CVE-2025-11265 is a stored Cross-Site Scripting (XSS) vulnerability identified in the VK All in One Expansion Unit plugin for WordPress, a popular plugin used to enhance website functionality. The vulnerability exists in all versions up to and including 9.112.1 due to a logic error in the CTA (Call To Action) save function. Specifically, the sanitization callbacks intended to clean user input are read from an incorrect variable ($custom_field_name) instead of the correct one ($custom_field_options), resulting in no sanitization being applied to the 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' parameters. This flaw allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. No known exploits have been reported in the wild yet. The vulnerability impacts confidentiality and integrity but does not affect availability. The flaw is categorized under CWE-80, which covers improper neutralization of script-related HTML tags in web pages, a common XSS category. The plugin is widely used in WordPress environments, making this a significant concern for websites relying on it for content management and expansion.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of web applications using the VK All in One Expansion Unit plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed with the victim’s privileges. This can damage organizational reputation, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. Since WordPress is widely used across Europe for corporate websites, blogs, and e-commerce platforms, the exposure is significant. The vulnerability does not directly impact availability, but successful exploitation could indirectly disrupt operations through compromised accounts or defacement. Organizations with multiple contributors or less stringent access controls are at higher risk. Additionally, regulatory frameworks like GDPR impose strict requirements on protecting personal data, so exploitation leading to data leakage could result in legal and financial penalties.

1. Monitor for and apply official patches or updates from the kurudrive vendor as soon as they are released to fix the sanitization logic error. 2. Until patches are available, restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input. 3. Implement additional server-side input validation and sanitization for all user-supplied content, especially for the vulnerable parameters 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text'. 4. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, mitigating the impact of injected scripts. 5. Conduct regular security audits and code reviews of WordPress plugins and custom code to detect similar logic errors. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content submission guidelines. 7. Use Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting known vulnerable parameters. 8. Monitor logs and user activity for unusual behavior indicative of exploitation attempts.