CVE-2025-11826 is a stored cross-site scripting (XSS) vulnerability identified in the WP Company Info plugin for WordPress, specifically affecting all versions up to and including 1.9.0. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The issue lies in the insufficient sanitization and escaping of the 'class' attribute within the 'social-networks' shortcode, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. Because the injected scripts are stored persistently in the WordPress database and rendered on pages viewed by other users, this can lead to script execution in the context of any user accessing the affected pages. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. The confidentiality and integrity impacts are low but notable, as attackers may steal session tokens, perform actions on behalf of other users, or manipulate page content. No public exploits have been reported yet, but the vulnerability poses a risk especially in environments with multiple contributors or editors. The vulnerability was reserved on October 15, 2025, and published on November 21, 2025, with no official patches available at the time of reporting. The vulnerability affects all versions of the plugin, which is used by organizations relying on WordPress for company information display and social network integration.

The primary impact of CVE-2025-11826 is the potential for stored cross-site scripting attacks, which can compromise the confidentiality and integrity of user sessions and data. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of any users viewing the infected pages, potentially leading to session hijacking, unauthorized actions, or defacement. While availability is not directly affected, the trustworthiness of the affected website can be undermined, leading to reputational damage. Organizations with multiple contributors or editors are at higher risk, as the attack requires authenticated access. The vulnerability can be leveraged to escalate privileges or pivot to other attacks within the WordPress environment. Given WordPress's widespread use globally, especially among small to medium businesses and enterprises using the WP Company Info plugin, the threat can affect a broad range of organizations. The absence of known exploits currently limits immediate widespread impact, but the medium severity score indicates a significant risk if exploited.

Organizations should immediately audit user roles and restrict contributor-level access to trusted individuals only, minimizing the risk of malicious script injection. Administrators should review all instances of the 'social-networks' shortcode usage, particularly the 'class' attribute, to detect and remove any suspicious or unexpected input. Until an official patch is released, consider implementing web application firewall (WAF) rules to detect and block malicious payloads targeting the vulnerable shortcode attribute. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts. Regularly update the WP Company Info plugin as soon as a security update becomes available from the vendor. Additionally, monitor logs for unusual activity or changes in pages containing the shortcode. Educate contributors about safe input practices and the risks of injecting untrusted content. Finally, consider isolating or disabling the vulnerable shortcode if it is not essential to site functionality.