CVE-2025-12904 identifies a stored Cross-Site Scripting (XSS) vulnerability in the SNORDIAN's H5PxAPIkatchu plugin for WordPress, present in all versions up to and including 0.4.17. The vulnerability arises from insufficient sanitization and escaping of user-supplied input submitted via the 'insert_data' AJAX endpoint. Because the endpoint does not properly neutralize malicious input, attackers can inject arbitrary JavaScript code that is stored persistently on the server. When any user accesses a page containing the injected script, the malicious code executes in their browser context. This can lead to theft of authentication cookies, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of the user. The vulnerability requires no authentication or user interaction to exploit, increasing its risk. The CVSS 3.1 score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) indicates network exploitable, low attack complexity, no privileges or user interaction needed, with a scope change and partial confidentiality and integrity impact but no availability impact. Although no known exploits are reported, the widespread use of WordPress and the plugin's presence in multiple sites make this a significant threat. No official patches or updates have been published at the time of disclosure, necessitating immediate defensive actions.

The impact of this vulnerability is significant for organizations running WordPress sites with the SNORDIAN's H5PxAPIkatchu plugin. Successful exploitation allows attackers to execute arbitrary scripts in users' browsers, potentially leading to credential theft, session hijacking, defacement, or distribution of malware. This compromises the confidentiality and integrity of user data and site content. Since the vulnerability is exploitable without authentication or user interaction, automated attacks and widespread exploitation campaigns are feasible. For organizations, this can result in reputational damage, loss of customer trust, regulatory penalties due to data breaches, and operational disruptions if attackers leverage the vulnerability for further compromise. E-commerce, government, and high-traffic websites are particularly at risk. The scope of affected systems is broad due to the plugin's availability and WordPress's global market share, increasing the likelihood of targeted attacks.

1. Immediately audit all WordPress installations to identify the presence of the SNORDIAN's H5PxAPIkatchu plugin and its version. 2. If possible, disable or uninstall the plugin until a secure patched version is released. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'insert_data' AJAX endpoint, focusing on script injection patterns. 4. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 5. Monitor web server and application logs for unusual requests or payloads targeting the vulnerable endpoint. 6. Educate site administrators about the risk and encourage prompt updates once a patch is available. 7. Consider deploying runtime application self-protection (RASP) solutions to detect and block XSS attacks in real time. 8. Review and harden input validation and output encoding practices in custom code interacting with the plugin. 9. Regularly back up website data to enable quick recovery if compromise occurs. 10. Coordinate with the plugin vendor and WordPress security community for updates and advisories.