CVE-2025-9849
BaseFortify
Publication date: 2025-09-06
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alimuzzaman | html_social_share_buttons | 2.2.0 |
| alimuzzaman | html_social_share_buttons | 2.2.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9849 is a Stored Cross-Site Scripting (XSS) vulnerability in the Html Social Share Buttons WordPress plugin, specifically in the 'zm_sh_btn' shortcode. It occurs because the plugin does not properly sanitize or escape user-supplied attributes, allowing authenticated users with contributor-level access or higher to inject malicious scripts. These scripts are stored and executed whenever a user views the affected page, potentially compromising site security. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers with contributor-level access or above to inject arbitrary malicious scripts into pages via the plugin's shortcode. When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, defacement, data theft, or other malicious actions. It undermines the security and trustworthiness of the affected website. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WordPress site is running the Html Social Share Buttons plugin version 2.1.16 or earlier, as these versions are vulnerable. You can look for the presence of the `zm_sh_btn` shortcode in posts or pages, which may contain malicious scripts injected by an attacker. To detect exploitation, you can search the WordPress database for instances of the shortcode with suspicious or unexpected script tags. For example, you can run a SQL query on the WordPress database to find posts containing the shortcode with potential script injections: `SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[zm_sh_btn%<script%'`. Additionally, inspecting the rendered pages for unexpected JavaScript execution related to the social share buttons can help identify exploitation. There are no specific network commands provided, but monitoring HTTP responses for injected scripts in pages using the shortcode can be useful. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Html Social Share Buttons plugin to version 2.2.0 or later, where the Stored Cross-Site Scripting issue has been fixed by implementing comprehensive input sanitization and output escaping on all shortcode attributes and related outputs. If updating immediately is not possible, restrict contributor-level and higher user access to trusted users only, as the vulnerability requires authenticated users with contributor-level access or above to exploit. Additionally, review and clean any injected malicious scripts from posts or pages using the `zm_sh_btn` shortcode. Applying a Web Application Firewall (WAF) rule to block suspicious shortcode inputs may also help mitigate exploitation until the update is applied. [1]