Overview
CVE-2025-11803 identifies a Stored Cross-Site Scripting (XSS) vulnerability found in the WPSite Shortcode plugin for WordPress. This vulnerability affects all versions up to and including 1.2. It allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into website pages. When a user visits the injected page, the malicious script executes, potentially leading to account compromise, data theft, or other harmful actions.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping within the plugin’s shortcode functionality. Specifically, the ‘format’ attribute in the wpsite_y shortcode and the ‘before’ attribute in the wpsite_postauthor shortcode are susceptible. An attacker can inject malicious code through these attributes, which is then stored in the WordPress database. The code is rendered unsafely in error messages when these shortcodes are used improperly, leading to XSS when the page is viewed.
Relevant code snippets from the vulnerable plugin (version 1.2) demonstrate the lack of proper sanitization:
// Vulnerable code example (wpsite_date.php) - simplified for illustration
function wpsite_y_shortcode( $atts ) {
$a = shortcode_atts( array(
'format' => 'Y',
), $atts );
$format = $a['format'];
if ( empty($format) ) {
// Vulnerable output in error case: No sanitization here.
return "Error: Format attribute is required.";
}
return date($format);
}
function wpsite_postauthor_shortcode( $atts ) {
$a = shortcode_atts( array(
'before' => 'By ',
), $atts );
$before = $a['before'];
// Vulnerable output in error case: No sanitization here.
if ( empty(get_the_author()) ) {
return "Error: Before attribute is required.";
}
return $before . get_the_author();
}
CVSS Analysis
- CVSS Score: 6.4 (Medium)
- Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Explanation: This score reflects the moderate severity of the vulnerability. While the attacker needs to be authenticated with at least contributor-level access (PR:L), the attack requires user interaction (UI:R) to trigger the XSS. The impact includes limited confidentiality and integrity compromise (C:L, I:L) with no impact on availability (A:N). The scope is changed (S:C) because the attacker can execute code in the context of another user.
Possible Impact
Successful exploitation of this vulnerability can lead to several negative consequences:
- Account Compromise: An attacker could potentially steal administrator session cookies, gaining full control of the WordPress website.
- Data Theft: Sensitive information, such as user data or website content, could be accessed and stolen.
- Malware Distribution: The injected scripts could redirect users to malicious websites or install malware on their computers.
- Website Defacement: An attacker could alter the appearance or content of the website.
Mitigation and Patch Steps
The primary mitigation step is to update the WPSite Shortcode plugin to a version higher than 1.2, if a patched version is available. Check the WordPress plugin repository or the plugin developer’s website for updates.
If an update is not available, consider these temporary workarounds:
- Disable the WPSite Shortcode plugin: This will prevent the vulnerable code from being executed.
- Use a Web Application Firewall (WAF): A WAF can help detect and block XSS attacks.
- Carefully review and sanitize content: Monitor user-generated content and shortcodes for suspicious code. However, relying solely on manual review is not a reliable long-term solution.
