CVE-2025-11860 identifies a stored cross-site scripting vulnerability in the caselock Twitter Feed plugin for WordPress, specifically in versions up to and including 1.3.1. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where the plugin fails to properly sanitize the 'width' and 'height' parameters passed through the 'ottwitter_feed' shortcode. This flaw allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored and executed whenever any user accesses the affected page, this can lead to persistent XSS attacks. The vulnerability does not require user interaction to trigger once the malicious content is stored. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required at the contributor level, no user interaction, and a scope change with low confidentiality and integrity impact but no availability impact. No patches or exploits are currently known, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple contributors. The attack could be used to steal session cookies, deface content, or perform other malicious actions within the context of the victim's browser session.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject malicious scripts that execute in the browsers of users visiting the compromised pages. This can lead to theft of sensitive information such as session cookies, user impersonation, unauthorized actions on behalf of users, and defacement of website content. Although the confidentiality and integrity impacts are rated low, the scope is changed because the vulnerability affects other users beyond the attacker. The availability of the site is not impacted. Organizations with multiple contributors on WordPress sites using the caselock Twitter Feed plugin are at risk, especially if contributor accounts are not tightly controlled. This vulnerability could be leveraged in targeted attacks against organizations relying on this plugin, potentially leading to reputational damage and loss of user trust. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is public.

To mitigate this vulnerability, organizations should first update the caselock Twitter Feed plugin to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level permissions to trusted users only, minimizing the risk of malicious shortcode injection. Implement input validation and output encoding for the 'width' and 'height' parameters at the application or web server level to prevent script injection. Employ Web Application Firewalls (WAFs) with rules targeting suspicious shortcode parameters or script tags. Regularly audit and monitor pages containing the 'ottwitter_feed' shortcode for unauthorized script injections. Educate contributors about secure content practices and the risks of injecting untrusted code. Additionally, consider disabling or replacing the vulnerable plugin with a more secure alternative if patching is delayed. Continuous monitoring for unusual user activity and logs can help detect exploitation attempts early.