CVE-2025-11765 is a stored Cross-Site Scripting (XSS) vulnerability identified in the developdaly Stock Tools plugin for WordPress, affecting all versions up to and including 1.1. The vulnerability stems from insufficient input sanitization and output escaping of the 'image_height' and 'image_width' shortcode attributes. These attributes are intended to control image dimensions but can be manipulated by authenticated users with contributor-level access or higher to inject arbitrary JavaScript code. Because the malicious script is stored persistently in the WordPress database and rendered on pages viewed by other users, it can execute in the context of any user visiting the infected page. This can lead to theft of session cookies, defacement, or other malicious actions leveraging the victim's privileges. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability affects other users beyond the attacker. No known public exploits have been reported yet. The root cause is the failure to properly neutralize input during web page generation, classified under CWE-79. This issue highlights the importance of rigorous input validation and output encoding in WordPress plugins, especially those that accept user-supplied shortcode attributes. Since contributors can inject scripts, the risk is elevated in environments with multiple authors or editors. The vulnerability is currently unpatched, and no official patch links are available.

The primary impact of this vulnerability is the potential for stored XSS attacks, which can compromise the confidentiality and integrity of user data. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of any user viewing the infected pages, potentially leading to session hijacking, credential theft, unauthorized actions performed on behalf of users, or defacement. Although availability is not directly affected, the trustworthiness and integrity of the affected websites can be severely damaged. Organizations using the Stock Tools plugin in multi-user WordPress environments are at higher risk, especially those with contributors who may be compromised or malicious. The vulnerability could be leveraged to escalate privileges or pivot to further attacks within the network. Given the medium CVSS score and the requirement for authenticated access, the threat is moderate but significant in environments with multiple content editors or contributors. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation.

To mitigate this vulnerability, organizations should first check for any official patches or updates from the developdaly vendor and apply them promptly once available. In the absence of a patch, administrators should restrict contributor-level access to trusted users only and review existing content for injected scripts. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious scripts targeting shortcode attributes can provide temporary protection. Additionally, site administrators can sanitize and validate shortcode attributes manually or via custom code to enforce strict numeric input for 'image_height' and 'image_width'. Employing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting script execution sources. Regular security audits and monitoring for unusual user activity or content changes are recommended. Finally, educating content contributors about safe content practices and the risks of injecting untrusted code can reduce accidental exploitation.