CVE-2025-11502 is a stored cross-site scripting (XSS) vulnerability identified in the Schema & Structured Data for WP & AMP plugin for WordPress, developed by magazine3. The vulnerability exists in all versions up to and including 1.51 within the 'saswp_tiny_multiple_faq' shortcode functionality. This shortcode fails to properly sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of the victim. The vulnerability is exploitable remotely over the network without user interaction but requires authentication with contributor or higher privileges. The CVSS 3.1 base score is 6.4, reflecting a medium severity with a network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. Although no known exploits are reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those that allow multiple contributors. The issue stems from improper neutralization of input during web page generation (CWE-79), a common and dangerous web application security flaw. The plugin's widespread use in WordPress sites for structured data markup increases the potential attack surface. The vulnerability was reserved on October 8, 2025, and published on November 1, 2025, with no patch links currently available, indicating that remediation may still be pending or in progress.

The impact of CVE-2025-11502 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows authenticated contributors or higher to inject persistent malicious scripts that execute in the browsers of site visitors, including administrators and other users. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of users, defacement, and distribution of malware. The vulnerability does not directly affect availability but can indirectly cause service disruption through defacement or loss of user trust. Organizations relying on the Schema & Structured Data for WP & AMP plugin for SEO and structured data benefits may face reputational damage and potential regulatory consequences if user data is compromised. Since the attack requires contributor-level access, the risk is elevated in environments with many contributors or weak internal access controls. The scope of affected systems is broad given WordPress's global popularity and the plugin's usage, making this a significant threat to websites that have not updated or mitigated the vulnerability.

To mitigate CVE-2025-11502, organizations should first check for and apply any official patches or updates released by the plugin vendor magazine3 as soon as they become available. In the absence of patches, administrators should restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'saswp_tiny_multiple_faq' shortcode can reduce exploitation risk. Site owners can also disable or remove the vulnerable shortcode if it is not essential to their content. Employing Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script execution sources. Regular security scanning and monitoring for unusual page content or injected scripts are recommended. Additionally, educating contributors about safe input practices and monitoring plugin updates will help maintain security posture. Finally, consider isolating or sandboxing user-generated content to prevent script execution where feasible.