CVE-2025-11819: 
WordPress vulnerability analysis and mitigation

The WP-Thumbnail plugin for WordPress has been identified with a Stored Cross-Site Scripting vulnerability (CVE-2025-11819), discovered and disclosed on October 21, 2025. The vulnerability affects all versions up to and including version 1.1 of the plugin. The plugin was subsequently closed on October 17, 2025, pending a full security review (NVD CVE, WordPress Plugin).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue that exists in the 'roboshot' shortcode functionality. The root cause is attributed to insufficient input sanitization and output escaping on user-supplied attributes. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD CVE).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other client-side attacks (NVD CVE).

The WordPress plugin repository has temporarily closed the WP-Thumbnail plugin as of October 17, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).