CVE-2025-10190
BaseFortify
Publication date: 2025-10-11
Last updated on: 2025-10-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| husain_ahmed | wp_easy_toggles | 1.9.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10190 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Easy Toggles WordPress plugin (up to version 1.9.0). It occurs because the plugin does not properly sanitize or escape user-supplied attributes in its 'toggles' shortcode. This allows authenticated users with contributor-level access or higher to inject malicious scripts into pages. These scripts then execute whenever any user views the affected page, potentially compromising site security. [3]
How can this vulnerability impact me? :
This vulnerability can allow attackers with contributor-level access to inject arbitrary JavaScript into your WordPress site. When other users visit the infected pages, the malicious scripts execute in their browsers, which can lead to theft of sensitive information (like cookies or session tokens), unauthorized actions on behalf of users, defacement, or further compromise of the website. It undermines the trustworthiness and security of your site. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning WordPress sites for the presence of the WP Easy Toggles plugin version 1.9.0 or earlier. Additionally, inspecting pages that use the [toggles] shortcode for suspicious or unexpected script tags or HTML in the toggle titles or descriptions can help identify exploitation. Since the vulnerability involves stored XSS via shortcode attributes, searching the database for shortcode entries containing script tags or unusual HTML can be useful. Specific commands might include using WP-CLI to search posts for the shortcode with suspicious content, e.g., `wp post list --post_type=page,post --field=ID | xargs -I % wp post get % --field=post_content | grep -i "[toggles]"` and then manually inspecting for injected scripts. Network detection could involve monitoring HTTP responses for injected scripts in pages using the toggle shortcode. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the WP Easy Toggles plugin from your WordPress installation, especially if it is version 1.9.0 or earlier. Since the plugin has been temporarily closed and removed from download availability pending a security review, avoid reinstalling or updating from untrusted sources. Review and sanitize any content created using the [toggles] shortcode to remove potentially malicious scripts. Limit contributor-level access or higher to trusted users only, as the vulnerability requires authenticated users with such privileges to exploit. Applying a Web Application Firewall (WAF) rule to block suspicious script injections in shortcode attributes can also help mitigate risk until a patched version is available. [2, 3]