CVE-2025-11803 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WPSite Shortcode plugin for WordPress, specifically in all versions up to and including 1.2. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'format' attribute of the wpsite_y shortcode and the 'before' attribute of the wpsite_postauthor shortcode. These attributes are used in generating error messages, where malicious scripts can be injected and persistently stored. An attacker with contributor-level privileges or higher can exploit this by submitting crafted shortcode attributes that embed arbitrary JavaScript. When any user, including administrators or visitors, accesses the affected page, the malicious script executes in their browser context, potentially leading to session hijacking, privilege escalation, or data theft. The CVSS v3.1 score of 6.4 reflects a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and a scope change indicating impact beyond the vulnerable component. No public exploits are currently known, but the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin. The vulnerability was published on November 21, 2025, and no patches are currently linked, suggesting users must monitor for updates or apply manual mitigations.

For European organizations, this vulnerability presents a moderate risk primarily to websites using the WPSite Shortcode plugin on WordPress. Exploitation can lead to unauthorized script execution in users' browsers, enabling session hijacking, theft of sensitive information such as cookies or credentials, defacement of websites, or delivery of further malware. This can damage organizational reputation, lead to data breaches, and disrupt business operations. Since the attack requires contributor-level access, insider threats or compromised accounts are a primary concern. The scope change in the CVSS score indicates that the impact extends beyond the plugin itself, potentially affecting the entire website and its users. Organizations with customer-facing WordPress sites or internal portals using this plugin are particularly vulnerable. Given the medium severity, the threat is significant but not critical, allowing some time for mitigation before exploitation becomes widespread.

1. Monitor for official patches or updates from the WPSite Shortcode plugin vendor and apply them promptly once available. 2. Until a patch is released, restrict contributor-level access to trusted users only and audit existing user privileges to minimize risk. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs containing script tags or suspicious payloads. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 5. Conduct manual code reviews or apply custom input validation and output encoding on the affected shortcode attributes if feasible. 6. Regularly scan WordPress sites for XSS vulnerabilities using specialized security tools. 7. Educate site administrators and contributors about the risks of injecting untrusted content in shortcodes. 8. Maintain regular backups of website content to enable quick restoration if defacement occurs.