CVE-2025-11812 is a stored cross-site scripting vulnerability identified in the Reuse Builder plugin for WordPress, affecting all versions up to and including 1.7. The vulnerability stems from improper neutralization of input during web page generation, specifically within the 'reuse_builder_single_post_title' shortcode. The plugin fails to adequately sanitize and escape user-supplied input in the 'style' attribute, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code. Because the malicious script is stored persistently in the page content, it executes in the context of any user who views the affected page, potentially compromising their session, stealing cookies, or performing unauthorized actions. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change affecting confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or editors. The issue highlights the importance of proper input validation and output encoding in web applications to prevent XSS attacks.

This vulnerability can lead to unauthorized script execution in the browsers of users visiting affected pages, compromising user sessions and potentially allowing attackers to steal sensitive information such as authentication tokens or personal data. It can also enable attackers to perform actions on behalf of users, leading to data integrity issues or unauthorized changes within the website. Since the vulnerability requires contributor-level access, it primarily threatens environments where multiple users have editing privileges, such as collaborative blogs or content management systems. The confidentiality and integrity of user data and site content are at risk, though availability is not directly impacted. Exploitation could facilitate further attacks, including privilege escalation or persistent backdoors, especially if combined with other vulnerabilities. Organizations relying on the Reuse Builder plugin may face reputational damage and compliance risks if user data is compromised.

Organizations should immediately update the Reuse Builder plugin to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and audit existing content for injected scripts. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections targeting the 'style' attribute can provide temporary protection. Additionally, site owners should enforce Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scanning the website for XSS payloads and sanitizing user inputs before storage or rendering is critical. Developers maintaining custom shortcodes or plugins should review and apply secure coding practices, including proper input validation and output encoding, especially for HTML attributes. Monitoring logs for unusual contributor activity and educating users on secure content management practices will further reduce risk.