The vulnerability CVE-2025-23449 affects the Simple shortcode buttons plugin by davidpuc, specifically versions up to 1.3.2. It is a reflected cross-site scripting (XSS) issue caused by improper input neutralization during web page generation. This allows an attacker to inject malicious scripts that execute in the context of the victim's browser when they interact with the affected plugin's output. The CVSS v3.1 base score is 7.1, indicating high severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts to confidentiality, integrity, and availability at low to low levels but with scope changed.

Successful exploitation of this vulnerability can allow an attacker to execute arbitrary scripts in the context of the affected web application users. This may lead to partial disclosure of sensitive information, modification of data, or disruption of service. The reflected nature means the attack requires user interaction, such as clicking a crafted link. No known exploits in the wild have been reported, so active exploitation is not confirmed.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor the vendor's communications for updates. In the meantime, consider applying input validation or output encoding workarounds if feasible. Avoid clicking suspicious links that may trigger the reflected XSS. No official mitigation or temporary fix is currently documented.