CVE-2025-11825 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Playerzbr plugin for WordPress, developed by pedrolaxe. This vulnerability exists in all versions up to and including 1.6 due to insufficient sanitization and escaping of the 'urlmeta' post meta field. The flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into WordPress posts or pages. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and scope change. The vulnerability affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WordPress and the ease of exploitation by authenticated users. The absence of patches necessitates immediate mitigation through alternative controls such as input validation and output encoding.

The primary impact of this vulnerability is the compromise of confidentiality and integrity within affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users, potentially stealing session cookies, performing actions on behalf of users, or defacing content. This can lead to unauthorized access, data leakage, and erosion of user trust. Since the vulnerability requires authentication but no user interaction, it can be exploited by insiders or compromised accounts. Organizations relying on Playerzbr for content management risk reputational damage and potential regulatory consequences if sensitive data is exposed. The scope change indicates that the vulnerability affects resources beyond the initially compromised component, increasing the attack surface. Although availability is not impacted, the indirect effects of exploitation can disrupt normal operations and necessitate incident response efforts.

1. Apply patches or updates from the plugin vendor as soon as they become available to address the vulnerability directly. 2. In the absence of official patches, implement strict input validation on the 'urlmeta' post meta field to reject or sanitize any potentially malicious input before storage. 3. Employ robust output encoding/escaping techniques when rendering the 'urlmeta' data on web pages to prevent script execution. 4. Restrict contributor-level permissions to trusted users only and monitor for unusual activity or unauthorized content changes. 5. Use Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable field. 6. Conduct regular security audits and code reviews of WordPress plugins to identify and remediate similar issues proactively. 7. Educate content contributors about the risks of injecting untrusted content and enforce security best practices. 8. Consider disabling or replacing the Playerzbr plugin if immediate patching is not feasible and risk is unacceptable.