CVE-2025-11810 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Print Button Shortcode plugin for WordPress, maintained by chrishurst. The vulnerability affects all versions up to and including 1.0.1. It stems from improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of the 'target' attribute within the 'print-button' shortcode. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages or posts. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is classified under CWE-79, indicating a classic XSS issue. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (October 22, 2025).

The primary impact of CVE-2025-11810 is the potential for attackers with contributor-level access to inject malicious scripts that execute in the context of other users visiting the affected WordPress site. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Confidentiality and integrity of user data and site content are at risk, although availability is not directly impacted. Since contributors can publish content, the attack surface includes any page or post where the shortcode is used. This can undermine trust in the website, lead to user account compromise, and facilitate further attacks such as phishing or lateral movement within the site. Organizations relying on this plugin, especially those with multiple contributors or public-facing content, face increased risk of reputational damage and potential data breaches.

To mitigate CVE-2025-11810, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of a patch, administrators should restrict contributor-level permissions to trusted users only and consider temporarily disabling or removing the Print Button Shortcode plugin. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the 'target' attribute in the shortcode can provide interim protection. Additionally, site owners should audit existing content for injected scripts and sanitize or remove any suspicious entries. Employing Content Security Policy (CSP) headers can help reduce the impact of injected scripts by restricting script execution sources. Regular security scanning and monitoring for anomalous behavior related to the plugin usage are also recommended. Finally, educating contributors about safe content practices and the risks of injecting untrusted input can reduce exploitation likelihood.