CVE-2025-4221 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Animated Buttons WordPress plugin developed by baswaniyash. The vulnerability exists in all versions up to and including 1.0.0, specifically within the 'auto-downloader' shortcode functionality. The root cause is insufficient sanitization and escaping of user-supplied attributes, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the context of any user who views the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the victim. The vulnerability requires no user interaction beyond viewing the page but does require the attacker to have authenticated access with contributor or higher privileges, limiting exploitation to insiders or compromised accounts. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. The vulnerability impacts confidentiality and integrity but not availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on May 2, 2025, and published on May 21, 2025.

The primary impact of CVE-2025-4221 is the potential compromise of user confidentiality and integrity on WordPress sites using the vulnerable Animated Buttons plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors and administrators, leading to session hijacking, credential theft, or unauthorized actions such as content manipulation or privilege escalation. This can undermine trust in the affected websites, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. Since the vulnerability requires authenticated access, the risk is higher in environments with weak account controls or where contributor accounts are shared or compromised. The scope includes all WordPress sites using the plugin, which may be small to moderate in number but could include high-value targets. The vulnerability does not affect availability directly but can degrade site integrity and user trust significantly.

To mitigate CVE-2025-4221, organizations should immediately audit their WordPress installations for the presence of the Animated Buttons plugin and restrict contributor-level access to trusted users only. Since no official patch is currently available, administrators should consider disabling or uninstalling the plugin until a fix is released. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections in shortcode attributes can provide temporary protection. Additionally, enforcing strong authentication policies, including multi-factor authentication for all users with contributor or higher privileges, reduces the risk of account compromise. Regularly monitoring logs for unusual shortcode usage or content changes can help detect exploitation attempts. Finally, site owners should sanitize and escape all user inputs in custom shortcodes and plugins to prevent similar vulnerabilities in the future.