Overview
This article details a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-11800, affecting the Surbma | MiniCRM Shortcode plugin for WordPress. Versions up to and including 2.0 are vulnerable. This vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into pages and posts. This code executes whenever a user views the affected page, potentially leading to account compromise, data theft, or other malicious activities.
Technical Details
The vulnerability resides in the way the plugin handles the id attribute of the [minicrm] shortcode. The plugin fails to properly sanitize user-supplied input for this attribute and doesn’t escape the output when rendering the shortcode on a page. An attacker can inject arbitrary HTML and JavaScript code into the id attribute. For example:
[minicrm id="<script>alert('XSS Vulnerability!');</script>"]
When this shortcode is processed, the injected script will be executed in the user’s browser whenever they view the page containing the shortcode.
The vulnerable code can be seen in the surbma-minicrm-shortcode.php file.
CVSS Analysis
- CVE ID: CVE-2025-11800
- Severity: MEDIUM
- CVSS Score: 6.4
A CVSS score of 6.4 indicates a medium severity vulnerability. While not requiring direct user interaction beyond viewing the page, the potential impact is significant due to the ability to execute arbitrary code in a user’s browser.
Possible Impact
Successful exploitation of this vulnerability can have significant consequences, including:
- Account Takeover: An attacker can potentially steal administrator cookies and take over their account.
- Data Theft: Sensitive data displayed on the affected page can be stolen.
- Malware Distribution: The injected script can redirect users to malicious websites or install malware.
- Defacement: The injected script can alter the appearance of the page, defacing the website.
Mitigation & Patch Steps
The best course of action is to take one of the following steps:
- Update the Plugin: If an updated version of the Surbma | MiniCRM Shortcode plugin is available, update immediately. The updated version should contain a fix for this vulnerability. Check the WordPress plugin repository or the plugin developer’s website for updates.
- Remove the Plugin: If an update is not available, consider removing the plugin entirely until a patched version is released.
- Manual Code Review & Sanitization (Advanced): If you are comfortable with PHP code, you can attempt to manually sanitize the id attribute input and properly escape the output within the plugin’s code. However, this is not recommended unless you are an experienced developer, as an incorrect implementation can lead to further security issues. Look for the code handling the id attribute within the [minicrm] shortcode function (likely in surbma-minicrm-shortcode.php) and ensure proper sanitization using functions like sanitize_text_field() and proper escaping using functions like esc_attr() or esc_html().
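As an added example (not the plugin's own code), the following shows a hypothetical shortcode handler in the vulnerable shape described above next to a hardened version that applies the sanitize-then-escape steps listed in the mitigation. The function names and the assumption that a MiniCRM form id is numeric are mine, and the code assumes the WordPress runtime for shortcode_atts(), sanitize_text_field(), esc_attr() and add_shortcode().

```php
<?php
// Added example for the mitigation section; not code from the Surbma | MiniCRM
// Shortcode plugin. Requires the WordPress runtime.

// Hypothetical vulnerable pattern: the attribute value is copied straight
// into the rendered markup with no sanitization and no output escaping.
function example_minicrm_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'minicrm' );
    // Whatever a contributor typed into id="..." is stored with the post
    // and emitted verbatim to every viewer of the page.
    return '<div class="minicrm-form" id="' . $atts['id'] . '"></div>';
}

// Hardened version: sanitize the input, validate it against the shape a
// legitimate id should have, then escape for the attribute context at output.
function example_minicrm_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'minicrm' );

    // Step 1: sanitize. sanitize_text_field() strips tags, invalid UTF-8,
    // percent-encoded octets and line breaks. On its own it is not enough:
    // a double quote survives it, so a value that closes the attribute and
    // starts a new one would still get through without step 3.
    $id = sanitize_text_field( $atts['id'] );

    // Step 2: validate (assumption: a MiniCRM form id is a decimal number;
    // adjust the pattern to the real id format). Anything else renders nothing.
    if ( ! preg_match( '/^[0-9]+$/', $id ) ) {
        return '';
    }

    // Step 3: escape for an HTML attribute. esc_attr() encodes quotes, angle
    // brackets and ampersands, so the value cannot break out of id="...".
    return '<div class="minicrm-form" id="' . esc_attr( $id ) . '"></div>';
}

// Register only the hardened handler for the [minicrm] tag.
add_shortcode( 'minicrm', 'example_minicrm_shortcode_hardened' );
```

Escaping at the output point (step 3) is the change that actually neutralizes the injection described above; sanitization and validation reduce the attack surface but do not replace it.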
