CVE-2025-11867 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Bg Book Publisher plugin for WordPress, specifically in all versions up to and including 1.25. The flaw stems from the plugin's failure to properly escape the `book_author` post meta value before rendering it through the `[book_author]` shortcode on web pages. This improper neutralization of input (CWE-79) allows an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript code into the post meta. Because the injected script is stored persistently in the WordPress database and rendered on pages viewed by other users, it can execute in the context of any visitor's browser who accesses the compromised page. The vulnerability does not require user interaction beyond visiting the page, and the attacker only needs contributor-level access, which is a relatively low privilege level in WordPress. The CVSS 3.1 base score of 6.4 reflects a medium severity, with the vector indicating network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to affecting other users' confidentiality and integrity. Although no known exploits have been reported in the wild, the vulnerability could be leveraged to steal session cookies, perform actions on behalf of users, or deliver further malware payloads. The plugin is widely used in WordPress environments focused on book publishing, making the vulnerability relevant for websites that rely on this plugin for content management. The lack of available patches at the time of disclosure increases the urgency for mitigations.

For European organizations, this vulnerability presents a significant risk to websites using the Bg Book Publisher plugin, particularly those in the publishing, education, and cultural sectors where book-related content is common. Exploitation could lead to unauthorized access to user accounts, session hijacking, and potential data leakage, undermining user trust and violating data protection regulations such as GDPR. The persistent nature of the XSS means that multiple users could be affected over time, amplifying the impact. Additionally, compromised sites could be used as a vector for further attacks, including phishing or malware distribution. The medium severity score indicates a moderate but tangible threat, especially given the low privilege required to exploit it. European organizations with contributor-level users who manage content are at risk, and the reputational damage from a successful attack could be substantial. The impact on confidentiality and integrity is clear, while availability is not directly affected.

Organizations should immediately audit their WordPress installations to identify the presence of the Bg Book Publisher plugin and its version. Until an official patch is released, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling or removing the plugin if feasible. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections in post meta fields can provide a layer of defense. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly monitoring logs for unusual activity related to the plugin's shortcodes and educating content contributors about safe input practices can reduce exploitation risk. Once a patch becomes available, prompt updating is critical. Backup procedures should be reviewed to ensure quick recovery if compromise occurs. Finally, consider scanning existing content for injected scripts to remediate any pre-existing infections.