VK All in One Expansion Unit < 9.112.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-11265 | Plugin Vulnerabilities

Description

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' parameters in all versions up to, and including, 9.112.1. This is due to a logic error in the CTA save function that reads sanitization callbacks from the wrong variable ($custom_field_name instead of $custom_field_options), causing the sanitization to never be applied. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute when a user accesses an injected page.",

Affects Plugins

vk-all-in-one-expansion-unit

Fixed in 9.112.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9e5a6158-03d4-4ac7-8a4b-666cedabb433

Classification

Type

CROSS FRAME SCRIPTING

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

r0skie

Verified

No

WPVDB ID

fb39609e-2a6e-4da1-b3bf-4da2d70a78a2

Timeline

Publicly Published

2025-11-17 (about 6 months ago)

Added

2025-11-17 (about 6 months ago)

Last Updated

2025-11-18 (about 6 months ago)

Other

Published

Title

Published

2024-04-29

Title

All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic < 4.6.1.1 - Contributor+ Stored Cross-Site Scripting via Shortcode

Published

2024-03-13

Title

Link Library < 7.6.7 - Reflected Cross-Site Scripting

Published

2024-03-29

Title

WordPress File Upload < 4.24.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2024-03-29

Title

ElementsKit Elementor addons < 3.0.7 - Contributor+ Stored XSS

Published

2024-02-13

Title

Happy Addons for Elementor < 3.10.2 - Contributor+ Stored Cross-Site Scripting