CVE-2025-11737 affects VK All in One Expansion Unit. It is a stored cross-site scripting vulnerability that a Contributor-level user can trigger through a post-level meta field named SNS Title. The vulnerability is dangerous because the value lands in the page head as Open Graph metadata, so it executes in a high-trust context on every page view where the affected post is rendered. This is not a narrow admin-only issue: once the malicious value is stored, it reaches front-end visitors as well as administrators reviewing content, and it becomes a persistent trap that fires repeatedly. With an install base of over 100,000 sites, this is relevant to many multi-author WordPress sites where Contributors exist by design.
| Field | Value |
|---|---|
| CVE | CVE-2025-11737 |
| Plugin Version | VK All in One Expansion Unit <= 9.112.3 |
| All Time | 8 201 364 |
| Active installations | 100 000+ |
| Publicly Published | February 17, 2026 |
| Last Updated | February 17, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11737 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/vk-all-in-one-expansion-unit/vk-all-in-one-expansion-unit-91123-authenticated-contributor-stored-cross-site-scripting-via-sns-title |
Timeline
| Date | Event |
|---|---|
| October 7, 2025 | Plugin testing and vulnerability detection in the VK All in One Expansion Unit have been completed |
| October 7, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| February 17, 2026 | Registered CVE-2025-11737 |
Discovery of the Vulnerability
The vulnerable flow begins when the plugin saves the SNS Title meta value without sanitization in the metabox handler. The value is persisted as vkExUnit_sns_title and later retrieved by a helper that returns the string as is. The final sink occurs when the plugin builds an Open Graph tag in the head and concatenates the raw SNS Title into an attribute value such as content="..." without using esc_attr or an equivalent attribute-encoding function. In an attribute context, a single quote or double quote is enough to break out of the attribute and inject additional markup. That is why the bug is a stored XSS: the plugin does not only fail to sanitize on input, it also fails to escape on output in the correct context, which makes exploitation stable and predictable.
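The following is an added illustration of the save-and-output flow described above, not the plugin's own code. It reconstructs the unsafe pattern (raw meta value concatenated into the content attribute) beside a hardened version that uses WordPress core APIs. The function names prefixed with example_, the form field name sns_title and the nonce name are assumptions for the example; only the meta key vkExUnit_sns_title and the core functions (update_post_meta, get_post_meta, sanitize_text_field, esc_attr, wp_verify_nonce, current_user_can) come from the page or from WordPress itself.

```php
<?php
// Added example, not the plugin's code. Names prefixed example_ are assumed.

// --- Unsafe pattern described in the advisory --------------------------------
// The metabox handler stores the field verbatim ...
function example_save_sns_title_unsafe( $post_id ) {
    if ( isset( $_POST['sns_title'] ) ) {
        update_post_meta( $post_id, 'vkExUnit_sns_title', $_POST['sns_title'] );
    }
}

// ... and the head renderer concatenates it into an attribute unescaped.
// A stored value containing a double quote closes content="..." early and
// whatever follows is parsed as new attributes or markup.
function example_og_title_unsafe( $post_id ) {
    $title = get_post_meta( $post_id, 'vkExUnit_sns_title', true );
    return '<meta property="og:title" content="' . $title . '" />' . "\n";
}

// --- Hardened version --------------------------------------------------------
function example_save_sns_title_safe( $post_id ) {
    if ( ! isset( $_POST['sns_title'] ) ) {
        return;
    }
    // Assumed nonce field/action names; metabox saves should verify a nonce
    // and the caller's capability before touching post meta.
    if ( ! isset( $_POST['example_sns_nonce'] )
        || ! wp_verify_nonce( $_POST['example_sns_nonce'], 'example_save_sns' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Input sanitization (strips tags and control characters) is defense in
    // depth; it does not remove quotes, so output escaping is still required.
    $clean = sanitize_text_field( wp_unslash( $_POST['sns_title'] ) );
    update_post_meta( $post_id, 'vkExUnit_sns_title', $clean );
}

function example_og_title_safe( $post_id ) {
    $title = get_post_meta( $post_id, 'vkExUnit_sns_title', true );
    if ( '' === $title ) {
        return '';
    }
    // esc_attr() encodes " ' < > & for the attribute context, so a stored
    // value like  123" onmouseover=...  is emitted as 123&quot; onmouseover=...
    // and stays inside the content attribute regardless of how it was stored.
    return '<meta property="og:title" content="' . esc_attr( $title ) . '" />' . "\n";
}

// Hook the hardened renderer into the document head for single posts.
add_action( 'wp_head', function () {
    if ( is_singular() ) {
        echo example_og_title_safe( get_queried_object_id() );
    }
} );
```

The point of keeping both functions side by side is that the only difference at the sink is the esc_attr() call: sanitizing on save narrows what gets stored, but every value that reaches an HTML attribute must be escaped at output for that context, because meta values can also be written by other code paths (imports, REST, WP-CLI) that never pass through the metabox handler.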
Understanding XSS attacks
Stored XSS in WordPress often comes from meta fields because developers treat them like internal settings, but in multi author setups they are still attacker controlled inputs. Open Graph metadata is a particularly sensitive sink because it is rendered on every page load, often before any other content, and it is widely used by themes and plugins that integrate with social sharing. Real world impact goes beyond showing an alert box. JavaScript running in the site origin can steal session data, perform background requests, and manipulate what users see. Even if the payload is only triggered on mouseover in a crafted tag, it can be adapted into more reliable execution paths using event handlers that fire automatically, or by injecting additional tags that execute more consistently. Another real world consequence is social sharing poisoning. Since the tag affects og:title, it may also influence how links are previewed on social platforms. An attacker can use that to spread malicious looking previews or misleading titles, which creates reputational damage even if script execution is limited by browser behavior. The essential lesson is that any string placed into an HTML attribute must be escaped with the correct function, and relying on trust assumptions about who can edit meta fields is a mistake.
Exploiting the XSS Vulnerability
To exploit CVE-2025-11737, an attacker with Contributor-level (or higher) session cookies proceeds as follows:
POC:
Create a new Post and change the "SNS Title" field to `123" onmouseover=alert(1)//____`
The main risk is persistent script execution that can target administrators and front end users. On a typical WordPress site, administrators review posts, preview them, and click through front end pages while logged in. If the stored payload executes for an admin, it can steal nonces from pages, call privileged endpoints, and create a full takeover chain. On multi author sites, a malicious Contributor account can plant the payload in a low visibility post and wait for higher privilege staff to view it, which is a classic stored XSS escalation pattern. Because the injection sits in metadata, it can also pollute caches and appear across multiple layers like CDN cached HTML, making cleanup harder. Another realistic scenario is supply chain style abuse where the attacker uses the XSS to inject malicious scripts that load external resources, resulting in a broader compromise of visitors. Even if the initial payload is small, the persistence and high trust context make it a serious issue.
Recommendations for Improved Security
The fix must include proper input handling and output encoding. The plugin should sanitize the SNS Title value on save using a strict text sanitizer that removes quotes and markup, or at minimum strips tags and enforces a safe character set. More importantly, when outputting the value into an HTML attribute, it must be escaped with esc_attr or an equivalent attribute-escaping function. Escaping on output is the reliable defense because it addresses any stored data regardless of how it was created. The plugin should also consider using WordPress functions that generate meta tags safely rather than concatenating strings. Site owners should update to a fixed version once available and should audit existing content for stored SNS Title values that contain quotes or angle brackets, because stored payloads remain dangerous until removed. As an operational response, purge caches after cleanup and review who has Contributor access, because limiting untrusted authors reduces the likelihood of stored XSS payload planting in the first place.
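The content audit recommended above can be scripted against the postmeta table. The following is an added example, not part of the advisory or the plugin; it is meant to run inside WordPress (for instance via `wp eval-file audit.php`) and assumes only the meta key vkExUnit_sns_title named on this page. It reports, without modifying, every SNS Title value that contains a quote or angle bracket, together with the post author, so that the cleanup and the review of Contributor accounts can be done deliberately.

```php
<?php
// Added example, not part of the advisory or the plugin. Run inside
// WordPress (e.g. wp eval-file audit.php). Function name is assumed.

// Returns an array of findings: post_id, post_author and the raw meta value
// for every vkExUnit_sns_title row containing an attribute-breaking character.
function example_audit_sns_titles() {
    global $wpdb;

    // Characters that can close a quoted attribute or open a tag.
    $suspicious = array( '"', "'", '<', '>' );

    // Build  meta_value LIKE %s OR ...  with every LIKE wildcard escaped,
    // then let $wpdb->prepare() quote the arguments.
    $conditions = array();
    $args       = array( 'vkExUnit_sns_title' );
    foreach ( $suspicious as $ch ) {
        $conditions[] = 'meta_value LIKE %s';
        $args[]       = '%' . $wpdb->esc_like( $ch ) . '%';
    }

    $sql  = "SELECT post_id, meta_value FROM {$wpdb->postmeta}"
          . ' WHERE meta_key = %s AND (' . implode( ' OR ', $conditions ) . ')';
    $rows = $wpdb->get_results( $wpdb->prepare( $sql, $args ) );

    $findings = array();
    foreach ( $rows as $row ) {
        $findings[] = array(
            'post_id' => (int) $row->post_id,
            'author'  => (int) get_post_field( 'post_author', $row->post_id ),
            'value'   => $row->meta_value,
        );
    }
    return $findings;
}

// Report only. The value is escaped so the report itself cannot re-inject
// the payload if it is viewed in a browser.
$findings = example_audit_sns_titles();
printf( "%d suspicious SNS Title value(s)\n", count( $findings ) );
foreach ( $findings as $f ) {
    printf( "post %d (author %d): %s\n", $f['post_id'], $f['author'], esc_attr( $f['value'] ) );
}
```

A non-empty report is the trigger for the operational steps in the paragraph above: remove or rewrite the offending values, purge page and CDN caches so no cached head still carries the old tag, and look at whether the authoring accounts should keep Contributor access. Because the query runs against stored data rather than rendered pages, it also catches payloads in drafts and unpublished posts that a crawl of the front end would miss.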
By taking proactive measures to address XSS like CVE-2025-11737 WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.