{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11502", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-08T14:28:01.206Z", "datePublished": "2025-11-01T05:40:24.552Z", "dateUpdated": "2026-04-08T17:26:21.053Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:21.053Z"}, "affected": [{"vendor": "magazine3", "product": "Schema & Structured Data for WP & AMP", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.51", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'saswp_tiny_multiple_faq' shortcode in all versions up to, and including, 1.51 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Schema & Structured Data for WP & AMP <= 1.51 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d664d1f9-39b1-424f-a95e-7a480d809c79?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.50/modules/tinymce/register-shortcodes.php#L120"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387089/schema-and-structured-data-for-wp/trunk/modules/tinymce/register-shortcodes.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-10-31T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-03T13:10:36.550311Z", "id": "CVE-2025-11502", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T13:30:58.163Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11502", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-03T13:10:36.550311Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T13:10:37.257Z"}}], "cna": {"title": "Schema & Structured Data for WP & AMP <= 1.51 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "magazine3", "product": "Schema & Structured Data for WP & AMP", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.51"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-31T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d664d1f9-39b1-424f-a95e-7a480d809c79?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.50/modules/tinymce/register-shortcodes.php#L120"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387089/schema-and-structured-data-for-wp/trunk/modules/tinymce/register-shortcodes.php"}], "descriptions": [{"lang": "en", "value": "The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'saswp_tiny_multiple_faq' shortcode in all versions up to, and including, 1.51 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:21.053Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11502", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:26:21.053Z", "dateReserved": "2025-10-08T14:28:01.206Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-01T05:40:24.552Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'saswp_tiny_multiple_faq' shortcode in all versions up to, and including, 1.51 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11502", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-01T06:15:38.423", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.50/modules/tinymce/register-shortcodes.php#L120"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3387089/schema-and-structured-data-for-wp/trunk/modules/tinymce/register-shortcodes.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d664d1f9-39b1-424f-a95e-7a480d809c79?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:57:53.383150+00:00", "value": {"mitigation_remediation": ["Upgrade the Schema & Structured Data for WP & AMP plugin to the latest version that removes the insecure shortcode handling.", "If an upgrade is not immediately possible, disable or delete the plugin\u2019s shortcode functionality until a patch is available.", "Restrict contributor user roles to limit their ability to insert shortcodes, or apply additional output escaping layers in the theme to mitigate script injection."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of the Schema & Structured Data for WP & AMP plugin by magazine3 up to and including version 1.51. Any WordPress site that has this plugin installed and allows contributor\u2011level users to insert or modify content is impacted.", "description_and_impact": "The Schema & Structured Data for WP & AMP plugin contains a stored XSS flaw in the 'saswp_tiny_multiple_faq' shortcode that occurs when user\u2011supplied attributes are not properly sanitized or escaped. An attacker who can add or edit the shortcode can embed arbitrary JavaScript that will execute in the browsers of all users who view the affected page, potentially leading to credential theft, session hijacking, and other malicious actions. This weakness is catalogued as CWE\u201179, a classic input validation flaw that can compromise confidentiality and integrity of site content.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. The EPSS score of less than 1% signals that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw requires authenticated contributor\u2011level access, an attacker who gains such privileges could easily abuse the plugin. The attack vector is inferred to be web\u2011based, relying on the attacker\u2019s ability to inject content through the plugin\u2019s shortcode interface."}}}}, "created": "2025-11-03T10:43:44.433047+00:00", "updated": "2026-04-21T02:00:12.322903+00:00", "vendors": ["magazine3", "magazine3$PRODUCT$schema_&_structured_data_for_wp_&_amp", "wordpress", "wordpress$PRODUCT$wordpress"]}