CVE-2025-11878 is a stored Cross-Site Scripting vulnerability identified in the ST Categories Widget plugin for WordPress, specifically affecting versions 1.0.0 and earlier. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes within the plugin's st-categories shortcode. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. Because the malicious script is stored persistently, it executes every time a user accesses the compromised page, potentially leading to session hijacking, credential theft, or unauthorized actions performed in the context of the victim's browser. The CVSS 3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and a scope change due to impact on other users. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites that allow contributor-level users to add or edit content. The vulnerability affects all versions up to and including 1.0.0 of the plugin. The lack of patches at the time of reporting means that mitigation relies on access control and manual input validation until an official fix is released.

For European organizations, this vulnerability can lead to unauthorized script execution on their WordPress sites, compromising the confidentiality and integrity of user data. Attackers could steal session cookies, perform actions on behalf of users, or deliver further malware payloads. This is particularly concerning for organizations relying on WordPress for public-facing websites, intranets, or customer portals where contributor-level roles are assigned to multiple users. The impact extends to reputational damage, potential GDPR compliance violations due to data breaches, and operational disruptions if malicious scripts deface websites or redirect users. Since the vulnerability requires contributor-level authentication, insider threats or compromised accounts increase risk. The absence of known exploits reduces immediate threat but does not eliminate the risk of future attacks, especially as the vulnerability is publicly disclosed. Organizations with high web content management activity and multiple contributors are more vulnerable to exploitation.

European organizations should immediately audit their WordPress installations to identify the presence of the ST Categories Widget plugin and verify its version. Until an official patch is released, restrict contributor-level permissions to trusted users only and consider temporarily disabling the plugin if feasible. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs that may contain script tags or event handlers. Conduct manual code reviews or use security plugins that enforce strict input validation and output encoding on shortcode attributes. Educate content contributors about the risks of injecting untrusted content and monitor logs for unusual activity indicative of exploitation attempts. Once a patch is available, prioritize timely updates. Additionally, consider deploying Content Security Policy (CSP) headers to limit the impact of any injected scripts. Regular backups and incident response plans should be updated to handle potential XSS incidents.