Stored Cross-Site Scripting in Footnotes Made Easy Plugin for WordPress
CVE-2025-11733

7.2HIGH

Key Information:

Vendor: WordPress
Status: Footnotes Made Easy
Vendor: CVE Published:; 4 November 2025

What is CVE-2025-11733?

The Footnotes Made Easy plugin for WordPress suffers from a vulnerability that allows for Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in its settings. This flaw enables unauthenticated attackers to inject malicious scripts, which can execute whenever users visit affected pages, potentially compromising user data and the integrity of the website. Ensuring plugins are updated and securely configured is critical to mitigating such risks.

Affected Version(s)

Footnotes Made Easy * <= 3.0.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/footnotes-made...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 4, 2025
Vulnerability Reserved
Oct 14, 2025

Credit

Athiwat Tiprasaharn

JSON