{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11870", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-16T15:04:49.136Z", "datePublished": "2025-10-22T08:27:10.113Z", "dateUpdated": "2026-04-08T17:18:52.071Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:52.071Z"}, "affected": [{"vendor": "dmbarber", "product": "Simple Business Data", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple Business Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'simple_business_data' shortcode attributes in all versions up to, and including, 1.0.1. This is due to the plugin not properly sanitizing user input or escaping output when embedding the `type` attribute into the `class` attribute in rendered HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Simple Business Data <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd2754f9-11f7-4690-99dd-2204e69bf14b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-business-data/tags/1.0.1/templates/simple-business-data-template.php#L14"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-10-21T20:20:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-22T14:20:04.257136Z", "id": "CVE-2025-11870", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T14:20:17.268Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11870", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-22T14:20:04.257136Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T14:20:12.185Z"}}], "cna": {"title": "Simple Business Data <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "dmbarber", "product": "Simple Business Data", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-21T20:20:12.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd2754f9-11f7-4690-99dd-2204e69bf14b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-business-data/tags/1.0.1/templates/simple-business-data-template.php#L14"}], "descriptions": [{"lang": "en", "value": "The Simple Business Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'simple_business_data' shortcode attributes in all versions up to, and including, 1.0.1. This is due to the plugin not properly sanitizing user input or escaping output when embedding the `type` attribute into the `class` attribute in rendered HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-22T08:27:10.113Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11870", "state": "PUBLISHED", "dateUpdated": "2025-10-22T14:20:17.268Z", "dateReserved": "2025-10-16T15:04:49.136Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-22T08:27:10.113Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple Business Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'simple_business_data' shortcode attributes in all versions up to, and including, 1.0.1. This is due to the plugin not properly sanitizing user input or escaping output when embedding the `type` attribute into the `class` attribute in rendered HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11870", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-22T09:15:35.320", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-business-data/tags/1.0.1/templates/simple-business-data-template.php#L14"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd2754f9-11f7-4690-99dd-2204e69bf14b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:09:30.836285+00:00", "value": {"mitigation_remediation": ["Upgrade the Simple Business Data plugin to a version that removes the XSS flaw.", "If an upgrade is not immediately available, disable or remove the plugin or prohibit the use of its 'simple_business_data' shortcode.", "Limit contributor-level access to trusted users and monitor for anomalous script activity.", "While an official workaround is not provided, any attempt to escape or remove the 'type' attribute value from output could mitigate the risk until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Stored Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Simple Business Data plugin developed by dmbarber, installed in WordPress sites. All released plugin versions up to and including 1.0.1 are impacted; newer releases beyond 1.0.1 are not listed as affected.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in the Simple Business Data WordPress plugin. The plugin fails to sanitize or escape the value of the 'type' attribute used in the 'simple_business_data' shortcode, embedding the content directly into the class attribute of rendered HTML. An attacker who can create or edit content with contributor-level or higher access can inject arbitrary JavaScript that will execute in the browsers of any user who visits a page containing the compromised shortcode. The script runs client\u2011side and may be used to steal session cookies, redirect users, or perform other malicious actions within the context of the victim\u2019s authenticated session.", "risk_and_exploitability": "The CVSS score for this issue is 6.4, indicating moderate severity. The EPSS score is reported as less than 1%, reflecting a low probability of exploitation within the current timeframe, and the vulnerability is not yet listed in CISA\u2019s KEV catalog. Exploitation requires an authenticated user with contributor or higher privileges, but the resulting XSS can affect any visitor to the compromised page. Overall, the risk is moderate, with low likelihood but potentially significant impact on users of the site."}}}}, "created": "2025-10-23T10:07:52.861215+00:00", "updated": "2026-04-21T02:15:06.529439+00:00", "vendors": ["dmbarber", "dmbarber$PRODUCT$simple_business_data", "wordpress", "wordpress$PRODUCT$wordpress"]}