CVE-2025-11763: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in rustybadrobot Display Pages Shortcode
The Display Pages Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column_count' parameter in the [display-pages] shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
The vulnerability CVE-2025-11763 affects the Display Pages Shortcode plugin for WordPress, specifically versions up to and including 1.1. It is a stored Cross-Site Scripting (XSS) flaw categorized under CWE-79, caused by insufficient sanitization and escaping of the 'column_count' parameter in the [display-pages] shortcode. This allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. The vulnerability is exploitable remotely over the network without user interaction, but requires the attacker to have at least contributor-level access, which is a moderate privilege level in WordPress. The CVSS 3.1 base score is 6.4 (medium severity), reflecting the balance between ease of exploitation and impact. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. No patches or official fixes are currently available, and no known exploits have been reported in the wild. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins that generate dynamic content based on user input.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, compromising user sessions and potentially leaking sensitive information. Since the exploit requires contributor-level access, insider threats or compromised accounts pose a significant risk. Attackers could leverage this to perform actions such as stealing authentication cookies, defacing websites, or conducting phishing attacks by injecting malicious content. The impact on confidentiality and integrity is moderate, while availability is not directly affected. Organizations relying on WordPress for public-facing or internal portals that use the Display Pages Shortcode plugin are at risk of reputational damage and potential regulatory non-compliance if user data is compromised. Given the widespread use of WordPress across Europe, especially in small and medium enterprises, the threat could affect a broad range of sectors including education, government, and commerce.
Mitigation Recommendations
Immediate mitigation involves restricting contributor-level access to trusted users only and monitoring for suspicious activity related to the Display Pages Shortcode plugin. Administrators should disable or remove the plugin until a security patch is released. If patching is not immediately possible, implement manual input validation and output escaping for the 'column_count' parameter in the shortcode code to neutralize malicious scripts. Employ Web Application Firewalls (WAFs) with custom rules to detect and block attempts to inject scripts via this parameter. Regularly audit user roles and permissions to minimize the number of users with contributor or higher privileges. Additionally, enable Content Security Policy (CSP) headers to limit the impact of any injected scripts. Organizations should also monitor security advisories from the plugin vendor and WordPress security communities for updates and patches.
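The "validate the input and escape the output" fix described above, as an added illustrative example that is not the Display Pages Shortcode plugin's own code. It assumes a [display-pages] handler that turns column_count into a CSS class name; the function names (dps_example_*) are made up for this illustration, the WordPress API calls (shortcode_atts, absint, esc_attr, esc_url, esc_html, get_pages, add_shortcode) are real.

```php
<?php
// Illustrative example, not the plugin's own code. Assumes the handler maps
// column_count onto a CSS class; the dps_example_* names are hypothetical.

// INSECURE PATTERN (the shape of CWE-79 in a shortcode handler): the raw
// attribute value is interpolated into markup without validation or escaping,
// so a contributor-authored value can break out of the attribute context.
function dps_example_insecure( $atts ) {
    $atts = shortcode_atts( array( 'column_count' => '3' ), $atts, 'display-pages' );
    return '<div class="dps-columns-' . $atts['column_count'] . '">'
         . dps_example_list() . '</div>';
}

// HARDENED PATTERN: reduce the attribute to the only type it can legitimately
// be (a small positive integer) and escape at the point of output.
function dps_example_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'column_count' => '3' ), $atts, 'display-pages' );
    $count = absint( $atts['column_count'] );            // any non-numeric input becomes 0
    $count = ( $count < 1 || $count > 6 ) ? 3 : $count;  // clamp to a sane range, else default
    return '<div class="' . esc_attr( 'dps-columns-' . $count ) . '">'
         . dps_example_list() . '</div>';
}

// Shared helper: list published pages, escaping every dynamic value on output.
function dps_example_list() {
    $out = '';
    foreach ( get_pages( array( 'post_status' => 'publish' ) ) as $page ) {
        $out .= '<li><a href="' . esc_url( get_permalink( $page ) ) . '">'
              . esc_html( get_the_title( $page ) ) . '</a></li>';
    }
    return '<ul>' . $out . '</ul>';
}

add_shortcode( 'display-pages', 'dps_example_hardened' );
```

The integer validation is the decisive step: escaping alone still lets an arbitrary string reach the page, whereas absint() leaves nothing for a script payload to ride on.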
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-14T21:11:20.360Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69202359cf2d47c38997b3c3
Added to database: 11/21/2025, 8:31:21 AM
Last enriched: 11/21/2025, 8:32:27 AM
Last updated: 11/22/2025, 5:50:24 AM