CVE-2025-12880: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jobayer534 Progress Bar Blocks for Gutenberg
The Progress Bar Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
AI Analysis
Technical Summary
CVE-2025-12880 is a stored cross-site scripting (XSS) vulnerability in the Progress Bar Blocks for Gutenberg plugin for WordPress, which adds progress bar blocks to Gutenberg-based sites. It is an instance of improper neutralization of input during web page generation (CWE-79): the plugin does not adequately sanitize uploaded SVG files or escape their output, so an authenticated user with Author-level access or higher can upload an SVG that carries embedded JavaScript. When a user accesses the uploaded SVG file in the browser, that script runs in the site's origin in the context of the viewing user, so it can steal cookies, hijack the session, or perform actions on that user's behalf. (Script inside an SVG that is only displayed through an <img> tag does not run; the exposure is the file served and opened as a document.) All versions up to and including 1.0.0 are affected.

The CVSS v3.1 base score is 5.4 (medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: network-reachable, low attack complexity, low privileges (Author level), user interaction required, changed scope, with low confidentiality and integrity impact and no availability impact. No patch or official fix is currently available, and no exploitation in the wild has been reported.

Because exploitation needs an authenticated Author or higher, the attack surface is limited, but the risk is still significant on multi-user sites where authors can upload media. The issue underlines the need for proper input validation and output encoding when handling user-uploaded SVG, which is an XML document format that can legitimately contain script.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the vulnerable Progress Bar Blocks for Gutenberg plugin installed. Exploitation can lead to session hijacking, unauthorized actions, and potential data leakage through the execution of malicious scripts in users' browsers. This can undermine user trust, lead to data breaches involving personal data protected under GDPR, and cause reputational damage. Organizations with multi-author WordPress sites, such as media companies, educational institutions, and e-commerce platforms, are particularly at risk since attackers need Author-level access to exploit the vulnerability. The vulnerability does not directly affect availability but compromises confidentiality and integrity of user sessions and data. Given the widespread use of WordPress across Europe, the impact could be significant if exploited at scale, especially in countries with high WordPress market penetration and large online user bases.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations for the presence of the Progress Bar Blocks for Gutenberg plugin and restrict Author-level privileges to trusted users only. Since no official patch is currently available, organizations should consider temporarily disabling or removing the plugin to eliminate the attack vector. Implement strict SVG upload policies, such as disabling SVG uploads or using plugins that sanitize SVG files to remove embedded scripts. Employ Web Application Firewalls (WAFs) with rules to detect and block malicious SVG payloads and suspicious script execution patterns. Monitor user activity logs for unusual upload behavior or privilege escalations. Educate content authors about the risks of uploading untrusted SVG files. Once a patch becomes available, apply it promptly. Additionally, implement Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS attacks.
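As an added example (not the plugin's code, and not a substitute for a proper sanitizer), a small Python audit that flags the SVG constructs the recommendations above are concerned with: script and foreign-content elements, event-handler attributes, and javascript:/data: hrefs. The sample documents are constructed for illustration; scan_uploads assumes you point it at a WordPress uploads tree such as wp-content/uploads.

```python
"""Offline audit of SVG uploads for active content (added example; not the plugin's code)."""
from pathlib import Path
import xml.etree.ElementTree as ET

# Elements that execute script or embed foreign (HTML) content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URI schemes that make an href executable when the SVG is opened directly in a browser.
ACTIVE_SCHEMES = ("javascript:", "data:", "vbscript:")

def local_name(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qname.split("}", 1)[1] if qname.startswith("{") else qname

def audit_svg(svg_text: str) -> list[str]:
    """Return findings for one SVG document; an empty list means no active content was seen.
    A file that does not parse as XML is itself a finding: nothing can vouch for content it cannot parse."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        tag = local_name(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = local_name(attr)
            if name.lower().startswith("on"):  # onload, onclick, onbegin, ... event handlers
                findings.append(f"{name} event handler on <{tag}>")
            elif name.lower() == "href" and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(f"{value.strip().split(':', 1)[0]}: URI in href on <{tag}>")
    return findings

def scan_uploads(directory: str) -> dict[str, list[str]]:
    """Audit every .svg below a directory tree (e.g. wp-content/uploads); return only files with findings."""
    hits: dict[str, list[str]] = {}
    for path in Path(directory).rglob("*.svg"):
        found = audit_svg(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed samples for illustration; not files taken from any real site.
CLEAN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="100" height="8">'
             '<rect width="60" height="8" fill="#3b82f6"/></svg>')
SCRIPT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>'
HANDLER_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               '<a xlink:href="javascript:void(0)"><rect onload="void 0" width="1" height="1"/></a></svg>')
```

Files the audit flags should be quarantined and reviewed rather than deleted outright, since a legitimate progress-bar graphic will never need any of these constructs but a false positive is cheap to confirm by hand.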
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-07T16:10:05.480Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912b13414bc3e00ba783de6
Added to database: 11/11/2025, 3:44:52 AM
Last enriched: 11/11/2025, 4:01:52 AM
Last updated: 11/11/2025, 4:36:33 AM