{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11857", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-16T13:19:16.646Z", "datePublished": "2025-10-18T05:41:56.057Z", "dateUpdated": "2026-04-08T16:55:39.687Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:39.687Z"}, "affected": [{"vendor": "mxp", "product": "XX2WP Integration Tools", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The XX2WP Integration Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mxp_fb2wp_display_embed' shortcode in all versions up to, and including, 1.9.9. This is due to the plugin not properly sanitizing user input and output of the 'post_id' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "XX2WP Integration Tools <= 1.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cbb28e2-a7a1-4e33-93e5-872d6f2e00ec?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fb2wp-integration-tools/tags/1.9.9/index.php#L302"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379625%40fb2wp-integration-tools&new=3379625%40fb2wp-integration-tools&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-10-16T15:24:43.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-17T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-20T18:59:23.107864Z", "id": "CVE-2025-11857", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-20T18:59:33.908Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-20T18:59:23.107864Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-20T18:59:29.060Z"}}], "cna": {"title": "XX2WP Integration Tools <= 1.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mxp", "product": "XX2WP Integration Tools", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.9.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-16T15:24:43.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-17T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cbb28e2-a7a1-4e33-93e5-872d6f2e00ec?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fb2wp-integration-tools/tags/1.9.9/index.php#L302"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379625%40fb2wp-integration-tools&new=3379625%40fb2wp-integration-tools&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The XX2WP Integration Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mxp_fb2wp_display_embed' shortcode in all versions up to, and including, 1.9.9. This is due to the plugin not properly sanitizing user input and output of the 'post_id' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:39.687Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11857", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:55:39.687Z", "dateReserved": "2025-10-16T13:19:16.646Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-18T05:41:56.057Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The XX2WP Integration Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mxp_fb2wp_display_embed' shortcode in all versions up to, and including, 1.9.9. This is due to the plugin not properly sanitizing user input and output of the 'post_id' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11857", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-18T06:15:38.720", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fb2wp-integration-tools/tags/1.9.9/index.php#L302"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379625%40fb2wp-integration-tools&new=3379625%40fb2wp-integration-tools&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cbb28e2-a7a1-4e33-93e5-872d6f2e00ec?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:06:32.433600+00:00", "value": {"mitigation_remediation": ["Upgrade XX2WP Integration Tools to a version newer than 1.9.9 that implements proper input sanitization for the \u2018post_id\u2019 parameter.", "If an upgrade is infeasible, remove or disable the \u2018mxp_fb2wp_display_embed\u2019 shortcode and restrict its use to trusted administrators only.", "Sanitize the \u2018post_id\u2019 value on input by allowing only numeric identifiers before storing or rendering the content.", "Audit existing posts for injected scripts and clean any discovered instances to eliminate the stored XSS risk."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the XX2WP Integration Tools plugin with a version of 1.9.9 or earlier are affected. The vulnerability is specific to the WordPress plugin identified by the CNA as mxp:XX2WP Integration Tools.\n", "description_and_impact": "The XX2WP Integration Tools plugin for WordPress allows stored XSS because the \u2018mxp_fb2wp_display_embed\u2019 shortcode does not sanitize the user\u2011supplied \u2018post_id\u2019 parameter, a flaw identified as CWE\u201179. Attackers who can authenticate as a contributor or higher can insert arbitrary scripts that will execute when any user loads the affected page, potentially stealing credentials or defacing content. The CVSS score of 6.4 reflects the severity of this worst\u2011case scenario.\n", "risk_and_exploitability": "The EPSS score is less than 1\u202f%, indicating a low but non\u2011zero probability that the flaw will be targeted. The issue is not listed in CISA\u2019s KEV catalog. Because the impact requires an authenticated user with at least contributor access, an attacker must first gain or use legitimate WordPress credentials. Once the payload is stored, the cross\u2011site scripting effect will occur for any other visitor, exposing the site to data theft or session hijacking.\n"}}}}, "created": "2025-10-20T13:21:32.386738+00:00", "updated": "2026-04-22T14:15:20.400036+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}