site administrators.

The exploitation of this stored XSS vulnerability can lead to several adverse impacts on affected organizations. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of any user viewing the compromised content, including administrators. This can result in session hijacking, theft of authentication cookies, defacement of website content, redirection to malicious sites, or the execution of further attacks such as privilege escalation or malware distribution. The integrity and confidentiality of user data and site content are at risk, while availability is less directly impacted. Given WordPress's extensive global usage, especially in small to medium enterprises and content-driven websites, the vulnerability could facilitate widespread compromise if exploited. The requirement for contributor-level privileges limits exposure but does not eliminate risk, as many sites allow user-generated content from trusted users. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the initially vulnerable component, increasing potential impact.

To mitigate CVE-2025-12753 effectively, organizations should first check for and apply any official patches or updates from sagortouch once available. In the absence of patches, site administrators should implement strict input validation and output encoding on all shortcode attributes, especially those processed by 'pmzez_chart'. Employing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injections in shortcode parameters can provide interim protection. Restrict contributor-level access to trusted users only and audit existing content for injected scripts. Additionally, enabling Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script execution sources. Regularly monitoring logs and user activity for anomalies related to shortcode usage is advised. Finally, educating content contributors about secure input practices and the risks of injecting untrusted code can reduce accidental exploitation.