CVE-2025-11745 is a stored Cross-Site Scripting (XSS) vulnerability identified in the 'Ad Inserter – Ad Manager & AdSense Ads' WordPress plugin developed by spacetime. This vulnerability affects all versions up to and including 2.8.7. The root cause is insufficient sanitization and escaping of user-supplied input in the plugin's 'adinserter' shortcode, specifically within custom fields. Authenticated users with contributor-level or higher privileges can exploit this flaw by injecting arbitrary JavaScript code into pages managed by the plugin. When any user, including administrators or visitors, accesses the compromised page, the malicious script executes in their browser context. This can lead to theft of cookies, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of the victim user. The vulnerability does not require user interaction beyond page access but does require authentication with contributor or higher privileges, which somewhat limits the attacker scope. The CVSS v3.1 base score is 6.4, indicating a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges. No public exploits are currently known, but the vulnerability is publicly disclosed and should be addressed promptly. This vulnerability falls under CWE-80, which covers improper neutralization of script-related HTML tags in web pages, a common XSS category.

The impact of CVE-2025-11745 is significant for organizations using the affected WordPress plugin. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts into web pages, which execute in the context of any user visiting those pages. This can lead to session hijacking, credential theft, unauthorized actions, defacement, or distribution of malware. Since the vulnerability affects the integrity and confidentiality of user data and site content, it can damage organizational reputation and lead to compliance violations. The requirement for authenticated contributor access limits the attack surface but does not eliminate risk, especially in environments with multiple contributors or weak internal controls. The vulnerability can also be leveraged as a pivot point for further attacks within the organization’s web infrastructure. Given the widespread use of WordPress and popularity of the Ad Inserter plugin, the potential scope is broad, affecting websites globally. The lack of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation.

To mitigate CVE-2025-11745, organizations should immediately update the 'Ad Inserter – Ad Manager & AdSense Ads' plugin to a patched version once released by the vendor. Until a patch is available, restrict contributor-level access to trusted users only and audit existing contributors for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection patterns targeting the 'adinserter' shortcode parameters. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Regularly scan WordPress sites for XSS vulnerabilities using specialized security tools. Educate site administrators and contributors about the risks of injecting untrusted content. Additionally, review and sanitize all user-generated content before rendering it on pages, and consider disabling or limiting the use of shortcodes that accept user input. Monitor logs for unusual activity related to shortcode usage or contributor actions. Finally, maintain a robust backup and incident response plan to quickly recover from any successful exploitation.