CVE-2025-11821: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in elvismdev Woocommerce – Products By Custom Tax
The Woocommerce – Products By Custom Tax plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'woo_products_custom_tax' shortcode in all versions up to, and including, 2.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-11821 is a stored Cross-Site Scripting (XSS) vulnerability in the Woocommerce – Products By Custom Tax plugin for WordPress, developed by elvismdev, affecting all versions up to and including 2.2. The root cause is insufficient sanitization and escaping of user-supplied attributes of the 'woo_products_custom_tax' shortcode, which displays products filtered by custom taxonomies. Authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript into pages via the shortcode attributes. Because the malicious script is stored, it executes every time any user loads the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users.

The vulnerability has a CVSS 3.1 base score of 6.4 (medium severity), with a network attack vector, low attack complexity, and privileges required (an authenticated contributor or above). The scope is changed (S:C), meaning the impact extends beyond the vulnerable plugin itself, potentially to the entire WordPress site. Confidentiality and integrity are impacted, while availability is unaffected. No user interaction is required for exploitation once the malicious script is stored.

No exploits are currently reported in the wild, and no official patches or updates have been published. The vulnerability was reserved on October 15, 2025, and published on November 11, 2025. Given the widespread use of WordPress and Woocommerce in e-commerce, it poses a significant risk to sites using this plugin, especially those that allow contributor-level users to add or edit content. Attackers could leverage it to escalate privileges, conduct phishing, or spread malware within the site environment.
Potential Impact
For European organizations, particularly those operating e-commerce platforms on WordPress using the Woocommerce – Products By Custom Tax plugin, this vulnerability can lead to significant security risks. Exploitation could result in unauthorized script execution affecting site visitors and administrators, leading to session hijacking, credential theft, or defacement. This undermines customer trust and can result in financial losses, regulatory penalties under GDPR due to compromised user data, and reputational damage. Since contributor-level access is required, insider threats or compromised contributor accounts increase risk. The vulnerability's ability to affect site integrity and confidentiality without impacting availability means attackers can stealthily compromise data and user sessions without immediate detection. European organizations with multi-user content management workflows are particularly vulnerable. The lack of an official patch increases exposure time, emphasizing the need for proactive mitigation. Additionally, given the interconnected nature of e-commerce ecosystems, exploitation could facilitate further attacks such as supply chain compromises or distribution of malicious payloads to customers.
Mitigation Recommendations
1. Immediately audit and restrict contributor-level and higher access to trusted personnel only, minimizing the risk of malicious shortcode injection.
2. Implement strict input validation and output escaping for the 'woo_products_custom_tax' shortcode attributes via custom code or security plugins to sanitize user inputs before rendering.
3. Monitor website content and shortcode usage for suspicious or unexpected scripts or HTML tags, using automated scanning tools or manual reviews.
4. Disable or remove the Woocommerce – Products By Custom Tax plugin if it is not essential to business operations until an official patch is released.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block attempts to inject or execute malicious scripts via the shortcode.
6. Educate content contributors about the risks of injecting untrusted code and enforce strict content policies.
7. Keep WordPress core, themes, and other plugins updated to reduce the attack surface and leverage security improvements.
8. Regularly back up website data and configurations to enable rapid recovery in case of compromise.
9. Follow vendor communications closely for patch releases and apply updates promptly once available.
10. Consider deploying Content Security Policy (CSP) headers to restrict script execution sources, mitigating impact of injected scripts.
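As an added example (not the plugin's own code), the following is a hardened handler for a product-listing shortcode that applies recommendation 2: attributes are whitelisted via shortcode_atts, each is constrained to its expected type on input, and every value is escaped on output for the HTML context it lands in. The attribute names taxonomy, terms, title and limit and the function name are assumed for illustration; the plugin's real attribute set is not given on this page.

```php
<?php
// Added example, not the plugin's code. Attribute names are assumed.
add_shortcode( 'woo_products_custom_tax', 'example_products_by_custom_tax' );

function example_products_by_custom_tax( $atts ) {
    // Whitelist attributes with defaults; attributes not listed here are dropped.
    $atts = shortcode_atts(
        array(
            'taxonomy' => 'product_cat',
            'terms'    => '',
            'title'    => '',
            'limit'    => 10,
        ),
        $atts,
        'woo_products_custom_tax'
    );

    // Validate on input: force each attribute into the shape it must have.
    $taxonomy = sanitize_key( $atts['taxonomy'] );      // lowercase [a-z0-9_-] only
    if ( ! taxonomy_exists( $taxonomy ) ) {
        return '';                                       // unknown taxonomy: render nothing
    }
    $terms = array_filter( array_map( 'sanitize_title', explode( ',', $atts['terms'] ) ) );
    $limit = max( 1, min( 100, absint( $atts['limit'] ) ) );  // integer, bounded
    $title = sanitize_text_field( $atts['title'] );           // strips tags and control chars

    $args = array( 'post_type' => 'product', 'posts_per_page' => $limit );
    if ( ! empty( $terms ) ) {
        $args['tax_query'] = array( array(
            'taxonomy' => $taxonomy,
            'field'    => 'slug',
            'terms'    => $terms,
        ) );
    }
    $query = new WP_Query( $args );

    // Escape on output, per context: attribute, text node, URL.
    $html = '<div class="products-by-tax" data-taxonomy="' . esc_attr( $taxonomy ) . '">';
    if ( '' !== $title ) {
        $html .= '<h2>' . esc_html( $title ) . '</h2>';
    }
    while ( $query->have_posts() ) {
        $query->the_post();
        $html .= '<a href="' . esc_url( get_permalink() ) . '">' . esc_html( get_the_title() ) . '</a>';
    }
    wp_reset_postdata();
    return $html . '</div>';
}
```

Sanitizing on input alone is not sufficient: a value that survives sanitize_text_field can still break out of a quoted attribute, so the esc_* calls at render time are what close the XSS path.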
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-15T17:29:32.050Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912b12e14bc3e00ba783cb4
Added to database: 11/11/2025, 3:44:46 AM
Last enriched: 11/18/2025, 4:21:01 AM
Last updated: 11/20/2025, 6:53:53 AM