CVE-2025-11809 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WP-Force Images Download plugin for WordPress, maintained by nazakatali32. The vulnerability exists in all versions up to and including 1.8 due to improper neutralization of input during web page generation, specifically within the 'wpfid' shortcode's 'class' attribute. The root cause is insufficient input sanitization and output escaping, which allows an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability requires authentication but no user interaction, and the scope is limited to sites using this plugin. The CVSS 3.1 score of 6.4 reflects a medium severity with network attack vector, low attack complexity, and privileges required at the contributor level. No public exploits are known yet, but the vulnerability poses a significant risk to WordPress sites that rely on this plugin for image downloading functionality. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS. The lack of patch links indicates that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps by site administrators.

For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, potentially compromising the confidentiality and integrity of user data. Attackers could hijack user sessions, steal authentication tokens, or perform unauthorized actions with the privileges of affected users. This is particularly concerning for organizations that allow contributor-level access to multiple users, increasing the attack surface. The impact is primarily on web application security and user trust, potentially leading to reputational damage and regulatory compliance issues under GDPR if personal data is compromised. Availability is not directly affected, but secondary impacts such as defacement or malicious redirects could disrupt normal operations. Organizations running public-facing WordPress sites with this plugin are at risk, especially those in sectors like e-commerce, media, and government where web presence is critical. The medium severity rating suggests that while exploitation is feasible, it requires authenticated access, somewhat limiting the threat scope but not eliminating it.

Organizations should immediately audit their WordPress installations to identify the presence of the WP-Force Images Download plugin and verify the version in use. Until an official patch is released, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling or uninstalling the plugin to eliminate the attack vector. Implementing Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'wpfid' shortcode can provide interim protection. Site owners should also review and sanitize all user-generated content associated with this shortcode to remove any injected scripts. Monitoring logs for unusual activity or unauthorized content changes is recommended. Once a patch becomes available, prompt updating of the plugin is critical. Additionally, educating contributors about safe content practices and limiting the use of shortcodes that accept user input can reduce risk. Employing Content Security Policy (CSP) headers to restrict script execution sources can mitigate the impact of any successful injection.