CVE-2025-5535 is a stored Cross-Site Scripting (XSS) vulnerability affecting the e.nigma buttons plugin for WordPress, specifically versions up to and including 1.1.3. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), where user-supplied attributes in the plugin's 'button' shortcode are not adequately sanitized or escaped before being rendered. This flaw allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently and executed whenever any user accesses the compromised page, this can lead to session hijacking, privilege escalation, or other malicious activities. The vulnerability does not require user interaction beyond page access, and the attacker must have at least contributor-level access, which is a relatively low privilege level in WordPress environments. The CVSS v3.1 base score is 6.4 (medium severity), with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, privileges required, no user interaction, scope change, and low impact on confidentiality and integrity, no impact on availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on June 26, 2025, and assigned by Wordfence. The plugin is used to add customizable buttons to WordPress sites, and the vulnerability affects all versions up to 1.1.3, implying that any site using this plugin version is at risk if the plugin is installed and active.

For European organizations utilizing WordPress sites with the e.nigma buttons plugin, this vulnerability poses a significant risk of persistent XSS attacks. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, and defacement. This can undermine the integrity and confidentiality of web applications and user data. Given that WordPress is widely used across Europe for corporate, governmental, and e-commerce websites, the risk extends to sectors handling sensitive personal data under GDPR, increasing regulatory and reputational risks. The scope of impact includes any organization that allows contributor-level users to add or edit content and uses the affected plugin version. The lack of requirement for user interaction beyond page access increases the attack surface. However, since the vulnerability requires authenticated access, external attackers without credentials are less likely to exploit it directly, but insider threats or compromised accounts could be leveraged. The absence of known exploits in the wild suggests limited immediate threat but also underscores the importance of proactive mitigation.

1. Immediate audit of WordPress installations across the organization to identify the presence of the e.nigma buttons plugin and verify its version. 2. Restrict contributor-level privileges strictly to trusted users; review and minimize the number of users with such access. 3. Implement a Content Security Policy (CSP) that restricts execution of inline scripts and limits sources of executable scripts to trusted domains, mitigating impact of injected scripts. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute inputs or script tags in content submissions. 5. Monitor logs and content changes for unusual shortcode usage or unexpected script injections. 6. Until an official patch is released, consider disabling or uninstalling the e.nigma buttons plugin if feasible, or replacing it with alternative plugins that do not have this vulnerability. 7. Educate content contributors about the risks of injecting untrusted content and enforce strict input validation policies. 8. Plan for rapid deployment of patches once available and test updates in staging environments before production rollout.