CVE-2025-11873 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP BBCode plugin for WordPress, maintained by eflyjason. The vulnerability exists in all versions up to and including 1.8.1 due to insufficient sanitization and escaping of user-supplied input in the 'url' shortcode attribute. Specifically, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages or posts by manipulating the shortcode parameters. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or phishing. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability affects all versions of WP BBCode up to 1.8.1, a plugin used to extend WordPress functionality by allowing BBCode formatting. Given WordPress's widespread adoption, this vulnerability poses a risk to many websites that use this plugin and allow contributor-level users to post content.

The primary impact of CVE-2025-11873 is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages or posts. This can lead to session hijacking, theft of sensitive user data, defacement, or redirection to malicious sites. Since the vulnerability affects the confidentiality and integrity of user data and site content, it can undermine user trust and damage organizational reputation. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initially compromised plugin, potentially impacting the entire WordPress site and its users. Although the attack requires authenticated access, contributor roles are common in many WordPress deployments, increasing the attack surface. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often target popular CMS platforms. Organizations relying on this plugin for content formatting are at risk of targeted attacks, especially those with multiple contributors or public-facing content submission.

To mitigate CVE-2025-11873, organizations should first check for and apply any official patches or updates from the WP BBCode plugin vendor once available. In the absence of patches, administrators should restrict contributor-level permissions to trusted users only and consider temporarily disabling or removing the WP BBCode plugin to eliminate the attack vector. Implementing Web Application Firewalls (WAFs) with rules to detect and block suspicious shortcode input patterns can provide interim protection. Additionally, site administrators should audit existing content for injected scripts and sanitize or remove any suspicious entries. Enforcing Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Regular security training for content contributors to avoid unsafe input practices and monitoring logs for unusual activity related to shortcode usage are recommended. Finally, consider alternative plugins with better security track records or native WordPress features to replace WP BBCode functionality.