CVE-2025-12823 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the CSV to SortTable plugin for WordPress. This plugin enables users to convert CSV data into sortable HTML tables via a shortcode mechanism. The vulnerability exists due to insufficient sanitization and escaping of user-supplied attributes passed through the 'csv' shortcode. Specifically, authenticated users with Contributor-level permissions or higher can embed arbitrary JavaScript code within these attributes. When a page containing the malicious shortcode is accessed by any user, the injected script executes in their browser context, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of the victim. The vulnerability affects all versions of the plugin up to and including version 4.2. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. The impact primarily compromises confidentiality and integrity, without affecting availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. However, the vulnerability's nature and ease of exploitation by authenticated users make it a significant risk for WordPress sites using this plugin, especially those allowing multiple contributors or editors.

The vulnerability allows authenticated users with Contributor-level access or higher to inject persistent malicious scripts into WordPress pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of other users, and potential defacement or manipulation of website content. Since the injected scripts execute in the context of any user visiting the compromised page, including administrators, the confidentiality and integrity of the site and its users are at risk. Organizations relying on the CSV to SortTable plugin may face reputational damage, data breaches, and potential compliance violations if exploited. The scope of impact extends to any WordPress site using this plugin, particularly those with multiple contributors or editors, increasing the attack surface. Although availability is not directly affected, the indirect consequences of exploitation can disrupt normal operations and trust in the affected websites.

1. Immediate mitigation involves restricting Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious shortcode injection. 2. Site administrators should monitor and audit content created or edited by contributors for suspicious shortcode usage. 3. Implement a Web Application Firewall (WAF) with rules to detect and block malicious script patterns in shortcode attributes. 4. If possible, disable or remove the CSV to SortTable plugin until a security patch is released. 5. Encourage plugin developers or maintainers to release an update that properly sanitizes and escapes all user-supplied inputs in the shortcode. 6. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. 7. Educate contributors about safe content creation practices and the risks of embedding untrusted code. 8. Regularly back up website data to enable quick restoration in case of compromise. These steps go beyond generic advice by focusing on access control, monitoring, and layered defenses tailored to this specific plugin vulnerability.