CVE-2025-12880 is a stored cross-site scripting vulnerability identified in the Progress Bar Blocks for Gutenberg plugin for WordPress, affecting all versions up to and including 1.0.0. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of SVG file uploads. Authenticated users with Author-level access or higher can upload crafted SVG files containing malicious JavaScript code. When these SVG files are rendered on pages viewed by other users, the embedded scripts execute in the context of the victim's browser, potentially allowing session hijacking, privilege escalation, or unauthorized actions within the affected WordPress site. The vulnerability requires authentication and user interaction (viewing the malicious SVG), limiting its exploitation scope but still posing a significant risk, especially in multi-user environments. The CVSS 3.1 base score of 5.4 reflects a medium severity, with network attack vector, low attack complexity, privileges required, and user interaction necessary. No patches or public exploits are currently available, highlighting the need for proactive mitigation. This vulnerability is categorized under CWE-79, indicating a classic cross-site scripting flaw. The issue is particularly relevant for WordPress sites that allow SVG uploads via this plugin, which is used to create progress bar blocks in Gutenberg editor pages.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted WordPress environments, compromising user sessions, leaking sensitive information, or enabling further attacks such as privilege escalation or defacement. Organizations relying on WordPress for public-facing or internal sites that use the Progress Bar Blocks for Gutenberg plugin are at risk of targeted attacks by malicious insiders or compromised accounts with Author-level privileges. The impact on confidentiality and integrity is moderate, as attackers can inject scripts that may steal cookies or manipulate content, but availability is not directly affected. The requirement for authenticated access limits mass exploitation but does not eliminate risk in environments with multiple content editors or contributors. Given the widespread use of WordPress across Europe, especially in sectors like media, education, and government, exploitation could undermine trust and lead to reputational damage or regulatory scrutiny under GDPR if personal data is exposed.

European organizations should immediately audit their WordPress installations for the presence of the Progress Bar Blocks for Gutenberg plugin and restrict SVG file uploads to trusted users only. Implement strict input validation and sanitization on SVG uploads, possibly by disabling SVG uploads entirely if not required. Employ Content Security Policy (CSP) headers to limit script execution contexts and reduce XSS impact. Regularly review user roles and permissions to minimize the number of users with Author-level or higher access. Monitor logs for unusual upload activity or script execution attempts. Since no official patch is currently available, consider temporarily disabling or removing the vulnerable plugin until a fix is released. Additionally, educate content editors about the risks of uploading untrusted files and enforce multi-factor authentication to reduce the risk of compromised accounts. Finally, keep WordPress core and all plugins updated to benefit from future security patches.