VK All in One Expansion Unit < 9.112.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via SNS Title | CVE 2025-11737 | Plugin Vulnerabilities

Description

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_sns_title' parameter in all versions up to, and including, 9.112.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

vk-all-in-one-expansion-unit

Fixed in 9.112.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1e7efb39-fada-4167-825c-21cc31948a63

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

afc41c9d-e575-4c15-8534-60909986df02

Timeline

Publicly Published

2026-02-17 (about 3 months ago)

Added

2026-02-17 (about 3 months ago)

Last Updated

2026-05-12 (about 12 days ago)

Other

Published

Title

Published

2015-01-14

Title

Simple Security <= 1.1.5 - 2 x Cross-Site Scripting (XSS)

Published

2024-08-02

Title

Ditty 3.1.39-3.1.45 - Author+ Stored XSS

Published

2022-05-10

Title

WPQA < 5.4 - Reflected Cross-Site Scripting

Published

2025-03-12

Title

Picture Gallery < 1.6.4 - Unauthenticated Stored XSS

Published

2024-06-22

Title

WP eMember < 10.6.7 - Reflected XSS