WordPress Security Bulletin: VK All in One Expansion Unit Plugin Vulnerability (CVE-2025-11737)

Security Alert Summary

The VK All in One Expansion Unit plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via the vkExUnit_sns_title parameter in all versions up to and including 9.112.3. Authenticated attackers with Contributor-level access or higher can inject arbitrary HTML or JavaScript that is saved by the plugin and executes in the browser of anyone who later views a page containing the injected value.


CVE Details

  • CVE ID: CVE-2025-11737
  • Affected plugin / component: VK All in One Expansion Unit plugin for WordPress
  • Affected versions: All versions up to, and including, 9.112.3
  • Published: February 18, 2026 at 6:16:31 AM UTC
  • Last modified: February 18, 2026 at 6:16:31 AM UTC
  • CVSS v3.1 base score: 6.4 (MEDIUM)
  • CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication required: Yes; the CVE description specifies Contributor-level access and above
  • Privileges required: Low (CVSS PR:L); in practice, any account holding the Contributor role or higher
  • User interaction: None (CVSS: UI:N)
  • Primary impact:
    • Confidentiality: Low
    • Integrity: Low
    • Availability: None
  • CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting)

Technical Details

The vulnerability is a stored cross-site scripting issue caused by insufficient input sanitization and missing output escaping of the vkExUnit_sns_title parameter. According to the CVE description, an authenticated user with Contributor-level access or higher can submit a payload in this parameter; the plugin stores it and later writes it back into a page without escaping it for the HTML context in which it lands.

Because the payload is stored server-side, no interaction with the victim is needed beyond loading the page (CVSS UI:N): whoever views the affected page, including an Editor or Administrator reviewing contributor-submitted content, executes the script in the context of the site. The CVE attributes the issue to inadequate sanitization and escaping in the plugin, not to a flaw in the browser or in WordPress core.
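The following is an added illustration of the pattern the CVE describes, written for this bulletin; it is not code from the VK All in One Expansion Unit plugin. It assumes the value is kept as post meta under the key vkExUnit_sns_title and uses hypothetical function and nonce names (demo_*). The unsafe save/render pair is shown first and is deliberately not hooked, so it never runs; the hardened pair beneath it is what a plugin should do.

```php
<?php
/*
 * Added example for CVE-2025-11737 (stored XSS via vkExUnit_sns_title).
 * Not the plugin's own code. Assumptions: the value is stored as post meta
 * under 'vkExUnit_sns_title'; all demo_* names and the nonce action are hypothetical.
 */

// --- Vulnerable pattern (illustration only, never hooked): raw POST value stored, raw meta echoed ---

function demo_vuln_save_sns_title( $post_id ) {
    if ( isset( $_POST['vkExUnit_sns_title'] ) ) {
        // No sanitisation: a value such as  "><script>...</script>  is stored verbatim.
        update_post_meta( $post_id, 'vkExUnit_sns_title', wp_unslash( $_POST['vkExUnit_sns_title'] ) );
    }
}

function demo_vuln_render_sns_title() {
    $title = get_post_meta( get_the_ID(), 'vkExUnit_sns_title', true );
    // No output escaping: the stored markup breaks out of the attribute and becomes live HTML.
    echo '<meta property="og:title" content="' . $title . '" />';
}

// --- Hardened pattern: nonce + capability check, sanitise on save, escape on output ---

function demo_safe_save_sns_title( $post_id ) {
    if ( ! isset( $_POST['vkExUnit_sns_title'] ) ) {
        return;
    }
    // Reject requests that did not come from the plugin's own form (CSRF protection).
    if ( ! isset( $_POST['demo_sns_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['demo_sns_nonce'] ), 'demo_save_sns_title' ) ) {
        return;
    }
    // Only users who may edit this post may change its meta.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // sanitize_text_field() strips tags and encodes stray '<', so script markup never reaches the database.
    $clean = sanitize_text_field( wp_unslash( $_POST['vkExUnit_sns_title'] ) );
    update_post_meta( $post_id, 'vkExUnit_sns_title', $clean );
}

function demo_safe_render_sns_title() {
    $title = get_post_meta( get_the_ID(), 'vkExUnit_sns_title', true );
    if ( '' === $title ) {
        return;
    }
    // Escape for the exact output context: esc_attr() inside an attribute, esc_html() for element text.
    echo '<meta property="og:title" content="' . esc_attr( $title ) . '" />';
}

add_action( 'save_post', 'demo_safe_save_sns_title' );
add_action( 'wp_head', 'demo_safe_render_sns_title' );
```

Note that the capability check alone would not have prevented this bug: a Contributor legitimately holds edit_post on their own drafts, so the real fix is the pair of sanitize_text_field() on the way in and a context-appropriate esc_*() on the way out. Sanitising on save is defence in depth; escaping at output is the control that actually stops the browser from executing stored content.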


How This Could Impact Your Website

In a realistic site setup, a contributor, an external contractor, or anyone who has obtained a Contributor-level account could add or edit content that carries a malicious payload in the vulnerable parameter. When internal staff, administrators, or site visitors view the affected page, the injected script runs in the site's own origin, with whatever that viewer's browser is allowed to see and do.

Practical consequences include disclosure of content visible to the victim (page data, and for logged-in staff the administrative interface), a higher risk of convincing phishing or social-engineering attacks served from the legitimate domain, and requests made in the victim's name. WordPress marks its authentication cookies HttpOnly, so the script cannot simply read them, but it can still issue requests that carry the victim's session and nonces. The CVSS impacts rate confidentiality and integrity as low; availability is not affected according to the provided data.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available, and treat anything at or below 9.112.3 as vulnerable. (The CVE entry does not specify a fixed version; check the plugin's changelog for a release that references this issue.)
  • Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that can create or edit content.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and content changes for unusual behavior, especially edits from contributor accounts.
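As an added triage aid for the version and monitoring steps above (not code from the plugin or from the CVE entry), the script below can be run inside a WordPress install with `wp eval-file check-cve-2025-11737.php`. It checks the installed plugin version against the 9.112.3 ceiling from the advisory and lists any stored vkExUnit_sns_title values that contain markup, together with the post author and role. The plugin file path is an assumption (the WordPress.org slug is assumed to be vk-all-in-one-expansion-unit), as is the storage of the value as post meta under that key.

```php
<?php
/*
 * Added triage script for CVE-2025-11737. Not part of the plugin or the advisory.
 * Run inside WordPress:  wp eval-file check-cve-2025-11737.php
 * Assumptions: plugin main file at vk-all-in-one-expansion-unit/vkExUnit.php (hypothetical),
 * and the vulnerable value is stored as post meta 'vkExUnit_sns_title'.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit( "Run inside WordPress, e.g. with: wp eval-file check-cve-2025-11737.php\n" );
}

require_once ABSPATH . 'wp-admin/includes/plugin.php';

// 1. Version check: the advisory lists every release up to and including 9.112.3 as affected.
$plugin_file = 'vk-all-in-one-expansion-unit/vkExUnit.php'; // assumption, adjust to your install
$plugin_path = WP_PLUGIN_DIR . '/' . $plugin_file;

if ( file_exists( $plugin_path ) ) {
    $data     = get_plugin_data( $plugin_path, false, false );
    $affected = version_compare( $data['Version'], '9.112.3', '<=' );
    printf( "Plugin version %s: %s\n", $data['Version'], $affected ? 'AFFECTED (<= 9.112.3)' : 'above 9.112.3' );
} else {
    echo "Plugin not found at the assumed path; verify the plugin slug and main file.\n";
}

// 2. Hunt for stored values that contain markup. A legitimate share title never needs '<', '>' or 'javascript:'.
global $wpdb;

$key     = 'vkExUnit_sns_title';
$needles = array( '<', '>', 'javascript:' );
$likes   = array();
foreach ( $needles as $n ) {
    $likes[] = '%' . $wpdb->esc_like( $n ) . '%';
}

$rows = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT pm.post_id, pm.meta_value, p.post_author, p.post_modified
           FROM {$wpdb->postmeta} pm
           JOIN {$wpdb->posts} p ON p.ID = pm.post_id
          WHERE pm.meta_key = %s
            AND ( pm.meta_value LIKE %s OR pm.meta_value LIKE %s OR pm.meta_value LIKE %s )",
        $key,
        $likes[0],
        $likes[1],
        $likes[2]
    )
);

if ( empty( $rows ) ) {
    echo "No {$key} values containing markup were found.\n";
}

foreach ( $rows as $row ) {
    // post_author is the original author; the '_edit_last' post meta holds the last editor if you need it.
    $user = get_userdata( (int) $row->post_author );
    printf(
        "post %d  author=%s (%s)  modified=%s  value=%s\n",
        $row->post_id,
        $user ? $user->user_login : 'unknown',
        $user ? implode( ',', $user->roles ) : '-',
        $row->post_modified,
        substr( $row->meta_value, 0, 80 )
    );
}
```

A hit on a Contributor-authored post is the case the advisory warns about; review the full meta value before deciding whether it is an innocent title containing an angle bracket or an injected payload, and clean it through the editor or with `wp post meta update` rather than by editing the database directly.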

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

