CVE-2025-11745 is a stored cross-site scripting vulnerability identified in the 'Ad Inserter – Ad Manager & AdSense Ads' WordPress plugin developed by spacetime. The vulnerability arises from improper neutralization of script-related HTML tags (CWE-80) due to insufficient sanitization and escaping of user-supplied attributes in the plugin's 'adinserter' shortcode. This flaw allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into custom fields that are rendered on web pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of the victim. The vulnerability affects all versions up to and including 2.8.7. The CVSS 3.1 base score of 6.4 indicates a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacts confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability's nature makes it a candidate for targeted attacks, especially in environments with multiple contributors. The lack of a patch link suggests that a fix may be pending or not yet publicly available, emphasizing the need for vigilance and interim mitigation.

For European organizations, this vulnerability poses a significant risk to websites using the affected plugin, particularly those with multiple content contributors such as news portals, e-commerce sites, and corporate blogs. Exploitation can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware through injected scripts. This can damage organizational reputation, lead to data breaches involving user credentials or personal data, and cause regulatory compliance issues under GDPR due to compromised user data confidentiality. The medium severity score reflects that while the attack requires authenticated access, the low complexity and network exploitability make it feasible in environments with multiple contributors. The scope change means that the vulnerability can affect components beyond the initially compromised plugin, potentially impacting the entire website or user base. Given the widespread use of WordPress in Europe and the popularity of ad management plugins, the potential impact is broad, especially for organizations relying on user-generated content workflows.

Organizations should immediately audit their WordPress installations to identify use of the 'Ad Inserter – Ad Manager & AdSense Ads' plugin and verify the version in use. Until an official patch is released, restrict contributor-level access to trusted users only and consider temporarily disabling the plugin or the 'adinserter' shortcode functionality if feasible. Implement web application firewall (WAF) rules to detect and block suspicious script injection patterns in requests involving the shortcode. Review and harden input validation and output escaping mechanisms in custom fields, possibly by applying custom filters or sanitization plugins that enforce strict HTML sanitization. Monitor website logs for unusual activity or script injections and conduct regular security scans. Educate content contributors about the risks of injecting untrusted content and enforce strict content policies. Once a patch is available, apply it promptly and verify the fix through testing. Additionally, consider implementing Content Security Policy (CSP) headers to mitigate the impact of any injected scripts.