CVE-2025-11764 is a stored Cross-Site Scripting (XSS) vulnerability identified in the fastmover Shortcodes Bootstrap plugin for WordPress, affecting all versions up to and including 1.1. The vulnerability stems from improper neutralization of input during web page generation, specifically due to missing input sanitization and output escaping of the 'type' parameter within the [notification] shortcode. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress site context. The vulnerability is classified under CWE-79, indicating Cross-Site Scripting issues. The CVSS v3.1 base score is 6.4, reflecting medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (contributor or higher), no user interaction, and a scope change affecting confidentiality and integrity but not availability. No patches or known exploits have been reported at the time of publication. The vulnerability's exploitation requires authenticated access, limiting exposure to internal or trusted users with editing rights. However, in environments with multiple contributors or less stringent access controls, the risk increases. The stored nature of the XSS means the malicious payload persists in the site content, affecting all users who view the infected pages.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of WordPress-based websites that utilize the fastmover Shortcodes Bootstrap plugin. Exploitation could allow attackers with contributor-level access to execute arbitrary scripts, potentially leading to session hijacking, defacement, or unauthorized actions on behalf of other users, including administrators. This could result in data leakage, unauthorized content changes, or further compromise of the website and connected systems. Organizations relying on WordPress for public-facing or internal content management, especially those with multiple contributors, are at heightened risk. The vulnerability does not directly impact availability but could indirectly cause service disruptions through defacement or administrative lockout. Given the medium severity and requirement for authenticated access, the threat is moderate but significant in environments with less restrictive contributor management or where contributor accounts are compromised. The absence of known exploits in the wild reduces immediate risk but does not preclude targeted attacks or future exploitation.

European organizations should implement the following specific mitigations: 1) Immediately audit and restrict contributor-level access to trusted personnel only, minimizing the number of users who can inject shortcode parameters. 2) Monitor and review all content created or edited via the [notification] shortcode for suspicious or unexpected script content. 3) Employ Web Application Firewalls (WAFs) with rules targeting common XSS payloads, especially those targeting shortcode parameters. 4) If possible, disable or remove the fastmover Shortcodes Bootstrap plugin until a vendor patch or update is available. 5) Implement server-side input validation and output escaping for shortcode parameters in custom code or overrides to prevent script injection. 6) Educate content contributors about safe content creation practices and the risks of injecting untrusted code. 7) Regularly update WordPress core and plugins to incorporate security patches promptly once released. 8) Conduct periodic security scans focusing on stored XSS vulnerabilities in WordPress environments. These steps go beyond generic advice by focusing on access control, content monitoring, and proactive plugin management specific to this vulnerability.