CVE-2025-12118: 
WordPress vulnerability analysis and mitigation

The Schema Scalpel WordPress plugin contains a Stored Cross-Site Scripting vulnerability (CVE-2025-12118) affecting all versions up to and including 1.6.1. The vulnerability was discovered and reported by Wordfence, with public disclosure on October 31, 2025. The issue exists due to insufficient input sanitization and output escaping when handling user-supplied data in JSON-LD schema markup (NVD CVE).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 6.4 (Medium). The technical issue stems from improper sanitization of post titles when outputting them into JSON-LD schema markup. The vulnerability has been assigned the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges (NVD CVE, Wordfence Report).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to data theft, session hijacking, or other client-side attacks (NVD CVE).

A security fix has been implemented in the project repository that includes sanitizing page titles using sanitize_text_field() before JSON encoding and implementing wp_json_encode() with JSON_HEX_* flags for safe output escaping (GitHub Commit).