CVE-2025-10194 is a stored Cross-Site Scripting (XSS) vulnerability identified in the eflyjason Shortcode Button plugin for WordPress, affecting all versions up to and including 1.1.9. The vulnerability arises from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes in the plugin's 'button' shortcode. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts via the shortcode parameters. Because the injected scripts are stored persistently, they execute in the context of any user who views the affected page, potentially compromising session cookies, redirecting users, or performing unauthorized actions. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WordPress and the plugin. The vulnerability is classified under CWE-79, highlighting the failure to properly sanitize input leading to XSS. The lack of patches at the time of reporting necessitates immediate mitigation steps by administrators. This vulnerability underscores the importance of secure coding practices in WordPress plugins, especially those that process user-generated content.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the eflyjason Shortcode Button plugin installed. Exploitation can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware via injected scripts. Organizations with multiple contributors or editors on their WordPress sites are particularly vulnerable since the attack requires contributor-level access. The compromise of user sessions can lead to data leakage, reputational damage, and potential regulatory consequences under GDPR if personal data is exposed or manipulated. Additionally, the persistent nature of stored XSS means that the malicious code remains active until removed, increasing the window of exposure. Although no known exploits are in the wild, the medium CVSS score and ease of exploitation by authenticated users make this a credible threat. The impact is heightened for sectors relying heavily on web presence, such as e-commerce, media, and public services within Europe.

1. Immediately audit WordPress sites for the presence of the eflyjason Shortcode Button plugin and identify versions up to 1.1.9. 2. Restrict contributor-level access strictly to trusted users and review user roles to minimize the number of users who can inject content. 3. Until an official patch is released, consider disabling or removing the plugin to eliminate the attack surface. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs that may contain script tags or event handlers. 5. Educate content contributors about the risks of injecting untrusted code and enforce content review policies. 6. Monitor website logs and user activity for unusual behavior that could indicate exploitation attempts. 7. Once a patch is available, apply it promptly and verify that input sanitization and output escaping are correctly implemented. 8. Employ Content Security Policy (CSP) headers to reduce the impact of any injected scripts by restricting script sources. 9. Regularly update WordPress core and all plugins to minimize exposure to known vulnerabilities.