{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11737", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T13:19:06.530Z", "datePublished": "2026-02-18T05:29:16.434Z", "dateUpdated": "2026-04-08T16:40:48.223Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:48.223Z"}, "affected": [{"vendor": "kurudrive", "product": "VK All in One Expansion Unit", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "9.112.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_sns_title' parameter in all versions up to, and including, 9.112.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "VK All in One Expansion Unit <= 9.112.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via SNS Title", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e7efb39-fada-4167-825c-21cc31948a63?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402996%40vk-all-in-one-expansion-unit&new=3402996%40vk-all-in-one-expansion-unit&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-02-17T16:43:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:25:22.402266Z", "id": "CVE-2025-11737", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:53:23.276Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11737", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:25:22.402266Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:25:23.501Z"}}], "cna": {"title": "VK All in One Expansion Unit <= 9.112.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via SNS Title", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "kurudrive", "product": "VK All in One Expansion Unit", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "9.112.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-17T16:43:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e7efb39-fada-4167-825c-21cc31948a63?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402996%40vk-all-in-one-expansion-unit&new=3402996%40vk-all-in-one-expansion-unit&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_sns_title' parameter in all versions up to, and including, 9.112.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:48.223Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11737", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:40:48.223Z", "dateReserved": "2025-10-14T13:19:06.530Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T05:29:16.434Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_sns_title' parameter in all versions up to, and including, 9.112.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin VK All in One Expansion Unit para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'vkExUnit_sns_title' en todas las versiones hasta la 9.112.3, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de nivel Colaborador y superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-11737", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T06:16:31.820", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402996%40vk-all-in-one-expansion-unit&new=3402996%40vk-all-in-one-expansion-unit&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e7efb39-fada-4167-825c-21cc31948a63?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.112.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "VK All in One Expansion Unit", "source": "cna", "vendor": "kurudrive"}, "product": "vk_all_in_one_expansion_unit", "vendor": "kurudrive"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T21:02:32.148526+00:00", "value": {"mitigation_remediation": ["Update the VK All in One Expansion Unit plugin to the most recent release, which removes the XSS flaw.", "If an update is not yet available, temporarily disable or delete the plugin to eliminate the risk.", "Revoke Contributor or higher privileges from users who do not need to edit SNS titles, or use a role editor to remove the capability to modify that field."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting allowing arbitrary script injection"}, "threat_synthesis": {"affected_systems": "All installations of the VK All in One Expansion Unit WordPress plugin distributed by kurudrive, version 9.112.3 or earlier, on any WordPress site where the plugin is active.", "description_and_impact": "The VK All in One Expansion Unit plugin for WordPress is vulnerable to stored cross\u2011site scripting via the \u2018vkExUnit_sns_title\u2019 parameter in all versions up to and including 9.112.3 due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor\u2011level access and higher can inject arbitrary scripts into this field, which are then stored and executed in the browser of any visitor to the affected page. This flaw permits the attacker to run client\u2011side code on the site.", "risk_and_exploitability": "With a CVSS score of 6.4 the vulnerability is of moderate severity. Its EPSS score is reported as less than 1 percent, indicating a very low probability of exploitation in the wild, and it is not currently listed in the CISA KEV catalog. The attack path requires the attacker to be authenticated with Contributor\u2011level or higher privileges and to have permission to edit SNS titles within the plugin. After privilege gain, the attacker can inject malicious scripts that will run whenever a user accesses the affected page."}}}}, "created": "2026-02-18T10:32:48.915078+00:00", "updated": "2026-04-27T21:15:05.534951+00:00", "vendors": ["kurudrive", "kurudrive$PRODUCT$vk_all_in_one_expansion_unit", "wordpress", "wordpress$PRODUCT$wordpress"]}