CVE-2025-11868 identifies a stored cross-site scripting vulnerability in the everviz plugin for WordPress, which provides interactive charts, maps, and tables. The vulnerability exists because the plugin fails to properly sanitize or escape user-supplied input in the 'everviz' shortcode attributes 'type' and 'hash'. These attributes are used to dynamically generate a <div> element with an id attribute, and improper handling allows an authenticated user with contributor-level permissions or higher to inject arbitrary JavaScript code. When other users access the affected page, the injected script executes in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, and impacts on confidentiality and integrity but not availability. No patches or fixes are currently linked, and no active exploitation has been reported. The vulnerability affects all versions up to and including 1.1 of the everviz plugin. The issue highlights the importance of input validation and output encoding in WordPress plugins to prevent persistent XSS attacks.

The primary impact of this vulnerability is the ability for an authenticated contributor or higher to inject persistent malicious scripts into WordPress pages using the everviz plugin. This can compromise the confidentiality of users by stealing session cookies or other sensitive data accessible via the browser context. Integrity may also be affected if attackers manipulate page content or perform actions on behalf of other users. Although availability is not impacted, the injected scripts could be used as a foothold for further attacks, including phishing or spreading malware. Organizations relying on everviz for data visualization on WordPress sites face risks of reputational damage, data leakage, and potential unauthorized access. The requirement for contributor-level access limits the attack surface but does not eliminate risk, especially in environments with multiple content editors or less stringent access controls. Since no known exploits are reported, the threat is currently theoretical but could be weaponized if attackers discover the vulnerability independently.

To mitigate this vulnerability, organizations should first check for and apply any official patches or updates from the everviz plugin developers once available. In the absence of a patch, administrators should restrict contributor-level access to trusted users only and audit existing users for unnecessary privileges. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode attribute payloads can help prevent exploitation. Additionally, site owners can sanitize and validate shortcode inputs manually or via custom code hooks to ensure no malicious scripts are injected. Monitoring logs for unusual shortcode usage or unexpected script injections is recommended. Educating content contributors about safe input practices and the risks of injecting untrusted content can reduce accidental exploitation. Finally, consider temporarily disabling the everviz plugin if the risk outweighs its benefits until a fix is released.