CVE-2025-12667

Root

Cause The GitHub Gist Shortcode Plugin for WordPress, in all versions up to and including 0.2, suffers from a stored cross-site scripting (XSS) vulnerability. The plugin fails to properly sanitize user-supplied input and escape output when processing the 'id' parameter of the 'gist' shortcode. This allows malicious input to be rendered as executable JavaScript within the page context [1].

Exploitation

To exploit this vulnerability, an attacker must first obtain authenticated access as a user with at least Contributor-level permissions. This role is lower than Administrator, making it a more common attack surface. The attacker then submits content containing a crafted 'gist' shortcode with malicious JavaScript embedded in the 'id' parameter. Because the plugin does not sanitize or escape the parameter, the injected script is stored on the server and executed each time any user views the compromised page. No additional user interaction is required beyond visiting the page [1].

Impact

Successful exploitation allows the attacker to execute arbitrary web scripts in the context of the affected site. This can lead to theft of session cookies, redirection to malicious sites, defacement, or other actions that compromise the integrity and confidentiality of the WordPress installation. The scope of impact is limited to the browser session of users who access the infected page [1].

Mitigation

The plugin has been closed as of November 7, 2025, and is no longer available for download [1]. Users are strongly advised to remove the vulnerable plugin from their WordPress installations. As a workaround, administrators may implement a web application firewall rule to block requests containing malicious shortcode parameters, though complete remediation requires uninstalling the plugin.