CVE-2025-12823 is a stored Cross-Site Scripting (XSS) vulnerability identified in the CSV to SortTable plugin for WordPress, which is widely used to convert CSV data into sortable tables on websites. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes in the 'csv' shortcode. This flaw allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all plugin versions up to and including 4.2. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the vulnerable component. No patches or exploit code are currently publicly available, and no known exploitation in the wild has been reported. The vulnerability was reserved and published in November 2025 by Wordfence. Given the nature of WordPress plugins and the common use of contributor roles in content management, this vulnerability poses a realistic threat to websites that use this plugin and allow multiple contributors to add content via shortcodes.

For European organizations, this vulnerability can lead to significant risks including session hijacking, unauthorized actions performed by attackers on behalf of legitimate users, and potential defacement or data theft from affected websites. Organizations relying on WordPress for public-facing websites or intranet portals that use the CSV to SortTable plugin are particularly vulnerable if they allow contributor-level users to add or edit content. The stored XSS can compromise the confidentiality and integrity of user data and website content. While availability impact is low, the reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data exposure could be substantial. Attackers exploiting this vulnerability could target organizations in sectors such as media, education, government, and e-commerce, where WordPress is prevalent. The requirement for contributor-level access limits the attack surface but does not eliminate risk, especially in environments with many content editors or weak internal access controls.

European organizations should immediately audit their WordPress installations to identify usage of the CSV to SortTable plugin and verify the plugin version. Until an official patch is released, restrict contributor-level user permissions to prevent shortcode insertion or editing of pages containing the 'csv' shortcode. Implement strict content review and approval workflows to detect and block malicious shortcode content. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections in shortcode parameters. Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor website logs and user activities for unusual behavior indicative of XSS exploitation. Educate content contributors about the risks of injecting untrusted data. Once patches become available, prioritize immediate updates of the plugin. Additionally, consider isolating or disabling the plugin if it is not essential to reduce attack surface.