CVE-2025-11267 is a stored cross-site scripting vulnerability identified in the VK All in One Expansion Unit plugin for WordPress, affecting all versions up to and including 9.112.1. The vulnerability stems from insufficient input sanitization and output escaping of the '_veu_custom_css' parameter, which accepts user-supplied custom CSS code. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into the custom CSS field. Because the injected scripts are stored persistently, they execute in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of victims. The vulnerability is classified under CWE-80, indicating improper neutralization of script-related HTML tags. The CVSS v3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or known exploits are currently reported, but the vulnerability poses a significant risk in environments where the plugin is deployed and multiple users have contributor or higher access.

The impact of CVE-2025-11267 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim's browser, enabling theft of session cookies, credentials, or other sensitive information. It can also facilitate unauthorized actions such as content manipulation, redirection to malicious sites, or installation of further malware. Since the vulnerability requires authenticated access at the Contributor level or above, the risk is heightened in multi-user WordPress environments such as corporate blogs, community sites, or membership platforms. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting other users and site administrators. Although availability is not directly affected, the reputational damage and potential data breaches can have severe consequences for organizations, including regulatory penalties and loss of user trust.

To mitigate CVE-2025-11267, organizations should immediately update the VK All in One Expansion Unit plugin to a patched version once available. In the absence of an official patch, administrators can implement strict input validation and output encoding on the '_veu_custom_css' parameter to neutralize script tags and other malicious content. Restricting Contributor-level user permissions and auditing user roles can reduce the attack surface. Employing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injections in CSS fields can provide interim protection. Additionally, monitoring logs for unusual activities related to CSS modifications and conducting regular security assessments of WordPress plugins is recommended. Educating users about the risks of elevated privileges and enforcing the principle of least privilege will further reduce exploitation likelihood.