CVE-2025-10194
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arefly | shortcode_button | 1.1.9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Shortcode Button WordPress plugin (up to version 1.1.9). It occurs because the plugin does not properly sanitize or escape user-supplied attributes in its 'button' shortcode. As a result, authenticated users with contributor-level access or higher can inject malicious scripts into pages. These scripts then execute whenever any user views the affected page.
How can this vulnerability impact me? :
The vulnerability allows attackers with contributor-level access to inject arbitrary web scripts into pages. This can lead to malicious actions such as stealing user credentials, hijacking user sessions, defacing the website, or distributing malware. Because the scripts execute in the context of the website, all users who visit the injected pages are at risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning WordPress installations for the presence of the Shortcode Button plugin version 1.1.9 or earlier. Since the vulnerability involves stored cross-site scripting via the 'button' shortcode, detection can include searching for pages or posts containing the '[button]' shortcode with suspicious or malicious script content in the attributes. Commands to detect the plugin version on the server could include: 1) Using WP-CLI to list installed plugins and their versions: `wp plugin list | grep shortcode-button` 2) Searching the WordPress database for posts containing the shortcode: `wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[button%';"` 3) Using web vulnerability scanners that detect stored XSS in WordPress plugins. Network detection of exploit attempts could involve monitoring HTTP requests for suspicious payloads in parameters related to the shortcode or unusual script tags in page content.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Deactivating and uninstalling the Shortcode Button plugin if it is installed, especially versions up to 1.1.9. 2) Reviewing and cleaning any content that uses the '[button]' shortcode to remove potentially malicious scripts. 3) Restricting contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated contributor access. 4) Monitoring and applying any future patches or updates from the plugin developer or WordPress security teams. 5) Considering disabling shortcodes or filtering shortcode attributes to sanitize inputs if the plugin must remain active. [2, 3]