The Magazine Companion plugin for WordPress, specifically the 'Post Blocks & Tools' component, suffers from a stored cross-site scripting vulnerability identified as CVE-2025-11828. The issue is due to improper neutralization of input in the 'headerHtmlTag' attribute within the bnm-blocks/featured-posts-1 block. Authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code that is stored and later executed in the context of any user viewing the compromised page. This vulnerability stems from insufficient input sanitization and output escaping when user-supplied values are used as HTML tag names. The CVSS v3.1 base score is 6.4, reflecting a network attack vector with low attack complexity, requiring privileges, no user interaction, and impacts confidentiality and integrity with no availability impact. There is no vendor advisory or patch link provided, and no known exploits have been reported.

Successful exploitation allows an authenticated contributor or higher to inject persistent malicious scripts into pages rendered by the plugin. This can lead to unauthorized actions performed in the context of other users viewing the page, potentially compromising user data confidentiality and integrity. Availability is not affected. The vulnerability does not appear to be exploited in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently available, users should consider restricting contributor-level access until a patch is released. Monitoring for updates from the plugin vendor or WordPress security advisories is recommended. Avoid using or disable the affected 'headerHtmlTag' attribute or the featured-posts-1 block if possible until a fix is provided.