CVE-2025-11800 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Surbma | MiniCRM Shortcode plugin for WordPress, present in all versions up to and including 2.0. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically via the 'id' attribute of the 'minicrm' shortcode. Authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into WordPress pages by manipulating this shortcode attribute. Because the plugin fails to adequately sanitize and escape this input before rendering, the malicious script is stored persistently and executed in the browsers of any users who visit the affected pages. This can lead to session hijacking, privilege escalation, defacement, or unauthorized actions performed on behalf of users. The attack vector is network-based, requiring only authenticated access with contributor privileges, and no user interaction is needed for the payload to execute once the page is loaded. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity with low attack complexity and partial impact on confidentiality and integrity but no impact on availability. No known exploits are currently reported in the wild, but the risk remains significant due to the widespread use of WordPress and the plugin’s role in CRM functionalities. The lack of a patch at the time of publication necessitates immediate mitigation steps by administrators.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of data managed via WordPress sites using the Surbma | MiniCRM Shortcode plugin. Exploitation could allow attackers to steal session cookies, impersonate users, or manipulate CRM data, potentially leading to data breaches or unauthorized access to customer information. Organizations relying on WordPress for customer relationship management or internal collaboration may face reputational damage and regulatory compliance issues, especially under GDPR mandates concerning personal data protection. The vulnerability's requirement for contributor-level access limits exposure but does not eliminate risk, as insider threats or compromised accounts could be leveraged. The persistent nature of stored XSS means that once injected, malicious scripts can affect multiple users over time, increasing the attack surface. Given the plugin’s niche but critical role in CRM workflows, disruption or data compromise could impact business operations and customer trust.

Immediate mitigation involves restricting contributor-level access to trusted users only and auditing existing shortcode usage for suspicious 'id' attribute values. Administrators should monitor WordPress pages that utilize the 'minicrm' shortcode for unexpected script injections. Until an official patch is released, implementing Web Application Firewall (WAF) rules to detect and block malicious script payloads targeting the 'id' parameter can reduce risk. Employing Content Security Policy (CSP) headers to limit script execution sources can also mitigate impact. Additionally, site owners should sanitize and validate all user inputs at the application level, ensuring that shortcode attributes do not accept executable code. Regular backups and monitoring for anomalous behavior are recommended to enable rapid response. Once a vendor patch is available, prompt application is critical. Finally, educating contributors about safe input practices and potential risks can prevent inadvertent exploitation.