CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Description (NVD)
The WP-Force Images Download plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpfid' shortcode in all versions up to, and including, 1.8. This is due to insufficient input sanitization and output escaping on the 'class' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis (AI)
Stored Cross-Site Scripting in the WP-Force Images Download WordPress plugin, versions up to and including 1.8, allows authenticated users with contributor-level access and above to inject arbitrary JavaScript through the 'class' attribute of the 'wpfid' shortcode, because the attribute value is neither sanitized on input nor escaped on output. The injected script runs in the browser of any user who renders the affected page, including editors and administrators who preview or review a contributor's pending post, and can be used for session or account compromise, malware distribution, or defacement. The CVSS 3.1 base score is 6.4 (medium). No public exploit code and no confirmed active exploitation had been identified at the time of analysis.
Technical Context (AI)
The vulnerability is improper handling of the 'class' attribute of the 'wpfid' WordPress shortcode (CWE-79: Improper Neutralization of Input During Web Page Generation). Shortcodes are expanded server-side at render time, and their output is not passed through the kses filter that WordPress applies to a contributor's post content on save; a shortcode handler is therefore solely responsible for validating and escaping the attributes it receives. Here the plugin renders the user-supplied 'class' value into an HTML attribute without calling an escaping function such as esc_attr(), so a value containing a double quote terminates the attribute and whatever follows is parsed as new attributes (for example an event handler) or, with an angle bracket, as new markup. The affected code path is in the wp_fid.php file (line 155 reference), where the shortcode processes the 'class' parameter without sufficient validation or escaping. This is a common WordPress plugin pattern: attributes are read via shortcode_atts() but the values are never sanitized (sanitize_html_class(), sanitize_text_field()) or escaped for the context in which they are emitted (esc_attr() for attributes, esc_html() for text nodes; wp_kses_post() is a filter for HTML fragments, not a fix for a single attribute).
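The pattern described above, as an added example that is not the plugin's own code: the handler names, the wrapper markup and the payload are hypothetical (the real handler in wp_fid.php may look different), but the vulnerable shape and the hardened shape are the standard WordPress ones. The first function interpolates the 'class' attribute raw; the second restricts it to class-name characters and then escapes it for the attribute context.

```php
<?php
// Added example, not WP-Force Images Download's code. Function names, the output
// markup and the sample payload are hypothetical; they illustrate the CWE-79
// pattern the advisory describes, not the plugin's actual line 155.

// Vulnerable shape: the attacker-controlled 'class' value is concatenated into
// an HTML attribute with no validation and no escaping for that context.
function wpfid_example_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'class' => '' ), $atts, 'wpfid' );
    return '<div class="' . $atts['class'] . '"></div>';
}
// A contributor's post containing the (constructed) shortcode
//   [wpfid class='" onmouseover="alert(document.domain)']
// is saved unchanged, because kses only filters HTML tags and this is not one.
// At render time the handler above emits
//   <div class="" onmouseover="alert(document.domain)"></div>
// The double quote closes class="" and the rest becomes an event-handler attribute.

// Hardened shape: allow-list the value, then escape for the attribute context.
function wpfid_example_fixed( $atts ) {
    $atts = shortcode_atts( array( 'class' => '' ), $atts, 'wpfid' );

    // Split a space-separated class list; sanitize_html_class() keeps only
    // [A-Za-z0-9_-] in each token, and array_filter() drops tokens that
    // became empty (e.g. the whole payload above sanitizes to nothing useful).
    $tokens  = preg_split( '/\s+/', $atts['class'] );
    $classes = array_filter( array_map( 'sanitize_html_class', $tokens ) );

    // esc_attr() encodes ", ', <, > and &, so even a value that slipped past the
    // allow-list could not terminate the attribute or open a tag.
    return '<div class="' . esc_attr( implode( ' ', $classes ) ) . '"></div>';
}

// Registration shown for completeness; in the real plugin the tag is already
// registered, and this line would need to replace that registration.
add_shortcode( 'wpfid', 'wpfid_example_fixed' );
```

Both steps matter: sanitize_html_class() is the correct allow-list for this specific attribute, while esc_attr() is the context-correct escape that should be applied to every attribute the shortcode emits, whether or not the value was sanitized first.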
Affected Products (AI)
WP-Force Images Download plugin for WordPress, all versions up to and including 1.8 (CPE reference: wordpress_plugin/wp-force-images-download). The plugin is distributed through the official WordPress.org plugin repository; its source history is browsable at plugins.trac.wordpress.org. Any WordPress site with version 1.8 or earlier active is affected, since the 'wpfid' shortcode is registered whenever the plugin is active. Exploitation requires an account with contributor-level access or higher that can author a post or page containing the shortcode; contributors cannot publish, but a pending post is rendered, shortcode included, by whoever previews or reviews it.
Remediation (AI)
Update WP-Force Images Download to version 1.9 or later, which fixes the input sanitization and output escaping of the 'class' attribute handler. Site administrators should upgrade via the WordPress admin dashboard (Plugins > Installed Plugins > WP-Force Images Download > Update Now) or obtain the patched version from the WordPress plugin repository at https://plugins.trac.wordpress.org/browser/wp-force-images-download. Sites that cannot patch immediately should deactivate the plugin, or unregister the 'wpfid' shortcode (remove_shortcode('wpfid') from a must-use plugin) so that existing tags render as inert text, and should limit contributor-level and higher accounts to vetted users. After patching, audit every post and page, including drafts and pending posts, that contains a wpfid shortcode, since a payload stored before the update remains in the database and the fix only neutralizes it at render time.
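An interim mitigation plus an audit helper for the pre-patch and post-patch review steps above, as an added example that is not part of this page or of the plugin. The file name, function names, the 'init' hook priority and the flagging rule are assumptions; the WordPress API calls (remove_shortcode, get_posts, get_shortcode_regex, shortcode_parse_atts) are the real ones.

```php
<?php
/**
 * Plugin Name: wpfid interim mitigation (added example, not the vendor's code)
 * Description: Drop into wp-content/mu-plugins/ until the plugin is at 1.9+.
 */

// Unregister the shortcode after the plugin has registered it. Assumption: the
// plugin registers on load or on 'init' at default priority (10); priority 100
// runs afterwards. Unregistered tags are left in the page as literal text, which
// is harmless outside an HTML tag.
add_action( 'init', function () {
    remove_shortcode( 'wpfid' );
}, 100 );

/**
 * Scan stored content for [wpfid ...] tags whose class attribute contains
 * anything outside normal class-list characters (quotes, angle brackets, etc.).
 *
 * @return array List of [post_id, author_id, post_status, raw_class] per hit.
 */
function wpfid_audit_suspicious_shortcodes() {
    $findings = array();

    // Include drafts and pending posts: contributors cannot publish, and the
    // dangerous render happens when an editor or admin previews their work.
    $ids = get_posts( array(
        'post_type'      => 'any',
        'post_status'    => 'any',
        'posts_per_page' => -1,
        's'              => 'wpfid',   // cheap pre-filter; the regex below is authoritative
        'fields'         => 'ids',
    ) );

    // WordPress's own shortcode grammar, limited to this one tag.
    // Capture group 3 is the raw attribute string.
    $regex = '/' . get_shortcode_regex( array( 'wpfid' ) ) . '/';

    foreach ( $ids as $id ) {
        $post = get_post( $id );
        if ( ! preg_match_all( $regex, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            $atts  = shortcode_parse_atts( $m[3] );
            $class = ( is_array( $atts ) && isset( $atts['class'] ) ) ? $atts['class'] : '';

            // Flagging rule (assumption): a legitimate class list is letters,
            // digits, underscore, hyphen and spaces. Anything else is reviewed.
            if ( '' !== $class && ! preg_match( '/^[A-Za-z0-9_\- ]+$/', $class ) ) {
                $findings[] = array( (int) $id, (int) $post->post_author, $post->post_status, $class );
            }
        }
    }
    return $findings;
}
```

Run wpfid_audit_suspicious_shortcodes() from WP-CLI's `wp eval` or a temporary admin page and review each hit manually; the author ID tells you which contributor account to investigate, and a hit on a published post means the payload was already live for its readers.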