CVE-2025-11129 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Include Fussball.de Widgets plugin for WordPress, maintained by mheob. This vulnerability arises from improper neutralization of input during web page generation, specifically within the 'api' and 'type' parameters. The plugin fails to adequately sanitize and escape these inputs, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions within the context of the affected site. The vulnerability affects all versions up to and including 4.0.0. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change due to impact on other users. Although no public exploits are currently known, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple authenticated contributors. The CWE classification is CWE-79, indicating improper input neutralization leading to XSS. The vulnerability was published on November 11, 2025, and no patches or updates have been linked yet, emphasizing the need for proactive mitigation.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted websites, compromising user sessions, stealing sensitive information, or enabling further attacks such as privilege escalation or phishing. Organizations running WordPress sites with the Include Fussball.de Widgets plugin are particularly at risk, especially if they allow multiple contributors to publish content. The impact is heightened for organizations involved in sports media, fan engagement, or football-related content, where this plugin is more likely deployed. Exploitation could damage brand reputation, lead to data breaches, and disrupt user trust. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts increase risk. The scope change in CVSS indicates that the compromise can affect users beyond the attacker, potentially leading to widespread impact across site visitors. Given the popularity of WordPress in Europe and the cultural significance of football, the potential attack surface is considerable.

1. Immediately audit and restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious content injection. 2. Monitor all content submissions for suspicious scripts or unusual input in the 'api' and 'type' parameters, employing web application firewalls (WAF) with custom rules targeting this plugin's parameters. 3. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 4. Regularly back up website content and databases to enable quick restoration if an attack occurs. 5. Stay alert for official patches or updates from mheob and apply them promptly once released. 6. Consider temporarily disabling or removing the Include Fussball.de Widgets plugin if it is not essential. 7. Educate contributors about secure content practices and the risks of injecting untrusted code. 8. Use security plugins that scan for XSS payloads and anomalous content in WordPress posts and pages. 9. Employ multi-factor authentication (MFA) for all contributor accounts to reduce the risk of account compromise. 10. Conduct periodic security assessments focusing on plugin vulnerabilities and user privilege management.