CVE-2025-11876

Vulnerability

Overview The Mailgun Subscriptions plugin for WordPress up to version 1.3.1 contains a Stored Cross-Site Scripting (XSS) vulnerability in its mailgun_subscription_form shortcode. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, specifically the description parameter. The official patch [1] shows that the fix applies wp_kses_post() to the description value before passing it to the form display function, confirming the lack of filtering in vulnerable versions.

Attack

Vector An authenticated attacker with at minimum contributor-level access to WordPress can exploit this vulnerability by crafting a shortcode block with a malicious description attribute. The unsanitized input is then stored and rendered on pages where the shortcode is used. When any user (including administrators or visitors) accesses the affected page, the injected script executes within the context of the victim's browser session.

Impact

Successful exploitation allows the attacker to execute arbitrary web scripts in the browser of anyone visiting the compromised page. This can lead to session hijacking, defacement, redirection to malicious websites, or theft of sensitive information such as cookies or authentication tokens. The scope of impact is amplified because the injected content persists until removed, affecting all subsequent viewers.

Remediation

The vulnerability has been patched in a commit to the plugin's GitHub repository [1]. Users are strongly advised to update the Mailgun Subscriptions plugin to the latest version that includes the sanitization fix. No workaround is available other than removing or restricting contributor access until the plugin can be updated.