Overview
CVE-2025-12660 is a security vulnerability affecting the Padlet Shortcode plugin for WordPress. Specifically, it’s a Stored Cross-Site Scripting (XSS) vulnerability found in versions up to and including 1.3. This flaw allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into pages. When other users, including administrators, visit these compromised pages, the injected scripts execute, potentially leading to account compromise, data theft, or other malicious activities.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of the ‘key’ parameter within the wallwisher shortcode. The plugin fails to properly validate and encode user-supplied attributes passed to this shortcode. This allows an attacker to inject arbitrary HTML and JavaScript code through the ‘key’ parameter. The vulnerable code resides in the wallwisher.php file.
Example Shortcode Usage (Vulnerable):
[wallwisher key="<script>alert('XSS');</script>"]The injected script will then be stored in the WordPress database and executed whenever a user views the page containing the malicious shortcode.
CVSS Analysis
- Severity: MEDIUM
- CVSS Score: 6.4
This CVSS score reflects the potential for significant impact due to the possibility of account compromise and data theft. Although the attacker needs to be authenticated, contributor-level access is often relatively easy to obtain, making this vulnerability a serious concern.
Possible Impact
Successful exploitation of this vulnerability can have severe consequences:
- Account Compromise: An attacker could hijack administrator accounts, gaining full control over the WordPress site.
- Data Theft: Sensitive information, such as user credentials or customer data, could be stolen.
- Malware Distribution: The injected script could redirect users to malicious websites or initiate drive-by downloads of malware.
- Defacement: The website could be defaced, damaging the site’s reputation.
Mitigation and Patch Steps
The most important step is to remove the ‘wallwisher-shortcode’ plugin. Since there is no patch or later version with the fix available from the developers, discontinuing use of this plugin is the only viable solution.
Important: After deactivating and deleting the plugin, carefully review your website content for any instances of the [wallwisher] shortcode. Manually remove these shortcodes from your posts and pages, as they may contain malicious code that persists even after the plugin is removed.
General WordPress Security Best Practices:
- Keep your WordPress core, themes, and plugins up to date.
- Use strong and unique passwords.
- Implement a web application firewall (WAF).
- Regularly scan your website for malware.
