CVE-2025-11823 is a stored cross-site scripting (XSS) vulnerability identified in the ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules plugin for WordPress, formerly known as WooLentor. This vulnerability exists due to improper neutralization of script-related HTML tags (CWE-80) in the 'button_exist_text' parameter within the 'wishsuite_button' shortcode. Specifically, the plugin fails to adequately sanitize and escape user-supplied input before rendering it on web pages, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code. When other users access pages containing the malicious shortcode, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability affects all versions up to and including 3.2.4. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network (remote), low attack complexity, requiring privileges (Contributor or above), no user interaction, and scope change due to impact on other users. No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for sites using this plugin, especially those with multiple contributors or editors. The lack of patch links suggests that users should monitor vendor updates closely or apply manual mitigations.

The primary impact of CVE-2025-11823 is the compromise of confidentiality and integrity within affected WordPress sites. Successful exploitation allows an authenticated contributor or higher to inject persistent malicious scripts that execute in the context of other users' browsers. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of other users, and potential defacement or redirection attacks. Since the vulnerability does not affect availability directly, denial-of-service is less likely. However, the scope change means that the attacker’s influence extends beyond their own account, potentially compromising administrators or site visitors. For organizations relying on the ShopLentor plugin, especially e-commerce sites using WooCommerce, this could result in customer data exposure, loss of trust, and regulatory compliance issues. The medium CVSS score reflects the need for timely remediation, particularly in environments with multiple contributors or editors who could exploit this flaw.

To mitigate CVE-2025-11823, organizations should first check for updates from the plugin vendor and apply patches as soon as they become available. In the absence of an official patch, administrators can implement the following practical steps: 1) Restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious input. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the 'button_exist_text' parameter or shortcode usage. 3) Use security plugins that enforce strict input validation and output escaping on WordPress content. 4) Conduct regular code reviews and sanitize any custom shortcode implementations or overrides related to ShopLentor. 5) Educate content contributors about the risks of injecting untrusted content and monitor logs for unusual shortcode usage. 6) Consider disabling or limiting the use of the vulnerable shortcode until a patch is applied. 7) Implement Content Security Policy (CSP) headers to reduce the impact of potential script injection by restricting script sources. These targeted mitigations go beyond generic advice by focusing on the specific vector and plugin context.