CVE-2025-11764 is a stored cross-site scripting vulnerability identified in the Shortcodes Bootstrap plugin for WordPress, developed by fastmover. This vulnerability affects all versions up to and including 1.1. The root cause is the improper neutralization of input during web page generation, specifically the lack of input sanitization and output escaping of the 'type' parameter within the [notification] shortcode. An attacker with authenticated access at the contributor level or above can exploit this flaw by injecting arbitrary JavaScript code into WordPress pages or posts. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising any user who views it. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. The impact primarily affects confidentiality and integrity, enabling attackers to steal session cookies, perform actions on behalf of users, or manipulate page content. No public exploits have been reported to date. The vulnerability was reserved in October 2025 and published in November 2025. The plugin is widely used in WordPress environments that utilize shortcodes for enhanced content presentation, making the vulnerability relevant to many websites relying on this plugin for notification display.

The vulnerability allows authenticated users with contributor-level permissions to inject persistent malicious scripts into WordPress pages, which execute in the context of any user viewing the page. This can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or redirection to malicious sites. Since contributors can create or edit content, the attack surface includes all visitors to affected pages, including administrators and higher-privileged users, potentially escalating the attacker's control. The confidentiality of user data and integrity of site content are at risk, though availability is not directly impacted. Organizations running WordPress sites with this plugin may face reputational damage, data breaches, and increased risk of further exploitation if attackers chain this vulnerability with others. The medium CVSS score reflects the need for timely remediation, especially in environments with multiple contributors or high-traffic sites.

1. Immediately update the Shortcodes Bootstrap plugin to a patched version once released by the vendor. Monitor official fastmover channels for updates. 2. Until a patch is available, restrict contributor-level access to trusted users only and review existing content for injected scripts. 3. Implement a Web Application Firewall (WAF) with rules to detect and block malicious script payloads targeting the 'type' parameter in the [notification] shortcode. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 5. Conduct regular security audits and scanning of WordPress content for suspicious scripts or anomalies. 6. Educate content contributors about safe input practices and the risks of injecting untrusted code. 7. Consider disabling or removing the Shortcodes Bootstrap plugin if it is not essential to reduce attack surface. 8. Monitor logs for unusual activity related to shortcode usage or content editing that could indicate exploitation attempts.