CVE-2025-11987 is a stored cross-site scripting (XSS) vulnerability identified in the Visual Link Preview plugin for WordPress, maintained by brechtvds. The vulnerability exists in versions up to and including 2.2.7 due to insufficient sanitization and escaping of user-supplied attributes within the plugin's visual-link-preview shortcode. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions within the context of the victim’s session. The vulnerability is classified under CWE-80, indicating improper neutralization of script-related HTML tags. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector from the network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. Although no active exploits have been reported, the vulnerability poses a significant risk due to the common use of WordPress and the plugin in question. The lack of official patches at the time of disclosure necessitates immediate mitigation efforts by administrators. The vulnerability's exploitation could compromise confidentiality and integrity of user data but does not impact availability. The attack requires authenticated access, which limits exposure to some extent but still presents a serious threat in environments where contributor roles are assigned to untrusted users.

The primary impact of CVE-2025-11987 is the compromise of confidentiality and integrity of user sessions and data on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of cookies or credentials, unauthorized actions performed on behalf of users, and defacement of website content. This can erode user trust, damage brand reputation, and lead to regulatory compliance issues if sensitive data is exposed. Since the vulnerability requires authenticated access, the risk is heightened in environments with weak user access controls or where contributor roles are assigned to untrusted individuals. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the plugin itself, potentially impacting other parts of the WordPress site. Although availability is not directly affected, the indirect consequences of exploitation, such as site defacement or data leakage, can disrupt business operations and require costly incident response efforts. Organizations relying on the Visual Link Preview plugin should consider the threat significant enough to warrant immediate attention, especially those with high traffic or sensitive user data.

1. Immediately restrict contributor-level privileges to trusted users only, minimizing the risk of malicious script injection. 2. Disable or remove the Visual Link Preview plugin if it is not essential to site functionality until a security patch is released. 3. Implement strict input validation and output escaping on all user-supplied data within WordPress, especially for shortcodes and plugin inputs. 4. Employ a Web Application Firewall (WAF) with rules designed to detect and block common XSS payloads targeting the plugin’s shortcode parameters. 5. Monitor site logs and user activity for unusual behavior indicative of attempted or successful exploitation, such as unexpected script injections or changes to page content. 6. Educate site administrators and content contributors about the risks of XSS and the importance of secure content practices. 7. Once available, promptly apply official patches or updates released by the plugin vendor to remediate the vulnerability. 8. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and user privilege configurations to detect similar issues proactively.