CVE-2025-11747 is a stored cross-site scripting vulnerability identified in the Colibri Page Builder plugin for WordPress, specifically within the colibri_blog_posts shortcode. The root cause is insufficient sanitization and escaping of user-supplied attributes, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users visit these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of victims. The vulnerability affects all versions up to and including 1.0.345. The CVSS 3.1 score of 6.4 reflects a medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or exploits are currently publicly available, but the vulnerability is publicly disclosed and documented by Wordfence. This vulnerability is a classic example of CWE-79, highlighting the importance of proper input validation and output encoding in web applications. Since contributor-level users can exploit this, it poses a risk in environments where such roles are assigned to untrusted or semi-trusted users.

The impact of this vulnerability includes potential theft of user credentials or session cookies, unauthorized actions performed on behalf of users, and defacement or manipulation of website content. For organizations, this can lead to compromised user accounts, loss of customer trust, reputational damage, and potential regulatory consequences if sensitive data is exposed. Since the vulnerability allows scope change, attackers might escalate privileges or move laterally within the affected WordPress environment. The requirement for contributor-level access limits initial exploitation but does not eliminate risk, especially in environments with multiple content editors or less stringent access controls. The vulnerability affects the confidentiality and integrity of data but does not directly impact availability. Given WordPress's widespread use globally, many organizations, including small businesses, media outlets, and enterprises using Colibri Page Builder, are at risk if unpatched.

Organizations should immediately review user roles and permissions, restricting contributor-level access to trusted users only. Until an official patch is released, administrators can disable or remove the Colibri Page Builder plugin or specifically avoid using the colibri_blog_posts shortcode. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injections in shortcode attributes can provide temporary protection. Regularly audit and sanitize existing content for injected scripts. Monitoring logs for unusual contributor activity can help detect exploitation attempts. Once a patch becomes available, promptly apply it. Additionally, educating content contributors about safe input practices and enforcing strong authentication mechanisms reduces risk. Employing Content Security Policy (CSP) headers can mitigate the impact of injected scripts by restricting script execution sources.