Urgent: WP Company Info Plugin Under Attack! Stored XSS Vulnerability (CVE-2025-11826)

Overview

A critical security vulnerability, identified as CVE-2025-11826, has been discovered in the WP Company Info plugin for WordPress. This vulnerability is a Stored Cross-Site Scripting (XSS) flaw affecting versions up to and including 1.9.0. The vulnerability arises due to insufficient input sanitization and output escaping in the ‘class’ attribute of the ‘social-networks’ shortcode.

Technical Details

The WP Company Info plugin allows users to display company information and social media links on their WordPress site. The ‘social-networks’ shortcode provides functionality to render these links. However, the plugin fails to properly sanitize user-supplied input within the ‘class’ attribute of this shortcode. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript code into WordPress pages and posts. The injected script will then execute whenever a user visits the affected page, potentially leading to session hijacking, defacement, or other malicious activities.

Specifically, the vulnerability is located in the class-wp-company-info-social-links.php file within the plugin’s code. The affected code section is responsible for generating the HTML output for the social media links, and it does not properly escape the ‘class’ attribute, allowing for XSS injection.
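To make the flaw concrete, here is an added illustration of the vulnerable pattern beside its hardened form. This is not the plugin's own code: the handler names, the `$atts` layout and the link data are assumed for illustration, and it relies on the WordPress runtime for `shortcode_atts()`, `sanitize_html_class()`, `esc_attr()`, `esc_url()` and `esc_html()`.

```php
<?php
// Added example, not code from the WP Company Info plugin. Function names and
// data are assumed; the pattern is the one described above: a shortcode's
// 'class' attribute written into HTML without attribute-context escaping.

// BEFORE (vulnerable pattern): whatever a Contributor puts in
// [social-networks class="..."] lands verbatim inside the class="" attribute,
// so a quote character in the value ends the attribute and the rest of the
// string becomes markup.
function example_social_networks_unsafe( $atts ) {
	$atts = shortcode_atts( array( 'class' => '' ), $atts, 'social-networks' );
	return '<ul class="social-networks ' . $atts['class'] . '">'
		. example_render_links() . '</ul>';
}

// AFTER (hardened): restrict each token to legal class-name characters, then
// escape the whole value for an attribute context before output.
function example_social_networks_safe( $atts ) {
	$atts = shortcode_atts( array( 'class' => '' ), $atts, 'social-networks' );
	// sanitize_html_class() keeps only [A-Za-z0-9_-]; applying it per
	// whitespace-separated token preserves "foo bar" as two classes and
	// array_filter() drops tokens that were reduced to nothing.
	$tokens  = preg_split( '/\s+/', trim( $atts['class'] ) );
	$classes = array_filter( array_map( 'sanitize_html_class', $tokens ) );
	// esc_attr() is the output-escaping step the vulnerable version lacks:
	// any remaining quote or angle bracket becomes an HTML entity.
	$class_attr = esc_attr( implode( ' ', $classes ) );
	return '<ul class="social-networks ' . $class_attr . '">'
		. example_render_links() . '</ul>';
}

// Stand-in for the plugin's link rendering; each field is escaped for the
// context it is written into (URL in href, text in element body).
function example_render_links() {
	$links = array( 'twitter' => 'https://example.com/company' ); // constructed sample
	$out   = '';
	foreach ( $links as $name => $url ) {
		$out .= '<li><a href="' . esc_url( $url ) . '">' . esc_html( $name ) . '</a></li>';
	}
	return $out;
}

add_shortcode( 'social-networks', 'example_social_networks_safe' );
```

When reviewing a patched release, the check to look for is exactly this: the `class` value passing through `sanitize_html_class()` and/or `esc_attr()` before it is concatenated into the `<ul>` tag.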

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) assigns a score of 6.4 to CVE-2025-11826, classifying it as a MEDIUM severity vulnerability. The CVSS vector string provides a more detailed breakdown:

  • AV:N (Attack Vector: Network)
  • AC:L (Attack Complexity: Low)
  • PR:L (Privileges Required: Low)
  • UI:R (User Interaction: Required)
  • S:C (Scope: Changed)
  • C:L (Confidentiality Impact: Low)
  • I:L (Integrity Impact: Low)
  • A:N (Availability Impact: None)

This score indicates that an attacker can exploit this vulnerability over the network with relative ease: only low privileges (e.g., Contributor access) are needed, and some user interaction is required to trigger the XSS. While the impact to confidentiality and integrity is low, the scope is changed, meaning the injected script executes in the context of the WordPress domain and can therefore affect other users who view the page.

Possible Impact

Successful exploitation of this stored XSS vulnerability can have several negative consequences:

  • Account Takeover: Attackers can potentially steal user session cookies, leading to account hijacking.
  • Website Defacement: Malicious scripts can modify the content of the affected pages, defacing the website.
  • Malware Distribution: Attackers can redirect users to malicious websites or inject code that downloads malware.
  • Phishing Attacks: Injected scripts can be used to create fake login forms to steal user credentials.

Mitigation & Patch Steps

The most effective way to mitigate this vulnerability is to update the WP Company Info plugin to a patched version that addresses the XSS flaw. As of this writing, there is no official patched version available. Therefore, immediate steps must be taken.

  1. Disable the Plugin: As a temporary measure, disable the WP Company Info plugin entirely to prevent further exploitation.
  2. Remove Social Networks Shortcode: Manually remove any instances of the [social-networks] shortcode from your WordPress pages and posts.
  3. Monitor for Updates: Closely monitor the WordPress plugin repository and the WP Company Info plugin developer’s website for updates that address this vulnerability.
  4. Implement Web Application Firewall (WAF) Rules: Configure your WAF to block requests containing potentially malicious code in the ‘class’ attribute of the ‘social-networks’ shortcode.

Once a patched version is available, update the plugin immediately.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.