Stored Cross-Site Scripting in Stock Tools Plugin for WordPress
CVE-2025-11765

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
Stock Tools
Vendor
CVE Published:
21 November 2025

What is CVE-2025-11765?

The Stock Tools plugin for WordPress contains a vulnerability that allows stored cross-site scripting (XSS) via the 'image_height' and 'image_width' shortcode attributes. This issue arises from inadequate sanitization of user inputs and insufficient escaping of output. Authenticated attackers with contributor-level permissions or higher can exploit this vulnerability to insert malicious web scripts. These scripts will execute in the context of users accessing affected pages, potentially compromising user data and site integrity.

Affected Version(s)

Stock Tools * <= 1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/stock-tools/ta...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

zakaria
JSON
.