CVE-2025-11799 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Affiliate AI Lite plugin for WordPress, specifically affecting all versions up to and including 1.0.1. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The issue lies in the insufficient sanitization and escaping of the 'asin' attribute within the affiai_img shortcode, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into WordPress pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability requires no user interaction beyond viewing the infected page but does require the attacker to have contributor or higher privileges, limiting the initial attack vector to authenticated users. The CVSS v3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. Currently, no public exploits are known, and no patches have been linked, indicating the need for vigilance and proactive mitigation. This vulnerability is significant in environments where Affiliate AI Lite is used, especially on sites allowing multiple contributors or editors.

The primary impact of CVE-2025-11799 is on the confidentiality and integrity of user data and site content. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users’ browsers, potentially leading to session hijacking, theft of authentication tokens, or unauthorized actions performed with victim privileges. This can erode user trust, lead to account compromise, and facilitate further attacks such as privilege escalation or phishing. Although availability is not directly affected, the reputational damage and potential data breaches can have significant operational and financial consequences. The vulnerability’s requirement for authenticated access limits the attack surface but does not eliminate risk, especially on sites with multiple contributors or less stringent access controls. Organizations relying on Affiliate AI Lite for affiliate marketing or e-commerce may face targeted exploitation attempts, particularly if attackers gain contributor access through social engineering or compromised credentials.

To mitigate CVE-2025-11799, organizations should immediately review and restrict contributor-level access to trusted users only, minimizing the risk of malicious shortcode injection. Administrators should audit existing content for suspicious shortcode usage, especially the affiai_img shortcode with the 'asin' attribute, and sanitize or remove any untrusted inputs. Until an official patch is released, consider disabling or removing the Affiliate AI Lite plugin if feasible. Implement Web Application Firewall (WAF) rules to detect and block malicious script injections targeting shortcode parameters. Educate contributors about secure content practices and monitor logs for unusual shortcode usage patterns. Once a patch or update is available from the vendor, apply it promptly. Additionally, enable Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Regularly update WordPress core and all plugins to minimize exposure to similar vulnerabilities.