The vulnerability CVE-2025-22815 affects the bPlugins Button Block plugin (version ≤ 1.1.9). It is a Stored Cross-site Scripting (XSS) flaw caused by improper neutralization of input during web page generation. An attacker with low privileges and requiring user interaction can exploit this to execute arbitrary scripts in the context of the victim's browser session. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, required privileges, user interaction, and partial impact on confidentiality, integrity, and availability.

Successful exploitation can result in partial compromise of confidentiality, integrity, and availability of the affected system or user data. This may allow attackers to execute malicious scripts in users' browsers, potentially leading to session hijacking or unauthorized actions within the affected application context. However, no known exploits are currently reported in the wild.

Patch status is not yet confirmed — no official fix or patch links are provided. Users should monitor the vendor's advisory channels for updates and apply any forthcoming patches promptly. Until a fix is available, consider restricting user input or applying web application firewall rules to detect and block suspicious input patterns related to this vulnerability.