CVE-2025-11875: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dr-thomas-fuessl SpendeOnline.org
The SpendeOnline.org plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spendeonline' shortcode in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-11875 is a stored Cross-Site Scripting (XSS) vulnerability in the SpendeOnline.org plugin for WordPress, maintained by dr-thomas-fuessl. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically through the plugin's 'spendeonline' shortcode. All versions up to and including 3.0.1 are affected. The root cause is insufficient sanitization and escaping of user-supplied shortcode attributes, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript into pages. The injected code is stored persistently and executes in the browser of any user who views the affected page, potentially exposing session tokens and cookies or enabling follow-on attacks such as privilege escalation or defacement. The CVSS v3.1 base score is 6.4 (medium): network attack vector, low attack complexity, privileges required, no user interaction. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the vulnerable component. No patches or known exploits are currently reported, but the vulnerability's presence in a widely used WordPress plugin makes it a notable risk. The plugin is commonly used by organizations managing online donations, increasing the attractiveness of this vulnerability to attackers targeting nonprofit or fundraising websites.
Potential Impact
For European organizations, particularly nonprofits and charities using WordPress with the SpendeOnline.org plugin, this vulnerability can lead to significant risks. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, unauthorized actions, data theft, or defacement. This undermines user trust and can damage organizational reputation. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts pose a direct risk. The persistent nature of stored XSS means that the malicious payload remains active until removed, increasing exposure time. Given the widespread use of WordPress across Europe and the importance of donation platforms, exploitation could disrupt fundraising activities and lead to regulatory scrutiny under GDPR if personal data is compromised.
Mitigation Recommendations
Immediate mitigation steps include restricting contributor-level access to trusted users only and monitoring for suspicious activity within the WordPress admin panel. Organizations should implement strict input validation and output escaping on all user-generated content, especially shortcode attributes. Deploying a Web Application Firewall (WAF) with rules to detect and block XSS payloads can provide a protective layer. Regularly auditing installed plugins and promptly applying updates when patches become available is critical. In the absence of an official patch, temporarily disabling or removing the SpendeOnline.org plugin eliminates the attack vector. Additionally, organizations should educate contributors on secure content submission practices and monitor logs for signs of exploitation attempts. Employing Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting the sources from which scripts may execute.
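The following is an added illustration of the input-validation, output-escaping and CSP recommendations above, written for a WordPress shortcode handler. It is not the SpendeOnline.org plugin's own code: the shortcode name 'spendeonline' is taken from the advisory, but the attribute names (title, amount, url) and the markup are hypothetical. The insecure function shows the class of defect CWE-79 describes (attribute values interpolated into HTML unchanged); the hardened function validates each attribute on input and escapes it for the exact HTML context it lands in.

```php
<?php
/**
 * Added example, not the SpendeOnline.org plugin's code.
 * Shortcode name from the advisory; attribute names (title, amount, url)
 * and the generated markup are assumptions for illustration.
 */

// Insecure pattern: attributes are concatenated straight into HTML with no
// validation and no escaping, so a quote or angle bracket in an attribute
// value changes the structure of the page.
function spendeonline_shortcode_insecure( $atts ) {
    $a = shortcode_atts( array( 'title' => '', 'amount' => '', 'url' => '' ), $atts );
    return '<div class="spende" title="' . $a['title'] . '">'
         . '<a href="' . $a['url'] . '">' . $a['title'] . ' ' . $a['amount'] . '</a></div>';
}

// Hardened pattern: validate on input, escape on output, per context.
function spendeonline_shortcode_secure( $atts ) {
    $a = shortcode_atts(
        array( 'title' => '', 'amount' => '0', 'url' => '' ),
        $atts,
        'spendeonline'
    );

    // Input validation: strip tags and control characters from free text,
    // coerce the amount to a non-negative integer, allow only http(s) URLs.
    $title  = sanitize_text_field( $a['title'] );
    $amount = absint( $a['amount'] );
    $url    = esc_url_raw( $a['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        $url = home_url( '/' );   // fall back to a site-controlled URL
    }

    // Output escaping, matched to the context each value is written into.
    return sprintf(
        '<div class="spende" title="%1$s"><a href="%2$s">%3$s %4$d</a></div>',
        esc_attr( $title ),   // HTML attribute context
        esc_url( $url ),      // href context
        esc_html( $title ),   // HTML text context
        $amount               // integer already constrained by absint()
    );
}

add_shortcode( 'spendeonline', 'spendeonline_shortcode_secure' );

// Defence in depth from the same recommendation: a CSP header that limits
// script sources, so an inline script injected through content does not run.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

Two points worth noting for defenders. First, the reason shortcode attributes need their own escaping is that WordPress's kses filtering for users without the unfiltered_html capability operates on HTML tags in post content; a shortcode is not an HTML tag, so characters inside its attribute values reach the handler unchanged and become dangerous only when the handler writes them into markup unescaped. Second, the CSP shown is deliberately strict and will break themes and admin pages that rely on inline scripts; roll it out in Content-Security-Policy-Report-Only mode first and relax it (for example with nonces) as the site's legitimate script sources are identified.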
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-16T16:33:04.083Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc745855d697d32d439075
Added to database: 10/25/2025, 6:55:20 AM
Last enriched: 11/1/2025, 8:03:08 AM
Last updated: 12/8/2025, 4:33:09 PM
Views: 184
Related Threats
- CVE-2025-65796: n/a (severity unknown)
- CVE-2025-14251: SQL Injection in code-projects Online Ordering System (severity medium)
- CVE-2025-65797: n/a (severity unknown)
- CVE-2025-65795: n/a (severity unknown)
- CVE-2025-65798: n/a (severity unknown)