CVE-2025-11875 – This vulnerability allows authenticated WordPre... (How to Fix)

Q: What is the severity of CVE-2025-11875?

CVE-2025-11875 has a CVSS score of 6.4 (MEDIUM). This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into website pages via the SpendeOnline.org plugin's shortcode. When other users visit pages containing these injected scripts, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using SpendeOnline.org plugin versions up to 3.0.1 are affected.

📋 TL;DR

This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into website pages via the SpendeOnline.org plugin's shortcode. When other users visit pages containing these injected scripts, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using SpendeOnline.org plugin versions up to 3.0.1 are affected.

💻 Affected Systems

Products:

SpendeOnline.org WordPress Plugin

Versions: All versions up to and including 3.0.1

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin enabled. Contributor-level or higher user access is needed for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, hijack user sessions, redirect visitors to malicious sites, or deface the website, potentially leading to complete site compromise and data theft.

🟠

Likely Case

Attackers with contributor access inject malicious JavaScript to steal cookies or session tokens from visitors, potentially gaining administrative access to the WordPress site.

🟢

If Mitigated

With proper user access controls and content review processes, the risk is limited to authorized users who might accidentally trigger malicious content.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires authenticated access (contributor role or higher) and knowledge of WordPress shortcode usage. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 3.0.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3380175%40spendeonline&new=3380175%40spendeonline&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find SpendeOnline.org plugin. 4. Click 'Update Now' if update is available. 5. If no update appears, manually download latest version from WordPress plugin repository and replace existing files.

🔧 Temporary Workarounds

Remove Contributor Shortcode Access

WordPress

Modify user roles to prevent contributors from using the spendeonline shortcode

Install and configure a role management plugin like 'User Role Editor' to restrict shortcode usage for contributor roles

🧯 If You Can't Patch

Disable the SpendeOnline.org plugin completely until patched
Implement strict content review for all posts/pages created by contributors and authors

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins, find SpendeOnline.org and verify version is 3.0.1 or earlier

Check Version:

WordPress admin: Plugins > Installed Plugins, or check wp-content/plugins/spendeonline/spendeonline.php file version header

Verify Fix Applied:

After updating, verify plugin version is higher than 3.0.1 in WordPress plugins list

📡 Detection & Monitoring

Log Indicators:

Unusual shortcode usage in post/page edits by contributors
Multiple failed login attempts followed by successful contributor login

Network Indicators:

External JavaScript loading from unexpected domains in page responses
Suspicious outbound connections from user browsers after visiting specific pages

SIEM Query:

source="wordpress" AND (event="post_edit" AND user_role="contributor" AND content CONTAINS "[spendeonline") OR (event="plugin_update" AND plugin="spendeonline")

📊 Metadata

CVE ID: CVE-2025-11875

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.04% exploit probability (12.8th percentile)

Published: October 25, 2025

Last Updated: October 27, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11875, you might also want to check these: