| Plugin Name | Shortcode Button |
|---|---|
| Type of Vulnerability | Authenticated Stored XSS |
| CVE Number | CVE-2025-10194 |
| Urgency | Low |
| CVE Publish Date | 2025-10-15 |
| Source URL | CVE-2025-10194 |
Shortcode Button (≤ 1.1.9) — Authenticated Contributor Stored XSS (CVE-2025-10194): What Site Owners and Developers Must Do Now
A stored Cross‑Site Scripting (XSS) affecting the Shortcode Button plugin (versions ≤ 1.1.9) has been assigned CVE‑2025‑10194. Authenticated users with Contributor privileges (and above) can store HTML/JavaScript that will execute in other users’ browsers. No vendor patch is available at publication. This post outlines the risk, detection, developer fixes, and immediate mitigations.
What is stored XSS and why it matters
Cross‑Site Scripting (XSS) allows an attacker to inject client‑side scripts that run in other users’ browsers. Stored (persistent) XSS is particularly dangerous because the payload is saved on the server (database, options, postmeta) and delivered to many visitors over time. Executed scripts can:
- Steal cookies or authentication tokens (session theft)
- Perform actions as the victim (CSRF via injected script)
- Present phishing overlays or misleading UI
- Load external malware, redirect users, or fingerprint visitors
- Exfiltrate data visible to the compromised user
In WordPress, stored XSS commonly originates from plugins or themes that accept user input and render it without suitable sanitization and escaping.
The Shortcode Button vulnerability in plain English
The Shortcode Button plugin accepts input that is later output in posts, pages or admin views. A vulnerability exists such that an authenticated user with Contributor privilege (or higher) can save data that contains HTML/JavaScript. The plugin stores and renders that data without adequate escaping, enabling script execution when content is viewed.
Key facts:
- Affects Shortcode Button plugin versions ≤ 1.1.9
- Vulnerability type: Stored Cross‑Site Scripting (XSS)
- Required privilege: Contributor (authenticated)
- CVE: CVE‑2025‑10194
- Status at publication: No official vendor fix available
Because Contributor accounts are common on multi‑author sites, LMS platforms, membership communities and similar deployments, the practical risk can be material where untrusted contributors are allowed to create or edit content.
Threat model: who can exploit this and how
Typical exploitation flow and prerequisites:
- The attacker holds an account with at least Contributor privileges. This may be an account created by public registration, a compromised account, or an insider with malicious intent.
- The attacker uses the Shortcode Button UI or other plugin endpoints that store data (shortcode attributes, postmeta, plugin options) to insert malicious content.
- The plugin stores the data and later outputs it without proper escaping, so visiting users’ browsers execute the payload.
- Executed payloads can target unauthenticated visitors, logged‑in users, or administrators depending on where the payload is rendered.
Because the payload is persistent, it can affect many visitors over time and remain active until removed.
Potential impact to your site and users
Impact depends on where the injected script runs:
- Front‑end only: defacement, redirects, hidden crypto‑miner scripts, or malicious ads.
- Admin pages / editor screens: possible session theft, unauthorized setting changes, backdoor uploads, or creation of new admin accounts.
- Combined with social engineering: attacker may phish admins or escalate to persistent access.
Although CVSS may be moderate due to required authenticated access, Contributor accounts are often easy to obtain on many sites, raising operational risk for some deployments.
Quick detection: what to look for on your site now
If your site uses Shortcode Button ≤ 1.1.9, perform these checks immediately:
1. Inventory
- Identify installations with Shortcode Button and confirm version (wp-admin → Plugins). If present and unpatched, treat as high priority.
2. User roles and registrations
- Review users with Contributor or higher roles. Look for recently created or suspicious accounts.
- If public registration is enabled, consider changing default role to Subscriber or temporarily closing registration.
3. Search for suspicious content in posts, postmeta, and options
Search the database for common XSS indicators. Run queries on a staging copy or after backups:
SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%';
Also search for attributes and functions commonly used in payloads: onerror=, javascript:, document.cookie, eval(. Manual review is required — many benign constructs exist.
4. Check recent edits
- Review posts/pages created or edited by Contributors in the last 30 days.
5. Scan files and uploads
- Look for recently modified plugin/theme files and suspicious PHP files in /wp-content/uploads/.
6. Web logs
- Review server logs and any WAF logs for POST requests to plugin endpoints or admin AJAX calls that reference Shortcode Button inputs.
If you find suspect content, do not blindly edit on production. Back up, move to staging, and clean safely.
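The following queries combine steps 3 and 4 above into one read-only triage pass. They are an added example, not part of the original post, and assume a MySQL/MariaDB database with the default wp_ table prefix (the capability meta key is prefix-dependent, so adjust both if your install uses a different prefix).

```sql
-- Added example (not from the original post): list post content saved or
-- modified in the last 30 days by users holding the Contributor role that
-- contains common stored-XSS indicators. Assumes the default "wp_" prefix;
-- the capability key follows the prefix, so "wp_capabilities" changes too.
-- All three statements only read; run them against a backup or staging copy.
SELECT
    p.ID,
    p.post_title,
    p.post_type,
    p.post_status,
    p.post_modified,
    u.user_login AS author
FROM wp_posts AS p
JOIN wp_users AS u
    ON u.ID = p.post_author
JOIN wp_usermeta AS um
    ON um.user_id = u.ID
   AND um.meta_key = 'wp_capabilities'        -- serialized PHP array of roles
   AND um.meta_value LIKE '%"contributor"%'
WHERE p.post_modified >= NOW() - INTERVAL 30 DAY
  AND (
        p.post_content LIKE '%<script%'
     OR p.post_content LIKE '%javascript:%'
     OR p.post_content LIKE '%onerror=%'
     OR p.post_content LIKE '%document.cookie%'
     OR p.post_content LIKE '%eval(%'
  )
ORDER BY p.post_modified DESC;

-- Shortcode attributes and plugin settings may be stored outside post_content;
-- check postmeta and options for the same indicators (first 200 chars shown).
SELECT pm.post_id, pm.meta_key, LEFT(pm.meta_value, 200) AS sample
FROM wp_postmeta AS pm
WHERE pm.meta_value LIKE '%<script%'
   OR pm.meta_value LIKE '%javascript:%'
   OR pm.meta_value LIKE '%onerror=%';

SELECT o.option_name, LEFT(o.option_value, 200) AS sample
FROM wp_options AS o
WHERE o.option_value LIKE '%<script%'
   OR o.option_value LIKE '%javascript:%'
   OR o.option_value LIKE '%onerror=%';
```

Expect false positives, especially in wp_options where legitimate plugin settings often embed scripts; treat each hit as a lead for manual review, not as confirmed compromise.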
Immediate mitigation steps (site owners/operators)
If you cannot remove or update the plugin immediately, apply these prioritized mitigations:
- Limit Contributor access temporarily
- Change default registration role to Subscriber.
- Downgrade or suspend suspicious Contributor accounts.
- Consider disabling new user registrations while you triage.
- Deactivate or remove the plugin
- If the plugin is not critical, deactivate and delete it until a safe fix is available.
- Sanitize existing content