The Draft List plugin for WordPress, developed by dartiss, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-11197. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of user-supplied attributes in the 'drafts' shortcode. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the malicious scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deliver further payloads. The vulnerability affects all versions up to and including 2.6.1. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low complexity, privileges required (PR:L), no user interaction (UI:N), and scope changed (S:C). The impact primarily affects confidentiality and integrity, with no direct availability impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those handling user-generated content and shortcodes.

This vulnerability allows authenticated contributors or higher to inject persistent malicious scripts into WordPress sites using the Draft List plugin. The impact includes potential theft of session tokens, unauthorized actions performed on behalf of other users, defacement, or redirection to malicious sites. Since the vulnerability requires contributor-level access, it limits exploitation to users who already have some level of trust within the site, but this is significant because contributors are common roles in many WordPress installations. The compromise of confidentiality and integrity can lead to broader site compromise, user data leakage, and erosion of trust. For organizations relying on WordPress for content management, especially those with multiple contributors, this vulnerability can facilitate lateral movement and privilege escalation. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is public. The absence of a patch increases exposure time, emphasizing the need for interim mitigations.

1. Immediately restrict contributor-level access to trusted users only until a patch is available. 2. Monitor and audit user-generated content submitted via the Draft List plugin for suspicious scripts or unusual shortcode attributes. 3. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the 'drafts' shortcode. 4. Disable or remove the Draft List plugin if it is not essential to reduce the attack surface. 5. Encourage the plugin vendor to release a security update that properly sanitizes and escapes all user inputs and outputs in the shortcode. 6. Educate site administrators and contributors about the risks of injecting untrusted content and the importance of least privilege principles. 7. Use Content Security Policy (CSP) headers to restrict script execution origins, mitigating the impact of injected scripts. 8. Regularly back up WordPress sites to enable recovery in case of compromise. These steps go beyond generic advice by focusing on access control, monitoring, and layered defenses specific to this plugin and vulnerability.