CVE-2025-22558 identifies a stored cross-site scripting (XSS) vulnerability in the mcjh button shortcode plugin for WordPress, developed by Marcus C. J. Hartmann. The vulnerability is caused by improper neutralization of user-supplied input during the generation of web pages, specifically in the shortcode functionality that renders buttons. This flaw allows an attacker to inject malicious JavaScript code that is stored persistently on the affected website, which executes in the context of users visiting the compromised pages. The affected versions include all versions up to and including 1.6.4. Since the vulnerability is stored XSS, it can be exploited by submitting crafted input that is saved and later rendered without proper sanitization or encoding. This can lead to theft of user credentials, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of legitimate users. The vulnerability does not require authentication or user interaction beyond visiting the infected page, increasing its risk. No CVSS score has been assigned yet, and no public exploits are currently known. The vulnerability was published on January 7, 2025, and no official patches or mitigation links have been provided at this time.

The impact of CVE-2025-22558 is significant for organizations running WordPress sites that utilize the mcjh button shortcode plugin. Successful exploitation can lead to compromise of user accounts through session hijacking, theft of sensitive data, website defacement, and distribution of malware or phishing content. Because the vulnerability is stored XSS, it can affect all visitors to the compromised pages, potentially damaging the organization's reputation and trustworthiness. Attackers can leverage this vulnerability to escalate privileges or pivot to other attacks within the network. The ease of exploitation and lack of required authentication increase the likelihood of attacks, especially on high-traffic websites. Organizations in sectors such as e-commerce, finance, healthcare, and government that rely on WordPress for public-facing websites are particularly at risk. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once details are public.

To mitigate CVE-2025-22558, organizations should immediately check if they are using the mcjh button shortcode plugin version 1.6.4 or earlier and plan to update to a patched version as soon as it becomes available. In the absence of an official patch, administrators should consider disabling or removing the plugin to eliminate the attack surface. Web application firewalls (WAFs) can be configured to detect and block typical XSS payloads targeting the shortcode functionality. Input validation and output encoding should be enforced at the application level to prevent malicious scripts from being stored or rendered. Regular security audits and scanning for XSS vulnerabilities on WordPress sites are recommended. Additionally, monitoring website traffic and logs for suspicious activity related to script injection attempts can provide early detection. Educating content editors and administrators about safe input handling and plugin security is also important. Finally, implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources.