Stored Cross-Site Scripting Vulnerability in VK All in One Expansion Unit Plugin
CVE-2025-11265

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Vk All In One Expansion Unit
Vendor: CVE Published:; 18 November 2025

What is CVE-2025-11265?

The VK All in One Expansion Unit plugin for WordPress has a Stored Cross-Site Scripting vulnerability that affects all versions up to and including 9.112.1. This flaw arises from a logic error in the CTA save function, which incorrectly references sanitization callbacks, failing to apply necessary sanitation to the user input. As a result, authenticated users with Contributor access and higher can inject arbitrary web scripts into web pages. When these pages are accessed by other users, the injected scripts are executed, potentially compromising user data and security.

Affected Version(s)

VK All in One Expansion Unit * <= 9.112.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/vk-all-in-one-...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 18, 2025
Vulnerability Reserved
Oct 3, 2025

Credit

Farhan Dio Arrafiq

JSON