CVE-2025-12660

Name of the Vulnerable Software and Affected Versions Padlet Shortcode plugin for WordPress versions prior to 1.4

Description The software contains a Stored Cross-Site Scripting issue due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. The vulnerability exists via the key parameter in the 'wallwisher' shortcode.

Recommendations Update the Padlet Shortcode plugin to version 1.4 or later.