CVE-2025-14113 is a stored cross-site scripting vulnerability identified in the Viitor Button Shortcodes plugin for WordPress, affecting all versions up to and including 3.0.0. The vulnerability stems from improper neutralization of input during web page generation, specifically in the 'link' shortcode attribute. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code into pages by exploiting insufficient input sanitization and output escaping mechanisms. When other users access the compromised pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the context of the victim's session. The vulnerability does not require user interaction beyond visiting the infected page and does not affect availability but compromises confidentiality and integrity. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, and privileges required at the contributor level. No public exploits have been reported yet, but the vulnerability is significant given the widespread use of WordPress and the plugin in question. The vulnerability was published in January 2026, with no patch currently available, emphasizing the need for immediate mitigation steps. The CWE classification is CWE-79, indicating cross-site scripting due to improper input validation and output encoding.

For European organizations, this vulnerability poses a risk primarily to websites using the Viitor Button Shortcodes plugin on WordPress, which is popular among small and medium enterprises (SMEs) and content creators. Exploitation can lead to unauthorized script execution in users' browsers, enabling attackers to steal session cookies, perform actions on behalf of users, or deface websites. This can result in data breaches, loss of customer trust, reputational damage, and potential regulatory penalties under GDPR if personal data is compromised. Since Contributor-level access is sufficient to exploit the vulnerability, insider threats or compromised accounts can be leveraged to escalate attacks. The impact is heightened for organizations relying on WordPress for customer-facing portals, e-commerce, or internal collaboration platforms. While availability is not directly affected, the integrity and confidentiality of web content and user data are at risk, which can disrupt business operations and compliance.

1. Immediately review and restrict Contributor-level permissions to only trusted users, minimizing the risk of malicious shortcode injection. 2. Monitor WordPress sites for unusual shortcode usage or unexpected script injections in page content. 3. Deploy a Web Application Firewall (WAF) with robust XSS detection and blocking capabilities to intercept malicious payloads targeting the 'link' shortcode attribute. 4. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Regularly audit and sanitize all user-generated content, especially inputs that can be rendered as shortcodes. 6. Stay alert for official patches or updates from the Viitor Button Shortcodes plugin vendor and apply them promptly once available. 7. Educate content contributors about safe content practices and the risks of injecting untrusted code. 8. Consider disabling or replacing the vulnerable plugin with a secure alternative if immediate patching is not feasible.