CVE-2025-12885 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the WordPress plugin 'Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files' developed by awsmin. The vulnerability exists in all versions up to and including 2.7.10 due to inadequate sanitization and escaping of user-supplied input in the sanitize_pdf_src function. This function attempts to sanitize input URLs for embedded documents but contains a regex bypass that allows malicious JavaScript code to be injected and stored persistently within WordPress pages or posts. An attacker with Contributor-level access or higher can exploit this by embedding crafted payloads that execute arbitrary scripts in the context of any user viewing the infected page. The vulnerability does not require user interaction beyond page access and can compromise confidentiality and integrity by stealing cookies, session tokens, or performing actions on behalf of users. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially those allowing multiple contributors or editors. The flaw highlights the importance of robust input validation and output encoding in web applications, particularly in plugins handling embedded content.

The impact of CVE-2025-12885 on organizations worldwide can be significant, especially for those relying on the affected WordPress plugin to embed documents. Successful exploitation allows attackers with relatively low privileges (Contributor role) to inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to session hijacking, unauthorized actions performed with victim credentials, defacement, or distribution of malware. The confidentiality of user data and site integrity are at risk, potentially damaging organizational reputation and trust. Since WordPress powers a large portion of the web, including many business and government sites, the scope of affected systems is broad. The vulnerability can be exploited remotely over the network without user interaction, increasing the risk of automated or targeted attacks. Organizations with multi-user WordPress environments, especially those with contributors or editors, face higher exposure. Although no known exploits are currently in the wild, the medium severity score and ease of exploitation warrant prompt attention to prevent future attacks.

To mitigate CVE-2025-12885, organizations should immediately update the 'Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files' plugin to a patched version once released by the vendor. Until a patch is available, administrators should restrict Contributor-level access or higher to trusted users only, minimizing the risk of malicious content injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in document embed URLs can provide interim protection. Site owners should audit existing pages and posts for suspicious embedded content and remove any unauthorized scripts. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the domains from which scripts can be loaded, reducing the impact of injected scripts. Regularly review user roles and permissions to enforce the principle of least privilege. Additionally, security teams should monitor logs for unusual activity related to document embedding or script execution. Finally, educating content contributors about safe practices and the risks of embedding untrusted content can help prevent exploitation.