Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cleanshooter ICS Button ics-button allows Stored XSS. This issue affects ICS Button: from n/a through <= 0.6.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input that results in stored cross‑site scripting (XSS) in the Cleanshooter:ICS Button WordPress plugin. An attacker can inject arbitrary JavaScript that is persistently rendered in web pages served by sites that use the plugin. This flaw allows the execution of malicious code in the browsers of users who view the affected content. The weakness is classified as CWE‑79.

Affected Systems

WordPress sites that have installed the Cleanshooter:ICS Button plugin version 0.6 or earlier are vulnerable. No other vendors or product lines are listed as affected according to the CNA data.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity vulnerability. The EPSS score of <1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s data input interfaces that store unsanitized user submissions, allowing an attacker to submit crafted payloads via the WordPress admin interface or content submission forms. Exploitation does not require elevated privileges on the host and can affect any visitor who loads the compromised content.

Generated by OpenCVE AI on May 2, 2026 at 06:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Cleanshooter:ICS Button plugin to a version higher than 0.6.
  • If an update is not immediately available, deactivate or remove the plugin until a patched version is released.
  • Sanitize or delete any plugin‑stored content that may contain injected scripts to prevent execution by site visitors.


Advisories
Source: EUVD
ID: EUVD-2025-2850
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Motacek ICS Button allows Stored XSS. This issue affects ICS Button: from n/a through 0.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Motacek ICS Button allows Stored XSS. This issue affects ICS Button: from n/a through 0.6.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cleanshooter ICS Button ics-button allows Stored XSS. This issue affects ICS Button: from n/a through <= 0.6.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 07 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Motacek ICS Button allows Stored XSS. This issue affects ICS Button: from n/a through 0.6.
Title WordPress ICS Button plugin <= 0.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:35:47.803Z

Reserved: 2025-01-07T10:23:33.284Z

Link: CVE-2025-22574

Vulnrichment

Updated: 2025-01-07T16:30:21.841Z

NVD

Status: Deferred

Published: 2025-01-07T16:15:53.667

Modified: 2026-06-17T08:48:23.407

Link: CVE-2025-22574

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')