CVE-2025-11745 is a stored cross-site scripting (XSS) vulnerability classified under CWE-80 affecting the WordPress plugin 'Ad Inserter – Ad Manager & AdSense Ads' up to version 2.8.7. The vulnerability arises from improper neutralization of script-related HTML tags due to insufficient input sanitization and output escaping of user-supplied attributes within the plugin's 'adinserter' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into custom fields processed by the shortcode. When any user accesses a page containing the injected shortcode, the malicious script executes in their browser context, potentially compromising session tokens, redirecting users, or performing unauthorized actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. No patches or official fixes were available at the time of disclosure, and no active exploits have been reported. The plugin is widely used for managing ads and inserting AdSense ads on WordPress sites, making this vulnerability relevant for websites relying on this plugin for monetization or content management. The flaw highlights the risk of insufficient input validation in plugins that process user-generated content and underscores the importance of strict sanitization and output encoding in WordPress plugin development.

For European organizations, this vulnerability poses a significant risk to websites using the affected plugin, particularly those allowing contributor-level users to add or edit content. Exploitation can lead to session hijacking, unauthorized actions, defacement, or distribution of malware via injected scripts, undermining user trust and potentially causing reputational damage. Organizations in sectors such as media, e-commerce, and public services that rely on WordPress for content delivery and advertising are especially vulnerable. The vulnerability could also facilitate lateral movement or privilege escalation if combined with other flaws. Given the medium severity and the requirement for authenticated access, the impact is moderate but can escalate if exploited in targeted attacks. The lack of a patch at disclosure increases exposure time, emphasizing the need for immediate mitigation. Additionally, compliance with GDPR and other data protection regulations may be affected if user data is compromised through XSS attacks, leading to potential legal and financial consequences.

European organizations should immediately audit their WordPress installations to identify the presence of the 'Ad Inserter – Ad Manager & AdSense Ads' plugin and verify the version in use. Until an official patch is released, restrict contributor-level user permissions to prevent unauthorized shortcode usage or content injection. Implement strict content moderation workflows to review any user-generated content that could include shortcodes. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode parameters or script injection patterns. Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Regularly monitor website logs and user activity for signs of exploitation attempts. Once patches become available, prioritize immediate updates of the plugin. Additionally, educate content contributors about the risks of injecting untrusted code and enforce the principle of least privilege for all user roles.