CVE-2025-10194 identifies a stored cross-site scripting vulnerability in the eflyjason Shortcode Button plugin for WordPress, present in all versions up to and including 1.1.9. The vulnerability arises from improper neutralization of user-supplied input in the 'button' shortcode attributes, where insufficient input sanitization and lack of output escaping allow an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript code. When a page containing the injected shortcode is rendered, the malicious script executes in the context of any user viewing that page, potentially compromising session tokens, cookies, or enabling actions on behalf of the victim user. The vulnerability is classified under CWE-79, indicating cross-site scripting due to improper input handling during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to impact on other components. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability affects all versions of the plugin, which is used in WordPress environments, a widely deployed content management system.

This vulnerability allows authenticated users with contributor or higher privileges to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any visitors or administrators viewing those pages. The impact includes potential theft of session cookies, leading to account takeover, unauthorized actions performed with the victim's privileges, and possible defacement or redirection attacks. Since WordPress powers a significant portion of websites globally, exploitation could affect numerous organizations, especially those with multiple contributors or less restrictive user role management. The scope change in the CVSS vector indicates that the vulnerability could affect components beyond the immediate plugin, potentially compromising site integrity and user trust. Although no known exploits exist yet, the medium severity and ease of exploitation by authenticated users make it a credible threat, particularly in environments where contributor access is granted to untrusted parties or where user roles are not tightly controlled.

Organizations should immediately review user roles and restrict contributor-level access to trusted users only. Implement strict input validation and output escaping for all shortcode attributes, either by applying vendor patches once available or by manually sanitizing inputs in the plugin code. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads in shortcode parameters to provide temporary protection. Regularly audit WordPress plugins for updates and security advisories, and consider disabling or replacing the Shortcode Button plugin if a timely patch is not available. Additionally, monitor site logs for unusual activity or injection attempts and educate contributors on secure content creation practices. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources.