CVE-2025-11763 identifies a stored cross-site scripting vulnerability in the Display Pages Shortcode plugin for WordPress, developed by rustybadrobot. The vulnerability is due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'column_count' parameter within the [display-pages] shortcode. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the shortcode. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, defacement, or redirection to malicious sites. The vulnerability affects all versions up to and including 1.1 of the plugin. The CVSS 3.1 base score is 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or exploit code are currently publicly available, and no known exploitation in the wild has been reported. The vulnerability was reserved on October 14, 2025, and published on November 21, 2025. Given the nature of WordPress plugins and their widespread use, this vulnerability poses a significant risk to websites that allow multiple contributors and use this plugin for page display functionality.

The primary impact of CVE-2025-11763 is the compromise of confidentiality and integrity of user sessions and data on affected WordPress sites. Exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the context of other users visiting the infected pages. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized actions under victim user accounts. Additionally, attackers can manipulate page content, redirect users to phishing or malware sites, or conduct further attacks such as drive-by downloads. Although availability is not directly impacted, the reputational damage and potential data breaches can be severe. Organizations relying on the Display Pages Shortcode plugin, especially those with multiple contributors or editors, face increased risk of internal threat vectors and targeted attacks. The medium CVSS score reflects that exploitation requires some level of privilege, limiting exposure to authenticated users but still posing a significant threat in collaborative environments. The lack of known exploits in the wild suggests limited current active exploitation but does not preclude future attacks once exploit code becomes available.

1. Immediate mitigation involves restricting contributor-level access and above to trusted users only, minimizing the risk of malicious script injection. 2. Monitor and audit user-generated content, especially pages using the [display-pages] shortcode, for suspicious or unexpected scripts or HTML. 3. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the 'column_count' parameter or shortcode usage. 4. If possible, disable or remove the Display Pages Shortcode plugin until an official patch or update is released by rustybadrobot. 5. Encourage plugin developers or site administrators to apply strict input validation and output escaping for all shortcode parameters, particularly 'column_count'. 6. Educate contributors about safe content practices and the risks of injecting untrusted code. 7. Keep WordPress core and all plugins updated to the latest versions to reduce exposure to known vulnerabilities. 8. Consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 9. Regularly backup site data and configurations to enable quick recovery in case of compromise. 10. Stay informed on updates from the plugin vendor and security advisories for any released patches or further guidance.