CVE-2025-14113 is a stored Cross-Site Scripting vulnerability identified in the Viitor Button Shortcodes plugin for WordPress, affecting all versions up to and including 3.0.0. The vulnerability stems from improper neutralization of input (CWE-79) during web page generation, specifically through the 'link' shortcode attribute. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code into pages by exploiting insufficient input sanitization and output escaping mechanisms. Once injected, the malicious script executes in the context of any user who views the compromised page, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deliver further payloads. The attack vector is network-based, with low complexity, requiring no user interaction but limited to authenticated users with certain privileges. The vulnerability affects the confidentiality and integrity of the affected WordPress sites but does not impact availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in December 2025 and published in January 2026, with a CVSS v3.1 base score of 6.4, indicating medium severity. The scope is considered changed due to the potential for script execution affecting multiple users. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow shortcode attributes to be user-controlled.

The primary impact of CVE-2025-14113 is the compromise of confidentiality and integrity within affected WordPress sites. Attackers with Contributor-level access can inject persistent malicious scripts that execute in the browsers of any user visiting the infected page, including administrators. This can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware. For organizations, this can result in data breaches, loss of user trust, reputational damage, and potential regulatory consequences if sensitive data is exposed. Since the vulnerability requires authenticated access, the risk is somewhat mitigated but remains significant in environments with multiple contributors or where account compromise is possible. The vulnerability does not affect availability directly but can indirectly cause service disruption through administrative account compromise or site defacement. Organizations relying on the Viitor Button Shortcodes plugin in multi-user WordPress environments are at particular risk, especially if they do not enforce strict access controls or monitor for unusual shortcode usage.

To mitigate CVE-2025-14113, organizations should first check for and apply any official patches or updates from the Viitor Button Shortcodes plugin vendor once available. In the absence of patches, administrators should restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious shortcode injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode attributes or script tags can help prevent exploitation. Regularly auditing shortcode usage and content for unexpected or malicious scripts is recommended. Additionally, applying Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Disabling or removing the Viitor Button Shortcodes plugin entirely, if not essential, is a strong preventive measure. Monitoring logs for unusual shortcode attribute usage and educating content contributors about safe practices can further reduce risk. Finally, ensure that WordPress core and all plugins are kept up to date to minimize exposure to known vulnerabilities.