CVE-2025-11802 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Bulma Shortcodes plugin for WordPress, specifically within the bulma-notification shortcode's 'type' attribute. The root cause is insufficient input sanitization and output escaping, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the browsers of any users who visit the infected pages, potentially compromising session tokens, redirecting users, or performing actions on behalf of victims. The vulnerability affects all versions up to and including 1.0 of the plugin. Exploitation requires authenticated access but no user interaction beyond page viewing. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is considered changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges by impacting other users. No patches were available at the time of disclosure, and no known exploits have been detected in the wild. The vulnerability is cataloged under CWE-79, a common and well-understood web application security issue. Given the widespread use of WordPress and the popularity of Bulma Shortcodes for styling, this vulnerability poses a tangible risk to websites that allow multiple contributors to publish content.

For European organizations, this vulnerability can lead to unauthorized script execution on their WordPress-powered websites, potentially compromising user sessions, stealing sensitive information, or defacing web content. Organizations with collaborative content creation environments are particularly at risk, as contributors can inject malicious code that affects all site visitors, including administrators and customers. This can damage brand reputation, lead to data breaches under GDPR regulations, and cause operational disruptions. Attackers could leverage this vulnerability to conduct phishing campaigns, spread malware, or pivot to more severe attacks within the network. The medium severity indicates a significant but not critical threat, yet the persistent nature of stored XSS can have prolonged impacts if not remediated promptly. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as exploit code may emerge post-disclosure.

European organizations should immediately audit their WordPress installations to identify the presence of the Bulma Shortcodes plugin and verify the version in use. Until a patch is released, restrict contributor-level permissions to trusted users only, and consider temporarily disabling the plugin if feasible. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs, particularly targeting the 'type' attribute in bulma-notification shortcodes. Conduct regular content reviews to detect injected scripts and sanitize existing content. Educate content contributors about secure content practices and the risks of injecting untrusted code. Monitor website traffic and logs for unusual activity indicative of exploitation attempts. Once a vendor patch or update is available, apply it promptly and test the site for residual malicious code. Additionally, consider deploying Content Security Policy (CSP) headers to limit the impact of any injected scripts.