CVE-2025-14113 - Vulnerability Details

- Viitor Button Shortcodes <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Shortcode Attribute

Description

The Viitor Button Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' shortcode attribute in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2026-01-07

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Viitor Button Shortcodes plugin is vulnerable to stored cross‑site scripting via the 'link' shortcode attribute. Supplying a malicious value in this attribute allows an authenticated attacker with Contributor or higher privileges to inject arbitrary JavaScript into pages. When the affected page is viewed, the injected script executes in the context of the site, enabling actions such as cookie theft, session hijacking, or defacement.

Affected Systems

The vulnerability affects all releases of Viitor Button Shortcodes up to and including version 3.0.0. The product is distributed by ViitorcloudVC and is commonly used on WordPress sites that allow contributors to create or edit content.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests that the likelihood of exploitation observed in the wild is low, and the vulnerability is not listed in CISA KEV. However, exploitation requires at least Contributor‑level access, which is common on many sites. An attacker who can add or edit posts can exploit the flaw to inject scripts that run for all users who visit the compromised page, potentially leading to widespread compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

viitorcloudvc

Viitor Button Shortcodes

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.0.0

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Viitor Button Shortcodes to a version newer than 3.0.0 where the sanitization flaw has been fixed.
If an upgrade is not feasible, remove or disable the plugin to eliminate the attack vector.
Restrict Contributor and similar roles from adding shortcodes, or modify role capabilities to prevent the use of the vulnerable 'link' attribute.
Audit existing content for unexpected JavaScript or suspicious 'link' attributes and remediate any findings.

Generated by OpenCVE AI on April 21, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00043.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/viitor-shortcodes/tags/3.0.0/includes/class-ww-vcsc-shortcodes.php#L51
https://plugins.trac.wordpress.org/browser/viitor-shortcodes/trunk/includes/class-ww-vcsc-shortcodes.php#L51
https://www.wordfence.com/threat-intel/vulnerabilities/id/61488a15-b49f-4381-9a35-746c39f25967?source=cve

History

Thu, 08 Jan 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Wed, 07 Jan 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 07 Jan 2026 09:30:00 +0000

Type	Values Removed	Values Added
Description		The Viitor Button Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' shortcode attribute in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Viitor Button Shortcodes <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Shortcode Attribute
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/viitor-shortcodes/tags/3.0.0/includes/class-ww-vcsc-shortcodes.php#L51 https://plugins.trac.wordpress.org/browser/viitor-shortcodes/trunk/includes/class-ww-vcsc-shortcodes.php#L51 https://www.wordfence.com/threat-intel/vulnerabilities/id/61488a15-b49f-4381-9a35-746c39f25967?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-01-07T09:20:58.219Z

Updated: 2026-04-08T16:56:47.655Z

Reserved: 2025-12-05T15:02:34.468Z

Link: CVE-2025-14113

Vulnrichment

Updated: 2026-01-07T15:17:56.909Z

NVD

Status : Deferred

Published: 2026-01-07T12:16:52.547

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14113

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:45:15Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object