CVE-2025-11875
BaseFortify
Publication date: 2025-10-25
Last updated on: 2025-10-27
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | spendeonline | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the SpendeOnline.org WordPress plugin up to version 3.0.1. It occurs because the plugin does not properly sanitize or escape user-supplied attributes in its 'spendeonline' shortcode. Authenticated users with contributor-level access or higher can inject malicious JavaScript code into pages. When other users visit these pages, the injected scripts execute in their browsers, potentially compromising their security.
How can this vulnerability impact me?
The vulnerability allows attackers with contributor-level access or higher to inject arbitrary scripts into pages via the shortcode attribute. This can lead to unauthorized actions such as stealing user credentials, performing actions on behalf of users, or defacing the website. It compromises the integrity and security of the website and its users by executing malicious code in their browsers without their consent.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the SpendeOnline.org WordPress plugin versions up to 3.0.1 and inspecting pages that use the 'spendeonline' shortcode for injected scripts. Since the vulnerability involves stored cross-site scripting via the 'name' attribute in the shortcode, you can search your WordPress database or page content for suspicious script tags or unusual JavaScript code within shortcode attributes. Specific commands might include using WP-CLI to list installed plugins and their versions, e.g., `wp plugin list | grep spendeonline`, and searching the database for the shortcode usage with potential script injections, e.g., `wp db query "SELECT post_content FROM wp_posts WHERE post_content LIKE '%[spendeonline%name=%<script>%'"`. Additionally, manual inspection of pages rendered with the shortcode for unexpected script execution can help detect exploitation.
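As an added example (not code from BaseFortify, Wordfence or the plugin), a Python stand-in for the database search above: it parses the attributes of every `[spendeonline ...]` shortcode in exported `post_content` rows and flags values that carry markup, which the literal `LIKE '%<script>%'` pattern misses when the injected text is entity-encoded or differently cased. The sample rows are constructed, the function names are hypothetical, and the version check uses the advisory's own boundary (affected up to 3.0.1, fixed in 3.0.2).

```python
import re

# Matches [spendeonline ...] shortcodes and captures the raw attribute text.
SHORTCODE_RE = re.compile(r"\[spendeonline\b([^\]]*)\]", re.IGNORECASE)
# Parses key="value", key='value' or key=value pairs inside that attribute text.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Markup a plain donation-form name should never contain (raw or entity-encoded).
MARKUP_RE = re.compile(r"<|>|&lt;|&gt;|&#|javascript:", re.IGNORECASE)

# Constructed sample rows in the shape of (ID, post_content) from wp_posts.
SAMPLE_POSTS = [
    (101, 'Donate here: [spendeonline name="Winter Appeal"]'),
    (102, 'Thanks! [spendeonline name="Appeal<script>bad()</script>"]'),
    (103, "[SpendeOnline name='x &lt;script&gt;'] then [spendeonline name=Plain]"),
]


def parse_attrs(attr_text):
    """Return {attribute: value} for one shortcode's attribute string."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        # Exactly one of the three value groups matched; take that one.
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def find_suspicious_shortcodes(posts):
    """Return (post_id, attribute, value) for each shortcode attribute carrying markup."""
    findings = []
    for post_id, content in posts:
        for m in SHORTCODE_RE.finditer(content):
            for key, value in parse_attrs(m.group(1)).items():
                if MARKUP_RE.search(value):
                    findings.append((post_id, key, value))
    return findings


def is_affected_version(version):
    """True for plugin versions up to 3.0.1; the advisory names 3.0.2 as the fixed release."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))  # pad "2.9" to (2, 9, 0)
    return parts < (3, 0, 2)


if __name__ == "__main__":
    for post_id, key, value in find_suspicious_shortcodes(SAMPLE_POSTS):
        print(f"post {post_id}: attribute {key!r} contains markup: {value!r}")
```

Feed it the rows from `wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[spendeonline%'"` to review every use of the shortcode rather than only those matching one literal payload.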
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the SpendeOnline.org WordPress plugin to version 3.0.2 or later, which includes a fix that sanitizes the 'name' attribute in the shortcode using WordPress's esc_attr() function to prevent cross-site scripting. Until the update is applied, restrict contributor-level access and above to trusted users only, as the vulnerability requires authenticated access. Additionally, consider implementing web application firewall (WAF) rules to block malicious shortcode attribute inputs and monitor for suspicious activity related to the plugin. [2]