CVE-2025-11197

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 2.6.1. The vulnerability exists in the plugin's 'drafts' shortcode, which fails to properly sanitize user-supplied attributes and escape output. This insufficient input validation allows attackers to inject arbitrary web scripts.

Authenticated attackers with contributor-level access or above can exploit this by crafting a malicious shortcode with injected JavaScript. The attack does not require elevated privileges beyond contributor, which is a common role for many WordPress sites. When the injected page is viewed by any user, the script executes in the context of that user's browser.

Successful exploitation can lead to a range of impacts, including session hijacking, redirection to malicious sites, or defacement. The attacker's injected script can perform actions on behalf of the victim, potentially compromising the site further.

The vulnerability has been patched in version 2.6.2, as detailed in the GitHub pull request [1]. Users are strongly advised to update to the latest version to mitigate the risk. No workarounds have been provided for sites that cannot upgrade immediately.