CVE-2025-11808 is a stored cross-site scripting (XSS) vulnerability identified in the Shortcode for Google Street View plugin for WordPress, developed by antiochinteractive. The vulnerability affects all plugin versions up to and including 0.5.7. It stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'id' attribute in the 'streetview' shortcode. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into WordPress pages. Because the malicious scripts are stored persistently in the content, they execute automatically whenever any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C). The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet. The vulnerability highlights the risk of insufficient input validation in WordPress plugins, especially those that allow shortcode usage by contributors. Given WordPress's widespread adoption, this vulnerability could be leveraged in targeted attacks against websites that use this plugin, especially those with multiple contributors or editors.

The primary impact of CVE-2025-11808 is the potential for stored XSS attacks, which can lead to unauthorized script execution in the context of users visiting compromised pages. This can result in session hijacking, credential theft, defacement, or unauthorized actions performed on behalf of users with elevated privileges. For organizations, this can mean data breaches, loss of user trust, and potential regulatory consequences if sensitive user data is exposed. Since the vulnerability requires contributor-level access, attackers must first compromise or have legitimate access to the site, which limits but does not eliminate risk. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site. The absence of known exploits in the wild reduces immediate risk but does not preclude future exploitation. Organizations relying on this plugin for embedding Google Street View content are at risk of targeted attacks, especially those with active contributor communities or less stringent access controls.

1. Immediate mitigation involves updating the Shortcode for Google Street View plugin to a patched version once released by the vendor. Since no patch links are currently available, monitor vendor advisories closely. 2. Restrict contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. 3. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the 'streetview' shortcode parameters. 4. Use security plugins that sanitize shortcode inputs or disable shortcode execution for untrusted roles. 5. Conduct regular security audits and code reviews of custom shortcodes or plugins to ensure proper input validation and output escaping. 6. Educate content contributors on safe content practices and the risks of embedding untrusted code. 7. Employ Content Security Policy (CSP) headers to limit the impact of any injected scripts by restricting script sources and execution contexts. 8. Monitor website logs and user reports for unusual behavior indicative of XSS exploitation attempts. These steps combined reduce the attack surface and limit potential damage until an official patch is available.