CVE-2025-12754 is a stored cross-site scripting vulnerability identified in the rampantlogic Geopost plugin for WordPress, affecting all versions up to and including 1.2. The root cause is insufficient sanitization and escaping of user-supplied input, specifically the 'height' parameter within the 'geopost' shortcode. This flaw allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute in the context of any user who views the compromised page, potentially leading to session hijacking, user impersonation, or unauthorized actions performed on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, requiring only low complexity and privileges of an authenticated contributor, but no user interaction is needed for the payload to execute once injected. The scope is changed, as the vulnerability affects other users beyond the attacker. While no availability impact is noted, confidentiality and integrity can be partially compromised. No patches or known exploits are currently reported, but the vulnerability poses a tangible risk to WordPress sites using this plugin. The issue underscores the importance of proper input validation and output encoding in web applications to prevent XSS attacks.

For European organizations, this vulnerability poses a risk primarily to websites using the Geopost plugin on WordPress platforms. Exploitation could lead to unauthorized script execution in users' browsers, enabling theft of session cookies, redirection to malicious sites, or unauthorized actions performed with the victim's privileges. This can result in data leakage, user account compromise, and damage to organizational reputation. Since contributors can exploit the vulnerability, insider threats or compromised contributor accounts increase risk. The impact is particularly significant for organizations relying on WordPress for public-facing or internal portals where user trust and data confidentiality are critical. GDPR implications arise if personal data is exposed or manipulated, potentially leading to regulatory penalties. Although no availability impact is expected, the integrity and confidentiality breaches can disrupt business operations and erode customer trust. Organizations with high web traffic or sensitive user data are at elevated risk.

Organizations should immediately audit their WordPress installations to identify the presence of the Geopost plugin and its version. Since no official patch is currently available, temporary mitigations include disabling the plugin or restricting contributor-level access until a fix is released. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections targeting the 'height' parameter can reduce exploitation risk. Conduct thorough input validation and output encoding on all user-supplied data within custom code or plugins. Educate contributors about the risks of injecting untrusted content. Monitor logs for unusual activity or attempts to exploit the shortcode. Once a vendor patch is released, prioritize prompt application of updates. Additionally, consider employing Content Security Policy (CSP) headers to restrict execution of unauthorized scripts. Regularly review user roles and permissions to minimize the number of users with contributor or higher privileges.