Alert! Stored XSS Vulnerability Discovered in VK All in One Expansion Unit WordPress Plugin (CVE-2025-11267)

Overview

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the VK All in One Expansion Unit plugin for WordPress. This vulnerability, assigned CVE-2025-11267, affects all versions up to and including 9.112.1. Successful exploitation allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the compromised page, potentially leading to account compromise, data theft, or defacement.

Technical Details

The vulnerability stems from insufficient input sanitization and output escaping of the user-supplied Custom CSS value within the plugin’s settings. Specifically, the _veu_custom_css parameter is vulnerable.

The vulnerable code can be found in the following files:

  • admin/class-veu-metabox.php: Handling of the custom CSS input.
  • inc/css-customize/css-customize-single.php: Where the custom CSS is applied without proper escaping.

An attacker can inject malicious JavaScript code within the Custom CSS field, which is then stored in the database. When a user views a page where this custom CSS is applied, the injected script will execute in their browser.

CVSS Analysis

The vulnerability has a CVSS v3.1 score of 6.4 (Medium). The CVSS vector string is not publicly available at this time. However, the following characteristics contribute to the score:

  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: Low (PR:L) – Contributor access
  • User Interaction: Required (UI:R)
  • Scope: Changed (S:C)
  • Confidentiality Impact: Low (C:L)
  • Integrity Impact: Low (I:L)
  • Availability Impact: None (A:N)

Possible Impact

Successful exploitation of this vulnerability could have the following consequences:

  • Account Takeover: An attacker could potentially steal a user’s session cookie and hijack their account.
  • Data Theft: Sensitive information displayed on the affected page could be exfiltrated.
  • Website Defacement: The attacker could modify the appearance of the website to display malicious content.
  • Redirection to Malicious Sites: Users could be redirected to phishing sites or other malicious domains.

Mitigation and Patch Steps

The vulnerability has been addressed in a later version of the plugin. The recommended mitigation steps are as follows:

  1. Update the Plugin: Immediately update the VK All in One Expansion Unit plugin to the latest available version; that version contains the fix that sanitizes the Custom CSS input.
  2. Review Custom CSS: After updating, review any existing Custom CSS code within the plugin settings and remove any suspicious or unfamiliar code.
  3. Implement Web Application Firewall (WAF) Rules: Consider implementing WAF rules to detect and block XSS attacks targeting the _veu_custom_css parameter.
  4. Principle of Least Privilege: Review user roles and permissions. Ensure users only have the necessary privileges to perform their tasks. Limit Contributor-level access where possible.
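The WAF rule in step 3 and the sanitization the patch is expected to add both come down to the same question: can a Custom CSS value break out of the `<style>` element it is rendered into? The following is an added example, not code from the plugin or from this advisory, written in Python rather than the plugin's PHP so it can be run stand-alone. It assumes only the `_veu_custom_css` parameter name given above; the sample values and the specific rejection rules (no tag-like markup, balanced braces, no legacy script-bearing constructs) are constructed here to illustrate the approach.

```python
import re

# Constructed sample submissions (not taken from the advisory) standing in for
# what a Contributor-level user might post in the plugin's Custom CSS field.
SAMPLES = {
    "benign": ".veu-box > p { color: #336699; }",
    "markup": "a{}</style><script>/* constructed */</script>",
    "unbalanced": ".x { color: red;",
}

# Tag-like tokens never occur in valid CSS; rejecting them blocks any attempt
# to close the surrounding <style> element from inside the stored value.
TAG_LIKE = re.compile(r"</?\w+")
# Legacy constructs that can carry script in some browsers; assumed deny-list.
SCRIPT_BEARING = re.compile(r"(?i)(expression\s*\(|javascript\s*:|behavior\s*:)")


def validate_custom_css(css: str) -> list[str]:
    """Return the reasons a Custom CSS value is rejected; empty means accept."""
    problems = []
    if TAG_LIKE.search(css):
        problems.append("markup not allowed in CSS")
    if css.count("{") != css.count("}"):
        problems.append("unbalanced braces")
    if SCRIPT_BEARING.search(css):
        problems.append("disallowed CSS construct")
    return problems


def should_block_request(post_params: dict) -> bool:
    """WAF-style check: block a POST that submits an invalid _veu_custom_css.

    Requests that do not touch the parameter are left alone so the rule does
    not interfere with unrelated plugin settings."""
    value = post_params.get("_veu_custom_css")
    return value is not None and bool(validate_custom_css(value))


def render_style_block(css: str) -> str:
    """Output side: re-validate the stored value before rendering it.

    A value written to the database before the fix is dropped rather than
    emitted if it now fails validation. As defence in depth, any remaining
    '<' is written as the CSS hex escape '\\3c ' so it can never start a tag."""
    if validate_custom_css(css):
        return ""
    escaped = css.replace("<", "\\3c ")
    return '<style id="veu-custom-css">\n' + escaped + "\n</style>"
```

Re-validating on output matters because updating the plugin does not retroactively clean values already stored by the vulnerable version, which is why step 2 above asks for a manual review as well.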

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
