CVE-2025-11878 is a stored cross-site scripting (XSS) vulnerability identified in the ST Categories Widget plugin for WordPress, affecting all versions up to and including 1.0.0. The root cause is insufficient sanitization and escaping of user-supplied attributes in the plugin's st-categories shortcode, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of the victim. The vulnerability leverages CWE-79, a common web security weakness related to improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. Although no active exploits have been reported, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The lack of a current patch increases the urgency for mitigation through access control and manual input validation.

The primary impact of CVE-2025-11878 is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, enabling theft of session cookies, redirection to malicious sites, or unauthorized actions performed with victim privileges. This can lead to account takeover, data leakage, defacement, or further exploitation of the site and its users. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who visit the infected pages. Although availability is not directly impacted, the reputational damage and potential data breaches can have severe consequences for organizations. The scope is limited to sites running the vulnerable plugin, but given WordPress's widespread use, the overall risk is significant. Organizations with multiple contributors and public-facing content are particularly vulnerable, increasing the likelihood of exploitation in collaborative environments.

To mitigate CVE-2025-11878, organizations should first monitor for updates from the beautifultemplates vendor and apply patches promptly once available. Until a patch is released, restrict contributor-level permissions to trusted users only and consider temporarily disabling the ST Categories Widget plugin if feasible. Implement strict input validation and output encoding on all user-supplied data, especially shortcode attributes, to prevent script injection. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting this vulnerability. Conduct regular security audits and code reviews of plugins and themes to identify similar weaknesses. Educate contributors about secure content submission practices and monitor site content for suspicious scripts or changes. Finally, maintain comprehensive backups and incident response plans to quickly recover from potential exploitation.