CVE-2025-11802 is a stored cross-site scripting (XSS) vulnerability identified in the Bulma Shortcodes plugin for WordPress, specifically within the 'type' attribute of the bulma-notification shortcode. The root cause is insufficient input sanitization and output escaping, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code that is stored persistently in the WordPress database. When any user accesses a page containing the malicious shortcode, the injected script executes in their browser context. This can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or further exploitation such as privilege escalation. The vulnerability affects all versions up to and including 1.0 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change due to potential impact on other components. No public exploits are known at this time, but the vulnerability's presence in a popular CMS plugin increases the risk of future exploitation. The vulnerability is particularly dangerous because it leverages stored XSS, which persists across sessions and affects all users viewing the compromised content. The plugin is used to enhance WordPress sites with Bulma CSS framework shortcodes, making it attractive for sites leveraging this styling framework. The vulnerability was reserved in October 2025 and published in November 2025, with no patch links currently available, indicating that remediation may still be pending or in progress.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of web applications running WordPress with the Bulma Shortcodes plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions within the context of the victim's session. This can lead to data breaches, defacement of public-facing websites, erosion of customer trust, and regulatory non-compliance under GDPR if personal data is compromised. The scope of impact extends to all users who access the infected pages, including employees, customers, and partners. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts are the primary attack vectors. The absence of known exploits reduces immediate risk but does not eliminate it, as attackers often develop exploits rapidly after disclosure. European organizations with active content contributors and public-facing WordPress sites are particularly vulnerable. The impact on availability is minimal, but the integrity and confidentiality risks are moderate to high depending on the exploitation context.

1. Immediately audit and restrict contributor-level permissions to trusted users only, minimizing the risk of malicious shortcode injection. 2. Monitor and review all content created or edited using the bulma-notification shortcode, especially the 'type' attribute, for suspicious or unexpected input. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting this shortcode attribute. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 5. Regularly update the Bulma Shortcodes plugin once a patch or fixed version is released by the vendor. 6. Educate content contributors about safe content creation practices and the risks of injecting untrusted code. 7. Use security plugins that scan for stored XSS vulnerabilities and anomalous shortcode usage. 8. Consider temporarily disabling the bulma-notification shortcode or the entire Bulma Shortcodes plugin if immediate patching is not possible. 9. Conduct penetration testing focused on shortcode injection vectors to identify any other related vulnerabilities. 10. Maintain strict logging and alerting on content changes and user activities involving shortcode usage to detect potential exploitation attempts early.