Stored Cross-Site Scripting in Simple Business Data Plugin for WordPress
CVE-2025-11870

6.4 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 22 October 2025

What is CVE-2025-11870?

The Simple Business Data plugin for WordPress is vulnerable to stored Cross-Site Scripting (XSS) via the attributes of the 'simple_business_data' shortcode. The root cause is missing input sanitization combined with missing output escaping: the shortcode's type attribute is written into the class attribute of the rendered HTML without being escaped for that context. An authenticated attacker with contributor-level access or higher can therefore store arbitrary web script in a page, and that script executes in the browser of every user who views the affected page.
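To make the bug class concrete, the following is an added illustration (not the Simple Business Data plugin's own code; the handler names, the allowed values and the markup are assumptions) of a shortcode handler that writes an attribute straight into an HTML class attribute, next to a hardened version that validates the value against an allow-list and escapes it for attribute context with the WordPress escaping API:

```php
<?php
// Hypothetical shortcode handlers illustrating the vulnerability class described
// above. This is NOT the Simple Business Data plugin's code; function names, the
// allowed 'type' values and the generated markup are assumptions for the example.

// --- Vulnerable pattern: shortcode attribute lands in an HTML attribute unescaped ---
function sbd_example_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'type' => 'default' ), $atts, 'simple_business_data' );
    // $atts['type'] is controlled by anyone who can place the shortcode in a post
    // (contributors can). Concatenating it directly into the class attribute means
    // the value can break out of the attribute and the element.
    return '<div class="business-data ' . $atts['type'] . '">Business data</div>';
}

// --- Hardened pattern: validate, sanitize, and escape for the output context ---
function sbd_example_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'type' => 'default' ), $atts, 'simple_business_data' );

    // 1. Input validation: the attribute only selects a rendering mode, so reject
    //    anything outside the known set rather than trying to clean it.
    $allowed = array( 'default', 'compact', 'detailed' ); // assumed modes
    $type    = in_array( $atts['type'], $allowed, true ) ? $atts['type'] : 'default';

    // 2. Output escaping for HTML attribute context. sanitize_html_class() strips
    //    anything that is not valid in a CSS class name; esc_attr() then encodes
    //    the characters that could terminate the attribute or the tag.
    $class = esc_attr( sanitize_html_class( $type, 'default' ) );

    // 3. Any text content is escaped separately with esc_html(), since attribute
    //    and text contexts have different escaping rules.
    return '<div class="business-data ' . $class . '">' . esc_html( 'Business data' ) . '</div>';
}

// Register only the hardened handler.
add_shortcode( 'simple_business_data', 'sbd_example_shortcode_safe' );
```

The allow-list is the primary control here: when an attribute only chooses between a few fixed rendering modes, there is no reason to accept free-form text at all. The escaping calls remain as defence in depth, because shortcodes are rendered on every page view and a single missed escape turns a low-privilege post author into a stored XSS source for every visitor.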

Affected Version(s)

Simple Business Data, all versions up to and including 1.0.1

CVSS v3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 22 October 2025

  • Vulnerability reserved

Credit

Gilang Asra Bilhadi