CVE-2025-11987 is a stored cross-site scripting (XSS) vulnerability classified under CWE-80, affecting the Visual Link Preview plugin for WordPress developed by brechtvds. The vulnerability exists in versions up to and including 2.2.7 due to improper neutralization of script-related HTML tags in user-supplied attributes within the plugin's visual-link-preview shortcode. Authenticated attackers with at least contributor-level privileges can inject arbitrary JavaScript code into pages or posts by exploiting insufficient input sanitization and output escaping mechanisms. Once injected, the malicious scripts execute in the context of any user who views the compromised page, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (November 5, 2025). The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content to be rendered dynamically.

For European organizations, this vulnerability could lead to unauthorized script execution within their WordPress sites, potentially compromising user accounts, leaking sensitive information, or enabling further attacks such as phishing or malware distribution. Organizations relying on the Visual Link Preview plugin for content management or marketing may face reputational damage if attackers deface websites or inject malicious content targeting visitors. The medium severity score indicates a moderate risk, but the requirement for contributor-level access somewhat limits the attack surface to insiders or compromised accounts. However, many organizations allow contributors or similar roles to publish content, increasing exposure. The cross-site scripting vulnerability could also be leveraged to bypass security controls or escalate privileges within the web application. Given the widespread use of WordPress across Europe, especially among SMEs and public sector entities, the impact could be significant if exploited at scale.

European organizations should immediately audit their WordPress installations to identify the presence of the Visual Link Preview plugin and verify the version in use. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack vector. Restrict contributor-level access strictly to trusted users and review user permissions to minimize the risk of malicious content injection. Implement web application firewalls (WAFs) with rules designed to detect and block common XSS payloads targeting the shortcode parameters. Employ Content Security Policy (CSP) headers to reduce the impact of injected scripts by restricting script execution sources. Regularly monitor website content for unauthorized changes or suspicious scripts. Finally, maintain an update schedule to apply security patches promptly once available from the vendor.