CVE-2025-11764
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious JavaScript into website pages using the Shortcodes Bootstrap plugin's notification shortcode. When visitors view pages containing the injected code, their browsers execute the attacker's scripts, potentially stealing credentials, session cookies, or performing unauthorized actions. All WordPress sites using Shortcodes Bootstrap plugin versions up to 1.1 are affected.
💻 Affected Systems
- WordPress Shortcodes Bootstrap plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface websites, redirect visitors to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor access inject malicious scripts that steal user session cookies or credentials when visitors view compromised pages.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented, though the plugin still requires security review for other potential issues.
🎯 Exploit Status
Exploitation requires contributor-level WordPress access. The vulnerability is publicly documented with technical details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.1 (check WordPress plugin repository for latest)
Vendor Advisory: https://plugins.trac.wordpress.org/browser/shortcodes-bootstrap/trunk/inc/dws_alert.php#L16
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Shortcodes Bootstrap' plugin. 4. Click 'Update Now' if available. 5. If no update available, deactivate and remove the plugin.
🔧 Temporary Workarounds
Remove vulnerable shortcode usage
allDisable or remove all instances of the [notification] shortcode from posts and pages
UPDATE wp_posts SET post_content = REPLACE(post_content, '[notification', '[disabled_notification') WHERE post_content LIKE '%[notification%';
Restrict user roles
allTemporarily remove contributor-level access from untrusted users
UPDATE wp_usermeta SET meta_value = 'subscriber' WHERE meta_key = 'wp_capabilities' AND meta_value LIKE '%contributor%';
🧯 If You Can't Patch
- Disable the Shortcodes Bootstrap plugin immediately
- Implement a Web Application Firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Shortcodes Bootstrap version 1.1 or earlierCheck Version:
SELECT option_value FROM wp_options WHERE option_name = 'active_plugins' AND option_value LIKE '%shortcodes-bootstrap%';Verify Fix Applied:
Verify plugin version is higher than 1.1 or plugin is completely removed📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin with 'type' parameter containing script tags
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress server
- Unusual JavaScript payloads in HTTP requests
SIEM Query:
source="wordpress.log" AND ("[notification" OR "type=" AND "<script")