CVE-2025-11197: 
WordPress vulnerability analysis and mitigation

The Draft List plugin for WordPress (versions up to 2.6.1) contains a Stored Cross-Site Scripting vulnerability (CVE-2025-11197) discovered on October 10, 2025. The vulnerability exists in the plugin's 'drafts' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This security issue affects WordPress installations with the Draft List plugin installed (NVD CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability stems from inadequate sanitization of user input in the plugin's shortcode functionality (Wordfence Intel).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other client-side attacks (NVD CVE).

The vulnerability has been patched in version 2.6.2 of the Draft List plugin. The update includes improved input sanitization and additional security enhancements. Users are strongly advised to update to the latest version immediately (Github PR, WordPress Changeset).