CVE-2025-11502 is a stored cross-site scripting vulnerability identified in the Schema & Structured Data for WP & AMP plugin for WordPress, specifically in the 'saswp_tiny_multiple_faq' shortcode. This vulnerability arises from improper neutralization of input (CWE-79), where user-supplied attributes are not sufficiently sanitized or escaped before being rendered in web pages. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes whenever any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 1.51 of the plugin. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, requiring privileges (contributor or above), no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. The plugin is widely used in WordPress sites to enhance SEO and structured data presentation, making this vulnerability relevant for many websites relying on this plugin for FAQ schema markup and AMP compatibility.

For European organizations, this vulnerability poses a significant risk to websites using the affected plugin, especially those that allow contributor-level users to publish or edit content. Exploitation could lead to session hijacking, unauthorized actions, defacement, or distribution of malware via injected scripts. This can damage brand reputation, lead to data breaches involving user credentials or personal data, and potentially violate GDPR requirements regarding data protection and breach notification. E-commerce, media, and public sector websites are particularly vulnerable due to their reliance on WordPress and structured data for SEO and accessibility. The persistent nature of stored XSS means that once exploited, the malicious code can affect all visitors, amplifying the impact. Although no known exploits are currently reported, the medium severity score and ease of exploitation by authenticated users necessitate proactive mitigation to avoid potential attacks.

1. Immediately update the Schema & Structured Data for WP & AMP plugin to a version that addresses this vulnerability once available. 2. Until a patch is released, restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious content injection. 3. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode attributes. 4. Conduct regular security audits and content reviews to detect and remove any injected malicious scripts. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected websites. 6. Educate content contributors about safe content practices and the risks of injecting untrusted code. 7. Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 8. Consider disabling or replacing the plugin if immediate patching is not feasible, especially for high-risk sites.