CVE-2025-12885 is a stored Cross-Site Scripting vulnerability identified in the WordPress plugin 'Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files' developed by awsmin. The vulnerability stems from improper neutralization of input during web page generation, specifically due to a regex bypass in the sanitize_pdf_src function that fails to adequately sanitize and escape user input. This flaw allows authenticated attackers with at least Contributor-level privileges to inject arbitrary JavaScript code into pages where documents are embedded. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability affects all plugin versions up to and including 2.7.10. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. Although no public exploits have been reported, the risk is significant given the common use of this plugin in WordPress environments. The vulnerability is particularly concerning because Contributor-level users are often trusted content creators, making exploitation feasible without elevated administrative rights. The flaw highlights the importance of robust input validation and output encoding in web applications, especially those handling embedded content. Organizations relying on this plugin should monitor for updates and consider temporary mitigations such as restricting Contributor permissions or disabling document embedding until patched.

For European organizations, this vulnerability poses a risk of unauthorized script execution on websites using the affected plugin, potentially leading to session hijacking, data theft, defacement, or unauthorized actions performed in the context of legitimate users. Since the attack requires authenticated Contributor-level access, insider threats or compromised contributor accounts could be leveraged to exploit this vulnerability. The impact is heightened for organizations with public-facing WordPress sites that embed documents for clients, partners, or employees, as malicious scripts could affect a broad user base. Confidentiality and integrity of user data and site content may be compromised, undermining trust and potentially leading to reputational damage and regulatory consequences under GDPR if personal data is exposed. Availability is not directly impacted, but indirect effects such as site defacement or user lockout could occur. The medium severity score suggests a moderate but actionable risk, especially for sectors with high web presence like e-commerce, media, education, and government services in Europe.

1. Monitor the plugin vendor’s official channels for security updates and apply patches immediately once available. 2. Until a patch is released, restrict Contributor-level permissions to trusted users only and audit existing Contributor accounts for suspicious activity. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection patterns related to document embedding URLs. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 5. Conduct regular security reviews and code audits of customizations involving document embedding. 6. Consider disabling the 'Embed Any Document' plugin temporarily if the risk is unacceptable and no patch is available. 7. Educate content contributors about the risks of uploading or embedding untrusted documents or scripts. 8. Use security plugins that provide XSS protection and input sanitization enhancements for WordPress. 9. Monitor logs for unusual activities related to document embedding or Contributor user actions. 10. Maintain regular backups of website content to enable recovery in case of compromise.