CVE-2025-11502: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in magazine3 Schema & Structured Data for WP & AMP
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'saswp_tiny_multiple_faq' shortcode in all versions up to, and including, 1.51 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-11502 is a stored cross-site scripting vulnerability identified in the Schema & Structured Data for WP & AMP plugin for WordPress, specifically within the 'saswp_tiny_multiple_faq' shortcode functionality. This vulnerability stems from improper neutralization of input during web page generation (CWE-79), where user-supplied attributes are not adequately sanitized or escaped before rendering on the page. Authenticated attackers with contributor-level privileges or higher can exploit this by injecting arbitrary JavaScript code into pages via the shortcode parameters. Because the malicious script is stored persistently in the page content, it executes every time the page is accessed by any user, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 1.51 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or fixes have been released at the time of publication, and no active exploitation has been reported. The vulnerability was reserved and published in October-November 2025, with Wordfence as the assigner. Given the widespread use of WordPress and this plugin for SEO and structured data purposes, the vulnerability poses a significant risk to websites that allow contributors to add or edit content.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized script execution on their WordPress sites, potentially compromising the confidentiality and integrity of user data. Attackers could hijack user sessions, steal authentication tokens, or perform actions on behalf of users with elevated privileges. This is particularly concerning for organizations with public-facing websites that allow contributor-level content editing, such as media companies, educational institutions, and e-commerce platforms. The persistent nature of the stored XSS means that once exploited, the malicious payload can affect all visitors to the compromised pages, increasing the attack surface. Additionally, reputational damage and regulatory consequences under GDPR could arise if user data is exposed or manipulated. While availability is not directly impacted, the indirect effects of trust erosion and potential site defacement could disrupt business operations.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify if the Schema & Structured Data for WP & AMP plugin is in use, particularly versions up to 1.51. Restrict contributor-level access to trusted users only and review user role assignments to minimize the risk of malicious input. Implement web application firewalls (WAFs) with rules targeting common XSS payloads and monitor logs for suspicious shortcode usage. Employ input validation and output encoding at the application level where possible, and consider disabling or removing the vulnerable shortcode until a patch is available. Regularly update plugins and monitor vendor advisories for patches addressing this vulnerability. Additionally, conduct security awareness training for content contributors about safe input practices. For critical sites, consider deploying Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of injected scripts.
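The content audit recommended above can be scripted. The following Python sketch is an added example, not code from the advisory or the plugin: it scans exported post content for the `saswp_tiny_multiple_faq` shortcode and lists attribute values that contain markup characters so they can be reviewed. The attribute names and sample rows are constructed placeholders, and the shortcode matcher is a simplification of WordPress's own parser.

```python
import html
import re

SHORTCODE = "saswp_tiny_multiple_faq"  # shortcode named in the advisory

# Simplified matcher (assumption: not WordPress's own shortcode parser).
TAG_RE = re.compile(r"\[" + SHORTCODE + r"\b((?:\"[^\"]*\"|'[^']*'|[^\]\"'])*)\]")
ATTR_RE = re.compile(r"([\w-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s\"'\]]+))")

# Markup characters and script-bearing patterns that plain-text values should not carry.
RISKY_RE = re.compile(r"[<>\"]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def parse_attrs(raw):
    """Return {name: value} for one shortcode's attribute string."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        # Editors may store entity-encoded text; decode before inspecting.
        attrs[m.group(1)] = html.unescape(value)
    return attrs


def audit_posts(posts):
    """posts: iterable of (post_id, author, post_content). Returns findings."""
    findings = []
    for post_id, author, content in posts:
        for tag in TAG_RE.finditer(content):
            for name, value in parse_attrs(tag.group(1)).items():
                if RISKY_RE.search(value):
                    findings.append((post_id, author, name, value))
    return findings


# Constructed sample rows; the attribute names are hypothetical placeholders.
SAMPLE_POSTS = [
    (101, "editor1", 'Intro [saswp_tiny_multiple_faq headline="Shipping" question="How long?"]'),
    (102, "contrib7", "[saswp_tiny_multiple_faq headline='Returns <em>policy</em>' question=plain]"),
    (103, "contrib7", '[saswp_tiny_multiple_faq headline="A &quot;&gt;&lt;b&gt; test"]'),
    (104, "author2", "No shortcode here, just <b>normal</b> post markup."),
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print("review:", finding)
```

Findings are candidates for manual review rather than confirmed injections; pair each hit with the author's role to prioritise posts written by contributor-level accounts.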
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-08T14:28:01.206Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69059f2e1e4a8d05dce595c4
Added to database: 11/1/2025, 5:48:30 AM
Last enriched: 11/1/2025, 5:53:11 AM
Last updated: 11/1/2025, 3:50:25 PM