CVE-2025-6012: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kaisercrazy Auto Attachments
The Auto Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Analysis
Technical Summary
CVE-2025-6012 is a stored cross-site scripting vulnerability (CWE-79) in the Auto Attachments plugin for WordPress by kaisercrazy, affecting all versions up to and including 1.8.5. The plugin saves values submitted through its admin settings page without adequate sanitization and prints them back into generated pages without output escaping, so an authenticated user with administrator-level permissions can persist a script payload in the plugin's settings; the script then runs in the browser of every user who loads an affected page. The precondition on multi-site installations and on sites where unfiltered_html has been disabled is what makes this a security boundary rather than expected behaviour. On a standard single-site install an administrator already holds the unfiltered_html capability and can legitimately place arbitrary HTML and script in content, so there is nothing to escalate. On a multisite network only the super admin holds unfiltered_html, and on a single site it can be withheld with the DISALLOW_UNFILTERED_HTML constant; in both cases a site administrator is not supposed to be able to run script in other users' browsers, and this flaw lets them do so, including against super admins who visit the affected site. The CVSS 3.1 vector recorded for the issue is AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L (network attack vector, high attack complexity, high privileges required, no user interaction, changed scope, low confidentiality, integrity and availability impact). At the time of this analysis no fixed release had been published and no exploitation in the wild was known. The CVE was reserved and published in June 2025 with Wordfence as the assigning CNA.
Potential Impact
The primary impact is persistent script execution in the browsers of users who visit the affected pages. Because the payload lives in the plugin's stored settings it survives until the setting is cleaned, and it fires for every visitor, including the super admin or network administrators who review the site. In a multisite network that is the real escalation path: a site-level administrator who should not be able to run script can drive a network administrator's browser session to perform actions only the super admin is allowed to take, such as network-wide plugin, theme or user changes, and the changed scope (S:C) in the vector reflects that the damage is not confined to the subsite where the payload was stored. Outright session theft is less likely than the generic description suggests, since WordPress sets its authentication cookies HttpOnly; the practical abuse is issuing authenticated requests from the victim's browser with the victim's privileges and nonces rather than exfiltrating cookies. The availability impact is low: defacement or broken pages rather than a denial of service. The installations at risk are those that rely on the unfiltered_html restriction as a boundary, that is multisite networks and single sites with DISALLOW_UNFILTERED_HTML set, running Auto Attachments 1.8.5 or earlier. No exploitation in the wild is known, and the high privilege requirement limits the attacker population to existing administrators, but that is exactly the population a multisite operator is trying to contain.
Mitigation Recommendations
First determine whether any installation is in scope. The issue only matters where administrators do not hold unfiltered_html, so for each WordPress install check three things: whether Auto Attachments is installed at version 1.8.5 or earlier (with wp-cli, wp plugin list, run per subsite on a network after enumerating sites with wp site list), whether the install is a multisite network, and whether DISALLOW_UNFILTERED_HTML is defined in wp-config.php. On a standard single site whose administrators already have unfiltered_html the finding does not change the threat model, because those users can already publish script.

Where a site is in scope and no fixed release is available, deactivating the plugin network-wide is the only control that removes the issue. If the plugin must stay, treat its settings as untrusted: review the stored options for script fragments or attribute breakouts, record who holds the administrator role on each subsite, and alert on changes to the plugin's settings. Be realistic about the usual compensating controls. A WAF rule on the settings page has limited value because the attacker is an authenticated administrator submitting an otherwise normal settings update, and rules that block angle brackets will also block legitimate values; a Content Security Policy can stop an injected inline script only if it relies on nonces or hashes rather than 'unsafe-inline', and wp-admin depends on inline scripts, so a strict policy there must be tested before it is enforced. Super admins should avoid browsing subsites they do not fully trust until the plugin is fixed or removed. Apply the vendor fix as soon as it is published, then re-check the stored settings, since updating the code does not clear a payload that has already been saved, and keep the administrator list on every subsite as short as possible.
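The following Python script is an added example that ties together the two points above: the version and scope check from the technical summary (the flaw is only a boundary crossing where administrators lack unfiltered_html) and the "review the stored settings" step from the mitigation list. It is not code from the Auto Attachments plugin, from Wordfence, or from this page. It assumes the site's options have been exported from wp_options (for example with wp option list --format=json) into rows with option_name and option_value keys; the option names, the serialized value and the payload in SAMPLE_OPTIONS are constructed for illustration, and the real plugin's option names are not known here. The last function shows the bug class beside its fix: a setting echoed verbatim into an attribute versus the same value escaped the way esc_attr() would escape it.

```python
"""Audit helpers for a stored-XSS-in-plugin-settings issue such as CVE-2025-6012.

Added example; not code from the Auto Attachments plugin, from Wordfence,
or from the advisory page. Assumes an export of wp_options as a list of
{"option_name": ..., "option_value": ...} rows. All names and values below
are constructed for illustration.
"""
import html
import re

# Per the advisory, every release up to and including 1.8.5 is affected.
LAST_AFFECTED_VERSION = (1, 8, 5)

# Markers that have no business in a plain-text plugin setting.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*script\b"                    # opening or closing script tag
    r"|javascript\s*:"                      # javascript: URLs in href/src
    r"|\bon[a-z]+\s*="                      # inline event handlers (onfocus=, onerror=, ...)
    r"|<\s*(?:iframe|svg|object|embed)\b"   # other script-bearing elements
    r"|srcdoc\s*=",
    re.IGNORECASE,
)

# Constructed sample of a wp_options export, not data from any real site.
# Option names are hypothetical; the real plugin's option names are not known here.
SAMPLE_OPTIONS = [
    {"option_name": "siteurl", "option_value": "https://example.test"},
    {"option_name": "auto_attachments_version", "option_value": "1.8.5"},
    {
        "option_name": "auto_attachments_options",
        # PHP serialize() output; the "label" field carries an attribute-breakout payload.
        "option_value": 'a:2:{s:5:"label";s:48:"Files" autofocus onfocus="alert(document.domain)";'
                        's:5:"limit";s:2:"10";}',
    },
]


def parse_version(version: str) -> tuple:
    """Turn '1.8.5' (or '1.8.5-beta') into a comparable tuple of ints."""
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True for any version at or below the last affected release."""
    return parse_version(version) <= LAST_AFFECTED_VERSION


def in_scope(is_multisite: bool, disallow_unfiltered_html: bool) -> bool:
    """The advisory only matters where administrators lack unfiltered_html:
    multisite networks (only super admins hold it) or single sites with
    DISALLOW_UNFILTERED_HTML set. Elsewhere an admin can already run script."""
    return is_multisite or disallow_unfiltered_html


def find_suspicious_settings(rows, name_prefix="auto_attachments"):
    """Scan exported option rows for script-like content in this plugin's settings.
    Returns (option_name, matched_text) pairs; serialized arrays are scanned as text."""
    hits = []
    for row in rows:
        if not row.get("option_name", "").startswith(name_prefix):
            continue
        for match in SUSPICIOUS.finditer(row.get("option_value", "")):
            hits.append((row["option_name"], match.group(0)))
    return hits


def render_setting_input(name: str, value: str, escape: bool = True) -> str:
    """Render a settings field as an admin page would. escape=False reproduces
    the bug class (value echoed verbatim into an attribute); escape=True is the
    fix, the same transformation WordPress's esc_attr() applies at output time."""
    shown = html.escape(value, quote=True) if escape else value
    return f'<input type="text" name="{name}" value="{shown}">'


if __name__ == "__main__":
    print("affected:", is_affected("1.8.5"), "in scope:", in_scope(True, False))
    for name, fragment in find_suspicious_settings(SAMPLE_OPTIONS):
        print(f"suspicious content in {name}: {fragment!r}")
    payload = 'Files" autofocus onfocus="alert(document.domain)'
    print(render_setting_input("label", payload, escape=False))
    print(render_setting_input("label", payload))
```

The scanner deliberately works on the raw serialized text rather than unserializing it, so it also catches payloads hidden in array keys or in values whose declared lengths have been tampered with. The version check treats a two-component version such as 1.8 as affected, which is the safe direction; the escaping shown is the output-time half of the fix, and a plugin should additionally sanitize the value when it is saved (sanitize_text_field() is the WordPress function for plain-text settings).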
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-11T18:57:35.138Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 684bd490a8c9212743802d9c
Added to database: 6/13/2025, 7:34:40 AM
Last enriched: 2/27/2026, 3:53:51 PM
Last updated: 3/24/2026, 7:47:19 PM