CVE-2025-11808 is a stored cross-site scripting vulnerability identified in the Shortcode for Google Street View plugin for WordPress, developed by antiochinteractive. The vulnerability exists in all versions up to and including 0.5.7 due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'id' attribute within the 'streetview' shortcode. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts using the vulnerable shortcode. When other users access these pages, the malicious script executes in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of the victim. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS v3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based, requiring low attack complexity and privileges but no user interaction. The scope is changed because the vulnerability affects other users beyond the attacker. No public exploits have been reported yet, but the risk remains significant for sites allowing contributor-level access. The plugin currently lacks an official patch, so mitigation requires manual intervention or restricting user roles. This vulnerability highlights the importance of proper input validation and output escaping in WordPress plugins that handle user-generated content.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the Shortcode for Google Street View plugin installed. Organizations that allow contributor-level access to multiple users, such as media companies, educational institutions, and collaborative content platforms, are particularly vulnerable. Exploitation could lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware via injected scripts. This can damage organizational reputation, lead to data breaches, and cause compliance issues under GDPR if personal data is compromised. The vulnerability does not directly affect availability but impacts confidentiality and integrity of web sessions and content. Since the attack requires authenticated access, internal threat actors or compromised contributor accounts pose the greatest risk. The absence of a patch increases exposure time, making timely mitigation critical. Given the widespread use of WordPress in Europe, the potential attack surface is significant, especially in countries with high WordPress adoption and active web publishing sectors.

1. Immediately review and restrict contributor-level access on WordPress sites using the affected plugin to trusted users only. 2. Monitor and audit content submitted via the 'streetview' shortcode for suspicious or unexpected input. 3. Until an official patch is released, implement manual input sanitization and output escaping for the 'id' attribute in the shortcode handler by modifying the plugin code or using security plugins that enforce content filtering. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the shortcode parameters. 5. Educate content contributors on safe content submission practices and the risks of injecting scripts. 6. Regularly update WordPress core, themes, and plugins to minimize exposure to known vulnerabilities. 7. Once a patch is available, apply it promptly and verify the fix through testing. 8. Implement Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of injected scripts. 9. Conduct periodic security assessments focusing on user role permissions and plugin vulnerabilities. 10. Maintain incident response plans to quickly address any exploitation attempts.