CVE-2025-5535 is a stored Cross-Site Scripting (XSS) vulnerability identified in the e.nigma buttons plugin for WordPress, specifically affecting all versions up to and including 1.1.3. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The plugin's 'button' shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed whenever any user accesses the infected page, potentially compromising user sessions or performing unauthorized actions within the context of the affected website. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, requiring low attack complexity and privileges of an authenticated contributor or higher, but no user interaction is necessary for exploitation. The scope is changed, indicating that the vulnerability can affect components beyond the initially vulnerable plugin, potentially impacting the confidentiality and integrity of data. No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on June 3, 2025, and published on June 26, 2025, by Wordfence. The absence of patch links suggests that a fix may not yet be publicly available, underscoring the need for immediate mitigation efforts by affected parties.

The primary impact of CVE-2025-5535 is the potential execution of arbitrary JavaScript code within the context of the vulnerable WordPress site. This can lead to partial compromise of confidentiality by exposing sensitive user data such as cookies or session tokens to attackers. Integrity may also be affected as attackers could manipulate page content or perform unauthorized actions on behalf of users. Although availability is not directly impacted, the injected scripts could be used to conduct phishing attacks, redirect users to malicious sites, or facilitate further exploitation. Organizations relying on the e.nigma buttons plugin risk reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. Since exploitation requires contributor-level access, insider threats or compromised accounts pose a significant risk. The vulnerability's ability to affect all users who visit the infected pages broadens the scope of impact, potentially affecting site administrators, editors, and visitors alike.

1. Immediate mitigation should focus on restricting contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 2. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns related to the 'button' shortcode attributes. 3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 4. Monitor and audit user-generated content for suspicious or unexpected script tags or event handlers within the plugin's shortcode usage. 5. Until an official patch is released, consider disabling or removing the e.nigma buttons plugin to eliminate the attack surface. 6. Educate content contributors about safe input practices and the risks of embedding untrusted code. 7. Regularly update WordPress core and plugins to the latest versions once a patch becomes available. 8. Conduct thorough security reviews of all user inputs and outputs in custom shortcodes or plugins to prevent similar vulnerabilities.