CVE-2025-11875 is a stored Cross-Site Scripting vulnerability identified in the SpendeOnline.org plugin for WordPress, developed by dr-thomas-fuessl. The vulnerability exists in all versions up to and including 3.0.1 and stems from improper neutralization of user input during web page generation, specifically within the 'spendeonline' shortcode. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via unsanitized shortcode attributes. Because the plugin fails to properly sanitize and escape user-supplied input, the malicious scripts are stored persistently and executed in the context of any user who views the infected page. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, or defacement of web content. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change due to the potential for privilege escalation or data leakage. Although no public exploits are currently known, the vulnerability poses a significant risk to websites using this plugin, especially those handling donations or sensitive user data. The plugin is commonly used in WordPress installations for nonprofit organizations, making it a target for attackers aiming to compromise trust or steal information.

For European organizations, particularly nonprofits and charitable institutions relying on the SpendeOnline.org plugin for donation management, this vulnerability can lead to serious consequences. Exploitation could result in unauthorized script execution, enabling attackers to hijack user sessions, steal sensitive donor information, or manipulate donation data. This undermines user trust and could lead to reputational damage, legal liabilities under GDPR for data breaches, and financial losses. Since the vulnerability requires contributor-level access, insider threats or compromised low-privilege accounts could be leveraged to launch attacks. The persistent nature of stored XSS means that once injected, malicious scripts can affect all visitors to the site, amplifying the impact. Additionally, the scope change in the CVSS vector suggests that the vulnerability could be leveraged to escalate privileges or access additional resources, increasing the potential damage. The lack of known exploits in the wild provides a window for proactive mitigation, but the widespread use of WordPress and this plugin in Europe increases the risk of targeted attacks.

1. Monitor for and apply updates from the plugin developer promptly once a security patch is released to address CVE-2025-11875. 2. Until a patch is available, restrict contributor-level access and above to trusted users only, minimizing the risk of malicious shortcode injection. 3. Implement strict input validation and output encoding at the application level if possible, or use custom filters to sanitize shortcode attributes. 4. Deploy a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the 'spendeonline' shortcode parameters. 5. Conduct regular security audits and code reviews of custom plugins and shortcodes to identify similar input sanitization issues. 6. Educate site administrators and contributors about the risks of XSS and the importance of cautious content input. 7. Enable Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of injected scripts. 8. Monitor logs and user activity for suspicious behavior indicative of exploitation attempts. 9. Consider isolating donation-related functionalities to reduce the attack surface. 10. Backup website data regularly to enable recovery in case of compromise.