CVE-2025-14113 is a stored cross-site scripting vulnerability identified in the Viitor Button Shortcodes plugin for WordPress, which is widely used to add customizable buttons via shortcodes. The vulnerability specifically targets the 'link' attribute within the shortcode, where insufficient input sanitization and lack of proper output escaping allow authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability affects all versions up to and including 3.0.0. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. No patches or known exploits are currently documented, but the risk remains significant due to the ease of exploitation by authenticated users and the potential impact on site integrity and confidentiality. The vulnerability is categorized under CWE-79, which is a common and impactful web security flaw. Organizations using this plugin should assess their exposure and apply mitigations promptly.

For European organizations, this vulnerability could lead to unauthorized script execution within their WordPress sites, compromising user sessions, leaking sensitive information, or enabling further attacks such as privilege escalation or defacement. Since the exploit requires Contributor-level access, attackers might leverage compromised or weak user credentials to inject malicious scripts. This can undermine trust in affected websites, cause reputational damage, and potentially violate data protection regulations like GDPR if personal data is exposed. The impact is particularly critical for organizations relying on WordPress for customer-facing portals, e-commerce, or internal collaboration platforms. The persistent nature of the stored XSS increases the risk as multiple users can be affected over time. Although no known exploits are reported, the vulnerability's medium severity and ease of exploitation by authenticated users make it a notable risk for European entities using the plugin.

European organizations should immediately audit their WordPress installations to identify the presence of the Viitor Button Shortcodes plugin and its version. Since no official patch links are provided, organizations should consider the following mitigations: restrict Contributor-level access strictly to trusted users, implement web application firewalls (WAFs) with rules to detect and block XSS payloads targeting shortcode parameters, and sanitize all user inputs at the application level if possible. Monitoring logs for unusual shortcode usage or script injections can help detect exploitation attempts. Additionally, organizations should plan to update the plugin once a patched version is released or consider disabling the plugin temporarily if it is not essential. Employing Content Security Policy (CSP) headers can also reduce the impact of injected scripts by restricting script execution sources. Regular security training for administrators and users with elevated privileges can reduce the risk of credential compromise that enables exploitation.