CVE-2025-11821 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Woocommerce – Products By Custom Tax plugin for WordPress, maintained by elvismdev. This vulnerability affects all plugin versions up to and including 2.2. The root cause is improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes passed to the 'woo_products_custom_tax' shortcode. An attacker with authenticated contributor-level access or higher can craft malicious input that is stored persistently within the plugin's data. When other users access pages containing the injected shortcode, the malicious JavaScript executes in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions. The vulnerability requires no user interaction beyond visiting the compromised page and can be exploited remotely over the network. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, and privileges required but no user interaction. The scope is changed as the vulnerability affects the confidentiality and integrity of users beyond the initial attacker. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (November 11, 2025).

The impact of CVE-2025-11821 is significant for organizations using the affected Woocommerce plugin, particularly e-commerce sites relying on WordPress. Successful exploitation allows an authenticated contributor or higher to inject persistent malicious scripts, which execute in the context of other users' browsers. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, defacement, or distribution of malware. The vulnerability compromises confidentiality and integrity but does not directly affect availability. Since contributor-level access is required, attackers must first gain some level of authenticated access, which may be easier in environments with weak access controls or compromised accounts. The scope of affected systems is broad given the widespread use of WordPress and WooCommerce globally. Exploitation could damage brand reputation, lead to data breaches, and cause financial losses due to fraud or remediation costs.

To mitigate CVE-2025-11821, organizations should immediately restrict contributor-level access to trusted users only and audit existing user roles for unnecessary privileges. Until an official patch is released, administrators can disable or remove the 'woo_products_custom_tax' shortcode usage in content to prevent script injection. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious shortcode attribute patterns can reduce risk. Additionally, applying Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting script execution sources. Regularly monitoring logs for unusual shortcode usage or script injection attempts is advised. Once available, promptly apply vendor patches or updates addressing the vulnerability. Educating content contributors about safe input practices and sanitization can also help prevent exploitation.