CVE-2025-11808 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Shortcode for Google Street View plugin for WordPress developed by antiochinteractive. The vulnerability affects all versions up to and including 0.5.7. It stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'id' attribute within the 'streetview' shortcode. Authenticated users with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into the shortcode's 'id' attribute. Because the injected script is stored and rendered on pages, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The attack vector requires network access (remote) and low attack complexity, with no user interaction needed once the malicious content is stored. The scope is considered changed (S:C) because the vulnerability affects other users beyond the attacker. The CVSS 3.1 base score is 6.4, indicating medium severity, with impacts on confidentiality and integrity but no direct availability impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content or shortcode usage by authenticated users.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the affected plugin installed. Exploitation could lead to unauthorized disclosure of sensitive information, such as session cookies or personal data, through malicious script execution. This can facilitate account takeover, privilege escalation, or further attacks like phishing or malware distribution. The integrity of website content can be compromised, damaging organizational reputation and trust. Since contributors and above can exploit this, insider threats or compromised contributor accounts increase risk. Although availability is not directly impacted, the indirect effects of defacement or data leakage can disrupt business operations and compliance with GDPR and other privacy regulations. Organizations relying on WordPress for customer-facing or internal portals should consider this vulnerability a significant security concern, especially those in sectors with high regulatory scrutiny or handling sensitive user data.

Immediate mitigation steps include restricting contributor-level user permissions to trusted individuals and auditing existing contributor accounts for suspicious activity. Disable or remove the Shortcode for Google Street View plugin if it is not essential. If removal is not feasible, implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'streetview' shortcode's 'id' attribute. Monitor logs for unusual shortcode usage or script injection attempts. Educate content contributors about safe input practices and the risks of injecting untrusted content. Since no official patch is currently available, organizations should follow vendor advisories for updates and apply patches promptly once released. Additionally, implement Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of potential XSS payloads. Regularly scan WordPress installations with security tools to detect vulnerabilities and unauthorized changes.