Critical Security Alert: Stored XSS Vulnerability Found in VK All in One Expansion Unit WordPress Plugin (CVE-2025-11265)

Overview

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the VK All in One Expansion Unit plugin for WordPress. This vulnerability, tracked as CVE-2025-11265, affects versions up to and including 9.112.1. Successful exploitation of this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses the compromised page.

Technical Details

The vulnerability lies within the plugin’s call-to-action (CTA) functionality. Specifically, the ‘vkExUnit_cta_url’ and ‘vkExUnit_cta_button_text’ parameters are susceptible to XSS injection. The root cause is a logic error in the CTA save function. The code incorrectly reads sanitization callbacks from the $custom_field_name variable instead of the correct $custom_field_options variable. This results in the sanitization process being skipped entirely, leaving the input fields vulnerable to malicious script injection.
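To make that logic error concrete, here is an added PHP illustration of the bug class; it is not the plugin's own code, and the field definitions, sample submission and the two save loops are constructed for this example. The WordPress sanitizers are replaced by labelled stand-ins that only approximate esc_url_raw() and sanitize_text_field(), so the script runs outside WordPress.

```php
<?php
// Added illustration of the bug class described above; this is NOT the plugin's code.
// Stand-ins for WordPress esc_url_raw() / sanitize_text_field() so it runs without WP.
function sanitize_url_stub( $v ) {
    $v = trim( (string) $v );
    // only http(s) accepted; then drop markup, quote, whitespace and control characters
    return preg_match( '#^https?://#i', $v ) ? preg_replace( '/[<>"\'\s\x00-\x1f\x7f]/', '', $v ) : '';
}
function sanitize_text_stub( $v ) { return trim( strip_tags( (string) $v ) ); }

// Field definitions (constructed): field name => options, one sanitizer per field.
$cta_fields = array(
    'vkExUnit_cta_url'         => array( 'sanitize_callback' => 'sanitize_url_stub' ),
    'vkExUnit_cta_button_text' => array( 'sanitize_callback' => 'sanitize_text_stub' ),
);

// Vulnerable save loop: the callback is looked up on $custom_field_name, a string.
// isset() on a non-numeric string offset is simply false, so no warning is raised
// and every submitted value is stored verbatim.
function save_cta_vulnerable( array $fields, array $post ) {
    $saved = array();
    foreach ( $fields as $custom_field_name => $custom_field_options ) {
        $value = $post[ $custom_field_name ] ?? '';
        if ( isset( $custom_field_name['sanitize_callback'] ) ) { // BUG: wrong variable
            $value = call_user_func( $custom_field_name['sanitize_callback'], $value );
        }
        $saved[ $custom_field_name ] = $value;
    }
    return $saved;
}

// Fixed save loop: the callback is read from $custom_field_options, which holds it.
function save_cta_fixed( array $fields, array $post ) {
    $saved = array();
    foreach ( $fields as $custom_field_name => $custom_field_options ) {
        $value = $post[ $custom_field_name ] ?? '';
        if ( isset( $custom_field_options['sanitize_callback'] ) ) {
            $value = call_user_func( $custom_field_options['sanitize_callback'], $value );
        }
        $saved[ $custom_field_name ] = $value;
    }
    return $saved;
}
// Constructed sample submission with markup in both CTA fields.
$post = array(
    'vkExUnit_cta_url'         => 'http://example.invalid/?q=<b>x</b>',
    'vkExUnit_cta_button_text' => 'Click <b>here</b>',
);
var_dump( save_cta_vulnerable( $cta_fields, $post ) ); // both values stored unchanged
var_dump( save_cta_fixed( $cta_fields, $post ) );      // url => 'http://example.invalid/?q=bx/b', text => 'Click here'
```

The vulnerable loop never raises an error, which is why a wrong variable name in a sanitization lookup can pass unnoticed: the check fails closed for the attacker's benefit rather than for the site's.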

The relevant code snippets where the vulnerability manifests are located at:

CVSS Analysis

This vulnerability has been assigned a CVSS score of 6.4 (Medium).

  • CVSS Vector (approximate; inferred from the published details rather than quoted from the official advisory): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Possible Impact

A successful XSS attack can have significant consequences:

  • Account Takeover: An attacker could potentially steal a user’s session cookie and hijack their account.
  • Malware Distribution: Malicious scripts could be injected to redirect users to websites hosting malware.
  • Defacement: An attacker could modify the content of the affected pages, defacing the website.
  • Data Theft: Sensitive information, such as user credentials or personal data, could be harvested.

Mitigation or Patch Steps

The vulnerability has been addressed in subsequent versions of the VK All in One Expansion Unit plugin. It is strongly recommended that all users update to the latest version of the plugin as soon as possible. You can update the plugin through the WordPress admin dashboard.

The fix was implemented in this changeset: Plugin Changeset

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
