CVE-2025-6012 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Auto Attachments plugin for WordPress, developed by kaisercrazy. This vulnerability exists in all versions up to and including 1.8.5. The root cause is insufficient input sanitization and output escaping in the plugin's handling of admin settings, which allows authenticated users with administrator-level permissions or higher to inject arbitrary JavaScript code into pages. These malicious scripts execute whenever any user accesses the compromised page. The vulnerability specifically affects WordPress multi-site installations or single-site installations where the 'unfiltered_html' capability has been disabled, limiting the ability of administrators to input raw HTML. The CVSS v3.1 base score is 5.5, indicating a medium severity level. The attack vector is network-based (remote), but requires high complexity due to the need for administrator privileges and no user interaction is required for exploitation once the malicious script is injected. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. The impact includes low confidentiality, integrity, and availability losses, as the injected scripts can steal session cookies, perform actions on behalf of users, or deface content, but only within the context of the affected WordPress sites. There are no known exploits in the wild at the time of publication, and no official patches have been released yet. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation leading to XSS.

For European organizations using WordPress with the Auto Attachments plugin, especially in multi-site configurations or with restricted HTML capabilities, this vulnerability poses a risk of persistent XSS attacks. Attackers with administrator access can inject malicious scripts that execute in the browsers of site visitors or other administrators, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. This can compromise the confidentiality of sensitive data, integrity of website content, and availability if the injected scripts disrupt normal operations. Given WordPress's widespread use in Europe for corporate websites, e-commerce, and public sector portals, exploitation could lead to reputational damage, regulatory non-compliance (e.g., GDPR breaches due to data exposure), and financial losses. The requirement for administrator-level access limits the risk to insider threats or attackers who have already compromised admin credentials, but the multi-site context increases the potential impact by affecting multiple sites under one installation. The lack of user interaction needed for script execution means that once injected, any visitor to the affected pages is at risk. Organizations with high-value targets or sensitive data hosted on WordPress multi-sites should consider this vulnerability significant despite its medium CVSS score.

1. Immediate mitigation should include restricting administrator access to trusted personnel only and enforcing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 2. Review and audit all administrator-level accounts and their recent activities to detect any unauthorized changes or script injections. 3. Temporarily disable or restrict the use of the Auto Attachments plugin in multi-site environments until a patch is available. 4. Implement Web Application Firewall (WAF) rules specifically targeting known XSS payload patterns related to this plugin to block malicious requests. 5. Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the affected sites. 6. Monitor logs for unusual admin setting changes or injection attempts. 7. Once available, promptly apply official patches or updates from the plugin vendor. 8. Educate administrators on secure input handling and the risks of XSS vulnerabilities. 9. For organizations unable to immediately patch, consider isolating multi-site installations or limiting the use of unfiltered_html capabilities to reduce attack surface.