Community Alert: Surbma Plugin XSS Risk (CVE-2025-11800)

Cross Site Scripting (XSS) in WordPress Surbma

Critical: Stored XSS in “Surbma | MiniCRM Shortcode” (≤ 2.0) — Advisory

Plugin Name: Surbma | MiniCRM Shortcode
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2025-11800
Urgency: Low
CVE Publish Date: 2025-11-20
Source URL: CVE-2025-11800

Critical: Stored XSS in “Surbma | MiniCRM Shortcode” (≤ 2.0) — What Site Owners Need to Know

Date: 20 Nov 2025
Author: Hong Kong Security Expert

Summary

A stored Cross‑Site Scripting (XSS) vulnerability affecting versions ≤ 2.0 of the WordPress plugin “Surbma | MiniCRM Shortcode” (CVE‑2025‑11800) has been publicly disclosed. The flaw allows an authenticated user with the Contributor role to inject persistent JavaScript into content rendered by the plugin. Because this is stored XSS, the malicious payload is saved on the site and executed in the browser of any user who views the affected page — including administrators and editors. The CVSS score is 6.5 (medium), but real‑world impact varies by site usage and visitors.

This advisory:

  • Explains the vulnerability and exploitation scenarios in plain language.
  • Lists immediate actions site owners should take.
  • Provides technical detection and mitigation guidance (vendor‑neutral).
  • Offers secure coding best practices for plugin developers and administrators.

What happened? — Plain English

The plugin renders content provided by authenticated users (Contributor role and above) into pages via a shortcode or similar output. The vulnerability occurs because certain user‑supplied fields are output as HTML without proper sanitization or escaping. A Contributor can submit markup (including
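To make the escaping failure concrete, here is an added PHP example; it is not code from the Surbma plugin. It defines a hypothetical shortcode handler named example_minicrm with assumed title and id attributes, written first the unsafe way the paragraph describes and then hardened with WordPress's context-specific escaping helpers. The function_exists stubs exist only so the file also runs from the command line outside WordPress; inside WordPress the real core functions are used.

```php
<?php
// Added example, not the plugin's code: a hypothetical shortcode handler
// ('example_minicrm', with assumed 'title' and 'id' attributes) shown first
// in the unsafe form the advisory describes, then hardened with escaping.

// Minimal stand-ins so the file runs from the CLI outside WordPress; inside
// WordPress the real core functions exist and these blocks are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'absint' ) ) {
    function absint( $value ) { return abs( (int) $value ); }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $defaults, $atts, $shortcode = '' ) {
        return array_merge( $defaults, array_intersect_key( (array) $atts, $defaults ) );
    }
}
if ( ! function_exists( 'add_shortcode' ) ) {
    function add_shortcode( $tag, $callback ) { /* no-op outside WordPress */ }
}

// UNSAFE PATTERN: attribute values are concatenated into HTML untouched, so
// any markup a Contributor places in [example_minicrm title="..."] is saved
// with the post and rendered as-is for every viewer, editors and admins too.
function example_minicrm_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'id' => '' ), $atts, 'example_minicrm' );
    return '<div class="minicrm" data-id="' . $atts['id'] . '"><h3>' . $atts['title'] . '</h3></div>';
}

// HARDENED PATTERN: escape at the point of output, choosing the helper by
// context: esc_html() for text nodes, esc_attr() for attribute values, and
// absint() to force a numeric field to an integer before it is printed.
function example_minicrm_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'id' => '' ), $atts, 'example_minicrm' );
    return sprintf(
        '<div class="minicrm" data-id="%s"><h3>%s</h3></div>',
        esc_attr( absint( $atts['id'] ) ),
        esc_html( $atts['title'] )
    );
}
add_shortcode( 'example_minicrm', 'example_minicrm_shortcode_safe' );

// Constructed sample input: a title carrying markup and a non-numeric id,
// the kind of values a Contributor could put into the shortcode.
if ( PHP_SAPI === 'cli' ) {
    $input = array( 'title' => '<b>Leads</b>', 'id' => '7abc' );
    echo 'unsafe: ' . example_minicrm_shortcode_unsafe( $input ) . PHP_EOL;
    echo 'safe:   ' . example_minicrm_shortcode_safe( $input ) . PHP_EOL;
}
```

Run it with `php example.php` to see the two renderings side by side: the unsafe handler emits the Contributor's tags verbatim, the hardened one emits them as inert text and reduces the id to an integer. Where a plugin legitimately needs to allow a limited set of HTML in a field, `wp_kses_post()` is the WordPress helper for that case; the principle stays the same, escaping or filtering happens at output, independent of which role saved the content.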