CVE-2025-11987 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Visual Link Preview plugin for WordPress, maintained by brechtvds. The vulnerability exists in all versions up to and including 2.2.7 and stems from improper neutralization of script-related HTML tags (CWE-80) within the plugin's visual-link-preview shortcode. Specifically, the plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions within the context of the victim's browser session. The vulnerability requires authentication but no user interaction, and the scope is limited to sites using this plugin and allowing contributor or higher roles to submit content. The CVSS v3.1 base score is 6.4, reflecting a medium severity due to network attack vector, low attack complexity, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites that rely on this plugin for enhanced link previews.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted websites, potentially resulting in session hijacking, defacement, phishing, or unauthorized actions performed on behalf of legitimate users. Organizations with collaborative content creation workflows that grant contributor or higher roles to multiple users are particularly vulnerable. The compromise of user sessions or administrative accounts could lead to data leakage or further compromise of internal systems. Given WordPress's widespread use across Europe for corporate, governmental, and media websites, exploitation could damage reputation, disrupt services, and expose sensitive information. The vulnerability does not directly affect availability but can undermine trust and confidentiality. Attackers could leverage this vulnerability to pivot into more severe attacks if combined with other weaknesses.

Immediate mitigation involves restricting contributor-level access to trusted users only and auditing existing content for injected scripts. Organizations should monitor and limit the use of the Visual Link Preview plugin until a patched version is released. Applying web application firewall (WAF) rules to detect and block suspicious shortcode attribute inputs can reduce risk. Administrators should implement strict Content Security Policy (CSP) headers to limit script execution sources. Once a patch is available, promptly update the plugin to the fixed version. Additionally, perform regular security reviews of all WordPress plugins, enforce the principle of least privilege for user roles, and educate content contributors about secure input practices. Employing security plugins that sanitize user inputs and outputs can provide an additional layer of defense.