CVE-2025-11737
Stored XSS in VK All in One Expansion Unit Plugin Allows Script Injection
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vk_all_in_one_expansion_unit | vk_all_in_one_expansion_unit | to 9.112.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "The vulnerability in the VK All in One Expansion Unit WordPress plugin is a Stored Cross-Site Scripting (XSS) issue. It occurs via the 'vkExUnit_sns_title' parameter in all versions up to and including 9.112.3. This happens because the plugin does not properly sanitize input or escape output, allowing authenticated users with Contributor-level access or higher to inject malicious scripts. These scripts then execute whenever any user accesses the affected page."}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 9.112.4.0 by sanitizing the Open Graph Protocol (OGP) title output using proper escaping functions to neutralize any injected scripts.'}] [2]
How can this vulnerability impact me? :
This vulnerability allows an attacker with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts can execute in the browsers of users who visit the injected pages, potentially leading to theft of user credentials, session hijacking, defacement, or distribution of malware.
Because the attack is stored, the malicious script persists on the site and affects all users who view the compromised content, increasing the scope and impact of the attack.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'vkExUnit_sns_title' parameter in the VK All in One Expansion Unit WordPress plugin versions up to 9.112.3. Detection involves identifying if your WordPress installation uses this plugin version and if the vulnerable parameter is being exploited."}, {'type': 'paragraph', 'content': "To detect exploitation attempts, you can monitor HTTP requests to your WordPress site for suspicious or malicious scripts injected into the 'vkExUnit_sns_title' parameter. Network monitoring tools or web application firewalls (WAF) can help capture such requests."}, {'type': 'paragraph', 'content': "On the server, you can search for injected scripts in the database or page content where the 'vkExUnit_sns_title' parameter is stored or rendered."}, {'type': 'list_item', 'content': 'Use grep or similar commands to search for suspicious script tags or payloads in your WordPress database exports or files.'}, {'type': 'list_item', 'content': "Example command to search for suspicious script injections in WordPress uploads or plugin directories: `grep -r --include=*.php '<script' /path/to/wordpress/wp-content/plugins/vk-all-in-one-expansion-unit/`"}, {'type': 'list_item', 'content': 'Use WP-CLI to export and inspect options or post meta that might contain injected scripts, e.g., `wp post meta list <post_id> --format=json | grep script`.'}, {'type': 'paragraph', 'content': 'Note that no specific detection commands are provided in the available resources.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "The primary mitigation step is to update the VK All in One Expansion Unit plugin to version 9.112.4.0 or later, which includes fixes for the Stored Cross-Site Scripting vulnerability by properly sanitizing the 'vkExUnit_sns_title' parameter."}, {'type': 'paragraph', 'content': 'Ensure that your WordPress installation meets the plugin requirements of PHP 7.4 and WordPress 6.5 or higher to maintain compatibility with the fixed plugin version.'}, {'type': 'paragraph', 'content': 'If immediate updating is not possible, consider restricting Contributor-level and higher user permissions temporarily to reduce the risk of exploitation, since the vulnerability requires authenticated users with at least Contributor access.'}, {'type': 'paragraph', 'content': 'Additionally, implement or enhance Web Application Firewall (WAF) rules to detect and block attempts to inject scripts via the vulnerable parameter.'}] [2]