CVE-2025-8776 identifies a stored cross-site scripting (XSS) vulnerability in the Epic Bootstrap Buttons plugin for WordPress, maintained by mikemayhem3030. The vulnerability exists due to improper neutralization of input during web page generation, specifically through the ‘icol’ parameter. All versions up to and including 1.0 are affected. The core issue is insufficient input sanitization and output escaping, which allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. These malicious scripts are stored persistently and execute in the context of any user who views the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the user. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or higher), no user interaction, and scope change. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple authenticated contributors. The plugin’s widespread use in WordPress environments makes this a relevant threat to many organizations relying on this CMS for content management and website functionality.

The impact of CVE-2025-8776 can be significant for organizations using the Epic Bootstrap Buttons plugin on WordPress sites. Successful exploitation allows attackers with Contributor-level access to inject persistent malicious scripts, which execute in the browsers of all users visiting the compromised pages. This can lead to session hijacking, theft of authentication tokens, defacement, unauthorized actions performed on behalf of users, and potential spread of malware. The vulnerability compromises the confidentiality and integrity of user data and site content but does not directly affect availability. Since exploitation requires authenticated access, the risk is higher in environments with multiple contributors or less restrictive access controls. Organizations with high-traffic WordPress sites or those handling sensitive user data are at greater risk of reputational damage, data breaches, and compliance violations if this vulnerability is exploited. Additionally, the scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting broader site functionality.

To mitigate CVE-2025-8776, organizations should take the following specific actions: 1) Immediately review and restrict Contributor-level and higher privileges to trusted users only, minimizing the number of accounts that can exploit this vulnerability. 2) Monitor WordPress sites for unusual or unauthorized script injections, particularly in areas where the ‘icol’ parameter is used or stored content is displayed. 3) Implement web application firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the ‘icol’ parameter. 4) Encourage or enforce the use of Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 5) Regularly audit and sanitize all user-generated content before rendering it on web pages, applying strict output encoding practices. 6) Stay alert for official patches or updates from the plugin vendor and apply them promptly once available. 7) Consider temporarily disabling or replacing the Epic Bootstrap Buttons plugin if immediate patching is not possible. 8) Educate site administrators and contributors about the risks of XSS and safe content management practices to reduce inadvertent exploitation.