CVE-2025-11809 identifies a stored cross-site scripting (XSS) vulnerability in the WP-Force Images Download plugin for WordPress, maintained by nazakatali32. This vulnerability exists in all versions up to and including 1.8 due to insufficient sanitization and escaping of user input specifically in the 'class' attribute of the 'wpfid' shortcode. Authenticated attackers with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. Because the malicious script is stored persistently, it executes in the context of any user who views the infected page, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or defacement. The vulnerability is exploitable remotely over the network without user interaction, with a low attack complexity, but requires authenticated access with contributor or higher privileges. The CVSS 3.1 base score is 6.4, reflecting medium severity with partial impact on confidentiality and integrity but no impact on availability. No public exploits or patches have been reported at the time of publication, but the vulnerability is publicly disclosed and should be addressed promptly. The issue is categorized under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

The primary impact of this vulnerability is the potential compromise of user accounts and site integrity on WordPress installations using the vulnerable WP-Force Images Download plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, including administrators, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or further malware deployment. This can result in reputational damage, data breaches, and loss of user trust. Since WordPress powers a significant portion of the web, sites using this plugin are at risk, especially those with multiple contributors. The vulnerability does not affect availability directly but can lead to indirect denial of service through site defacement or administrative lockout. Organizations relying on this plugin for image downloads or content management face increased risk of targeted attacks, especially if contributor accounts are compromised or poorly managed.

To mitigate this vulnerability, organizations should immediately update the WP-Force Images Download plugin to a patched version once available. Until a patch is released, administrators should restrict contributor-level permissions to trusted users only and audit existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the 'wpfid' shortcode can reduce risk. Additionally, site administrators should enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scanning the site for injected scripts or unusual content in posts/pages can help identify exploitation attempts. Disabling or removing the plugin temporarily is a viable option if the risk is unacceptable and no patch is available. Educating contributors about safe content practices and monitoring logs for unusual shortcode usage can further reduce exposure.