CVE-2025-10129: 
WordPress vulnerability analysis and mitigation

The WordPress Live Webcam Widget & Shortcode plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-10129) affecting all versions up to and including 1.2. The vulnerability was discovered and disclosed on October 10, 2025. This security issue affects the plugin's 'webcam' shortcode functionality and impacts WordPress installations using the vulnerable plugin versions (NVD CVE, Wordfence Intel).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'webcam' shortcode. The issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to theft of sensitive information or manipulation of page content (NVD CVE).

Users should update to a version newer than 1.2 when available. Until a patch is released, site administrators should consider restricting access to the plugin's functionality to trusted users only or temporarily disabling the plugin (Wordfence Intel).