CVE-2025-11753 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 found in the augustinfotech Bootstrap Multi-language Responsive Portfolio plugin for WordPress. The flaw exists due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of administrator-supplied input in the plugin's settings. This vulnerability affects all versions up to and including 1.0. It is exploitable only by authenticated users with administrator-level permissions or higher, who can inject arbitrary JavaScript code into pages managed by the plugin. The injected scripts execute whenever any user accesses the compromised page, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or redirect victims to malicious sites. The vulnerability is limited to multi-site WordPress installations or those where the unfiltered_html capability is disabled, narrowing the scope of impact. The CVSS v3.1 base score is 4.4, reflecting a medium severity due to the requirement for high privileges and the absence of user interaction for exploitation. No public exploits have been reported yet, but the vulnerability poses a risk to confidentiality and integrity of affected sites. The vulnerability does not impact availability. The lack of a patch link suggests that a fix may not yet be publicly available, so mitigation strategies are critical.

For European organizations, this vulnerability poses a moderate risk primarily to WordPress multi-site environments using the affected plugin. Successful exploitation could lead to unauthorized script execution, enabling attackers to hijack user sessions, steal sensitive data, or manipulate site content, thereby compromising confidentiality and integrity. Since exploitation requires administrator-level access, the threat is more relevant in scenarios where internal users or compromised admin accounts exist. The impact is heightened in sectors with strict data protection regulations such as GDPR, where data leakage or unauthorized access could lead to regulatory penalties and reputational damage. Additionally, organizations relying on multi-site WordPress deployments for managing multiple domains or subsidiaries are at greater risk. Although availability is not affected, the potential for lateral movement and further compromise within the network increases the overall threat. The absence of known exploits reduces immediate risk but does not eliminate the need for proactive measures.

1. Immediately audit all WordPress installations for the presence of the augustinfotech Bootstrap Multi-language Responsive Portfolio plugin, especially in multi-site configurations. 2. Restrict administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce the risk of credential compromise. 3. Until an official patch is released, consider disabling or removing the vulnerable plugin from multi-site installations or those with unfiltered_html disabled. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts targeting the plugin’s admin settings. 5. Regularly monitor logs for unusual administrator activity or unexpected changes in plugin settings that could indicate exploitation attempts. 6. Educate administrators about the risks of stored XSS and safe input handling practices. 7. Once a patch becomes available, prioritize its deployment across all affected environments. 8. Consider deploying Content Security Policy (CSP) headers to limit the impact of potential XSS attacks by restricting script execution sources. 9. Conduct periodic security assessments and penetration tests focusing on WordPress plugins and multi-site configurations to identify similar vulnerabilities.