CVE-2025-11763 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Display Pages Shortcode plugin for WordPress developed by rustybadrobot. This vulnerability exists in all versions up to and including 1.1. The root cause is insufficient sanitization and escaping of the 'column_count' parameter within the [display-pages] shortcode, which allows an authenticated attacker with contributor-level or higher privileges to inject arbitrary JavaScript code into WordPress pages. When any user accesses a page containing the injected shortcode, the malicious script executes in their browser context, potentially leading to session hijacking, unauthorized actions on behalf of users, or the theft of sensitive information. The vulnerability requires authentication but no user interaction beyond viewing the compromised page. The CVSS 3.1 base score is 6.4, indicating a medium severity with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component. No patches or official fixes have been released at the time of publication, and no active exploitation has been reported. This vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that accept user-controllable parameters in shortcodes.

For European organizations, this vulnerability poses a moderate risk primarily to websites and intranet portals running WordPress with the Display Pages Shortcode plugin installed. Attackers with contributor-level access—often achievable through compromised accounts or insider threats—can inject persistent malicious scripts that execute in the context of any user visiting the affected pages. This can lead to session hijacking, unauthorized actions such as content manipulation or privilege escalation, and potential data leakage. Organizations relying on WordPress for public-facing or internal content management may face reputational damage, regulatory scrutiny under GDPR if personal data is compromised, and operational disruptions. The vulnerability does not directly impact availability but threatens confidentiality and integrity of user sessions and data. Since the attack vector is network-based and requires authentication, the risk is somewhat mitigated by strong access controls but remains significant in environments with multiple contributors or weak account management practices.

European organizations should immediately audit their WordPress installations to identify if the Display Pages Shortcode plugin is in use and confirm the version. Until an official patch is released, mitigation should include: 1) Restrict contributor-level access strictly to trusted users and review existing user privileges to minimize the attack surface. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'column_count' parameter in shortcode requests. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 4) Monitor logs for unusual shortcode parameter usage or unexpected page content changes. 5) Educate content contributors about the risks of injecting untrusted input into shortcodes. 6) Consider temporarily disabling or removing the plugin if it is not essential. 7) Stay alert for official patches or updates from the vendor and apply them promptly. 8) Conduct regular security assessments and penetration testing focused on WordPress plugins and user privilege management.