CVE-2025-11129 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Include Fussball.de Widgets plugin for WordPress, affecting all versions up to and including 4.0.0. The root cause is insufficient sanitization and escaping of user-supplied input in the 'api' and 'type' parameters, which are used during web page generation. This flaw allows attackers with authenticated Contributor-level or higher privileges to inject arbitrary JavaScript code into pages served by the plugin. Because the malicious scripts are stored persistently, they execute whenever any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of victims. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a network attack vector, low complexity, and no user interaction required, but limited to authenticated users with some privileges. The scope is considered changed (S:C) because the vulnerability affects components beyond the attacker’s privileges, impacting other users. While no public exploits are currently known, the presence of this vulnerability in a popular WordPress plugin used for embedding football-related widgets poses a moderate risk to websites that have enabled this plugin. The CWE-79 classification confirms this is a classic XSS issue stemming from improper neutralization of input during web page generation. The vulnerability was published on November 11, 2025, and assigned by Wordfence. No patches or fixes are currently linked, indicating that mitigation may require manual intervention or plugin updates once available.

The primary impact of CVE-2025-11129 is on the confidentiality and integrity of affected WordPress sites and their users. Exploitation allows authenticated attackers to execute arbitrary JavaScript in the context of the vulnerable site, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, defacement of web pages, or unauthorized actions performed on behalf of other users. Since the vulnerability requires Contributor-level access or higher, it limits exploitation to insiders or compromised accounts, but the consequences can extend to all site visitors and users. The availability of the site is not directly affected. Organizations running websites with this plugin may face reputational damage, loss of user trust, and potential regulatory compliance issues if user data is exposed. The moderate CVSS score reflects that while the attack complexity is low and no user interaction is needed, the prerequisite of authenticated access reduces the overall risk compared to fully unauthenticated XSS. However, given the widespread use of WordPress and the plugin’s niche in sports-related content, targeted attacks against sports media, fan communities, or related businesses could be significant.

To mitigate CVE-2025-11129, organizations should first verify if the Include Fussball.de Widgets plugin is installed and active on their WordPress sites. If so, immediate steps include: 1) Restrict Contributor-level and higher privileges strictly to trusted users to reduce the risk of malicious input injection. 2) Monitor and audit user-generated content, especially inputs to the 'api' and 'type' parameters, for suspicious or unexpected data. 3) Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting these parameters. 4) Apply output encoding and input validation manually if possible, or disable the plugin until an official patch is released. 5) Regularly check for updates from the plugin vendor and apply patches promptly once available. 6) Educate site administrators and content contributors about the risks of XSS and safe content practices. 7) Consider using Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of injected scripts. These measures go beyond generic advice by focusing on access control, monitoring, and layered defenses specific to this plugin’s vulnerability.