CVE-2025-11800 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Surbma | MiniCRM Shortcode plugin for WordPress, affecting all versions up to and including 2.0. The root cause is insufficient sanitization and escaping of the 'id' attribute within the 'minicrm' shortcode, allowing malicious input to be stored and later rendered in web pages. Authenticated attackers with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into the 'id' attribute, which is then stored persistently in the WordPress database. When any user, including administrators or visitors, accesses a page containing the injected shortcode, the malicious script executes in their browser context. This can lead to session hijacking, privilege escalation, defacement, or redirection to malicious sites. The vulnerability does not require user interaction beyond page access and has a CVSS 3.1 base score of 6.4 (medium severity), with attack vector network, low attack complexity, privileges required, no user interaction, and scope changed. No public exploits have been reported yet, but the vulnerability poses a significant risk to sites using this plugin, especially those with multiple contributors or public-facing content. The plugin developer has not yet released a patch, so mitigation relies on access control, input validation, or disabling the shortcode.

The impact of CVE-2025-11800 is primarily on the confidentiality and integrity of affected WordPress sites using the Surbma | MiniCRM Shortcode plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the site, potentially stealing session cookies, performing actions on behalf of other users, or defacing content. This can erode user trust, lead to account compromise, and facilitate further attacks such as phishing or malware distribution. Since contributor-level access is required, the threat is elevated in environments with multiple content editors or less stringent access controls. The vulnerability does not directly affect availability but can indirectly cause service disruption if exploited for defacement or administrative takeover. Organizations relying on this plugin for CRM functionality risk data leakage and reputational damage. The scope includes all sites running vulnerable versions, which may be significant given WordPress's widespread use and the plugin's niche CRM integration role.

To mitigate CVE-2025-11800, organizations should first check for and apply any official patches or updates from the Surbma plugin developer once available. Until a patch is released, consider disabling the 'minicrm' shortcode functionality or the entire plugin if feasible. Restrict contributor-level and higher permissions strictly to trusted users to reduce the risk of malicious shortcode injection. Implement Web Application Firewall (WAF) rules to detect and block suspicious script payloads in shortcode attributes. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting script sources and execution contexts. Conduct regular security audits of user-generated content and shortcode usage. Additionally, sanitize and escape all shortcode attributes manually if custom development is possible, or use security plugins that enhance input validation. Educate content contributors about the risks of injecting untrusted content and monitor logs for unusual shortcode usage patterns.