CVE-2025-11875 is a stored Cross-Site Scripting (XSS) vulnerability identified in the SpendeOnline.org plugin for WordPress, maintained by dr-thomas-fuessl. This vulnerability affects all versions up to and including 3.0.1. The root cause is insufficient sanitization and escaping of user input passed through the plugin's 'spendeonline' shortcode attributes. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored, it executes every time a user accesses the compromised page, potentially leading to session hijacking, defacement, or further exploitation within the victim's browser context. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity with network attack vector, low complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with no effect on availability. Although no public exploits have been reported yet, the vulnerability poses a significant risk in environments where contributor-level access is granted to untrusted users. The scope is limited to sites using the vulnerable plugin versions, but the impact can be broad depending on the site's user base and privileges of compromised accounts.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject malicious scripts that execute in the context of any user visiting the affected pages. This can lead to theft of session cookies, user impersonation, unauthorized actions performed on behalf of users, and potential privilege escalation if administrative users are targeted. The compromise of user accounts or site integrity can damage organizational reputation, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by access controls; however, many WordPress sites allow contributors or similar roles for content creation, increasing exposure. The vulnerability does not affect availability directly but can indirectly cause denial of service through site defacement or administrative lockout. Organizations relying on SpendeOnline.org for donation management or fundraising may face operational disruption and loss of donor trust if exploited.

Organizations should immediately upgrade the SpendeOnline.org plugin to a version that addresses this vulnerability once available. In the absence of a patch, administrators should restrict contributor-level access to trusted users only and audit existing user roles to minimize exposure. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injection attempts targeting the 'spendeonline' shortcode parameters can provide interim protection. Additionally, site owners should enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly scanning the website for injected scripts and monitoring logs for suspicious activity is recommended. Developers maintaining custom integrations with the plugin should review and sanitize all user inputs rigorously. Finally, educating users about the risks of XSS and enforcing strong authentication practices can reduce the likelihood of successful exploitation.