CVE-2025-11867 identifies a stored cross-site scripting vulnerability in the Bg Book Publisher plugin for WordPress, present in all versions up to and including 1.25. The vulnerability stems from the plugin's failure to properly escape the 'book_author' post meta field before rendering it through the [book_author] shortcode on web pages. This improper neutralization of input (CWE-79) allows an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript code into the post meta. When any user accesses a page containing the injected script, the malicious code executes in their browser context, potentially leading to session hijacking, privilege escalation, or data theft. The attack vector requires no user interaction beyond visiting the compromised page, but does require authentication with contributor or higher privileges, which are commonly granted to content creators. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with network attack vector, low attack complexity, privileges required, no user interaction, and scope change due to impact on other users. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the importance of proper output encoding and input validation in WordPress plugins, especially those that render user-supplied content dynamically.

The primary impact of this vulnerability is the compromise of confidentiality and integrity for users visiting infected pages. Malicious scripts injected via the stored XSS can steal session cookies, enabling attackers to impersonate users, including administrators if they view the affected content. This can lead to unauthorized access, data leakage, and potential site defacement or further malware distribution. Since the vulnerability requires contributor-level access, attackers who gain such privileges—through phishing, credential reuse, or other means—can leverage this flaw to escalate their control over the site. The availability of the site is not directly affected. Organizations using the Bg Book Publisher plugin on WordPress sites, especially those with multiple contributors or public-facing content, face risks of reputational damage, loss of user trust, and compliance violations if sensitive data is exposed. The medium severity score reflects the moderate ease of exploitation combined with significant potential impact on user data and site integrity.

To mitigate this vulnerability, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and audit existing contributors for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'book_author' meta field can provide interim protection. Site owners should also sanitize and validate all user inputs and outputs related to post meta fields, applying proper escaping functions such as esc_html() or esc_attr() in WordPress before rendering. Regular security scanning and monitoring for unusual script injections or unauthorized content changes are recommended. Additionally, educating contributors about secure content practices and enforcing strong authentication mechanisms (e.g., MFA) can reduce the risk of privilege abuse. Finally, consider disabling or replacing the vulnerable plugin if a timely fix is not available.