CVE-2025-5535: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in chemiker e.nigma buttons
The e.nigma buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-5535 is a stored Cross-Site Scripting (XSS) vulnerability affecting the e.nigma buttons plugin for WordPress in all versions up to and including 1.1.3. The root cause is improper neutralization of input during web page generation (CWE-79): user-supplied attributes of the plugin's 'button' shortcode are neither adequately sanitized on input nor escaped on output before being rendered into the page. An authenticated user with contributor-level privileges or higher can therefore place arbitrary JavaScript in a page. Because the injected script is stored with the content and runs whenever any user loads the affected page, it can be used for session hijacking, privilege escalation, or other malicious actions. No user interaction beyond visiting the page is required; the attacker needs at least contributor-level access, which is a relatively low privilege level in WordPress deployments. The CVSS v3.1 base score is 6.4 (medium), vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, low impact on confidentiality and integrity, and no impact on availability. No exploitation in the wild has been reported, and no patch has been linked yet. The CVE was published on June 26, 2025, and was assigned by Wordfence. The plugin adds customizable buttons to WordPress sites; any site on which version 1.1.3 or earlier is installed and active is exposed.
Potential Impact
For European organizations running WordPress sites with the e.nigma buttons plugin, this vulnerability poses a significant risk of persistent XSS. An attacker with contributor-level access can inject scripts that execute in the browsers of visitors and administrators, potentially leading to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and defacement. This undermines the integrity and confidentiality of the web application and its user data. Because WordPress is widely used across Europe for corporate, governmental, and e-commerce websites, the risk extends to sectors that process personal data under GDPR, adding regulatory and reputational exposure. Any organization that lets contributor-level users add or edit content and runs the affected plugin version is in scope. Since no user interaction beyond visiting the page is needed, the attack surface is every reader of an affected page. Because exploitation requires an authenticated account, external attackers without credentials are less likely to exploit it directly, but insider threats or compromised accounts could be leveraged. The absence of known exploits in the wild suggests a limited immediate threat, but it also underscores the importance of proactive mitigation.
Mitigation Recommendations
1. Immediately audit WordPress installations across the organization to identify where the e.nigma buttons plugin is installed and verify its version.
2. Restrict contributor-level privileges strictly to trusted users; review and minimize the number of users with such access.
3. Implement a Content Security Policy (CSP) that blocks inline script execution and limits script sources to trusted domains, so that an injected script has limited effect even if it is stored.
4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute values or script tags in content submissions.
5. Monitor logs and content revisions for unusual shortcode usage or unexpected script injection.
6. Until an official patch is released, consider disabling or uninstalling the e.nigma buttons plugin if feasible, or replacing it with an alternative plugin that does not have this vulnerability.
7. Educate content contributors about the risks of inserting untrusted content and enforce strict input validation policies.
8. Plan for rapid deployment of a patch once available, and test updates in a staging environment before production rollout.
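The technical summary above describes the CWE-79 pattern (shortcode attributes and inner content rendered without sanitization or escaping), and the mitigations above are about limiting its impact. The following is an added, hypothetical WordPress shortcode handler written for this page to illustrate that pattern next to its fix; it is not the e.nigma buttons plugin's code, and the shortcode name `demo_button`, its attributes and the function names are assumptions. Only the WordPress core functions it calls (`shortcode_atts`, `esc_url`, `esc_attr`, `esc_html`, `add_shortcode`) are real.

```php
<?php
// Added illustrative example, not the plugin's own code.
// A contributor can write [demo_button url="..." color="..." target="..."]Label[/demo_button]
// in a post; WordPress calls the registered handler with the attributes and inner content.

// Vulnerable pattern (CWE-79): attribute values and inner content are concatenated
// straight into markup. A double quote in an attribute value breaks out of the
// attribute, and inner content is emitted as raw HTML, so stored content becomes
// stored script for every reader of the page.
function enigma_demo_button_vulnerable( $atts, $content = '' ) {
    $atts = shortcode_atts(
        array( 'url' => '#', 'color' => 'blue', 'target' => '_self' ),
        $atts,
        'demo_button'
    );
    return '<a href="' . $atts['url'] . '" class="btn btn-' . $atts['color']
         . '" target="' . $atts['target'] . '">' . $content . '</a>';
}

// Hardened pattern: validate what can be validated against an allow-list, and
// escape everything else for the exact context it is emitted into
// (URL in href, attribute value, text node).
function enigma_demo_button_safe( $atts, $content = '' ) {
    $atts = shortcode_atts(
        array( 'url' => '#', 'color' => 'blue', 'target' => '_self' ),
        $atts,
        'demo_button'
    );

    // Enumerated attributes: accept only known values, fall back to a default.
    $allowed_colors  = array( 'blue', 'green', 'red', 'grey' );
    $allowed_targets = array( '_self', '_blank' );
    $color  = in_array( $atts['color'], $allowed_colors, true ) ? $atts['color'] : 'blue';
    $target = in_array( $atts['target'], $allowed_targets, true ) ? $atts['target'] : '_self';

    // esc_url() rejects schemes outside WordPress's allowed protocol list
    // (returning an empty string) and encodes the value for use in href.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        $url = '#';
    }

    // Inner content becomes a text node: esc_html() turns any markup into
    // literal characters. Use wp_kses_post() instead only if limited HTML
    // formatting inside the label is a requirement.
    $label = esc_html( $content );

    // Hygiene for target="_blank": prevent the opened page from reaching window.opener.
    $rel = ( '_blank' === $target ) ? ' rel="noopener noreferrer"' : '';

    return sprintf(
        '<a href="%s" class="btn btn-%s" target="%s"%s>%s</a>',
        $url,                 // already escaped by esc_url()
        esc_attr( $color ),   // allow-listed, escaped anyway for defence in depth
        esc_attr( $target ),
        $rel,
        $label
    );
}

// Register only the hardened handler.
add_shortcode( 'demo_button', 'enigma_demo_button_safe' );
```

The key defender's point is that the escaping function must match the output context: `esc_url()` for the href, `esc_attr()` for attribute values and `esc_html()` for text between tags. Sanitizing on save is not a substitute, because contributors' content is stored and re-rendered later; output escaping in the handler protects every render regardless of how the content was saved. A CSP that disallows inline scripts, as recommended above, is the complementary control for the case where an escaping gap is missed.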
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-03T15:06:53.599Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685cac96e230f5b2348611f3
Added to database: 6/26/2025, 2:12:38 AM
Last enriched: 6/26/2025, 2:29:36 AM
Last updated: 8/13/2025, 4:10:19 AM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)