Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Button Block button-block allows Stored XSS. This issue affects Button Block: from n/a through <= 1.1.9.
Published: 2025-01-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the bPlugins Button Block plugin allows an attacker to inject malicious scripts that are stored and later rendered in the web page. If an attacker can create or edit a button block, the unsafe input is not properly neutralized, enabling them to execute arbitrary JavaScript in the context of authenticated users who view the affected page. This can lead to theft of session data, hijacking of user accounts, defacement of the site, or redirection to malicious destinations. The weakness is a classic stored XSS flaw, as identified by CWE-79.

Affected Systems

All WordPress sites that have the bPlugins Button Block plugin installed in versions up to 1.1.9 are affected. The advisory names only the Button Block plugin and does not specify a minimum WordPress core version, so any site running those plugin releases should be considered at risk.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity, the EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the WordPress admin interface: an attacker who can add or edit blocks can supply malicious payloads that are stored and later rendered to other visitors. Because the data is persisted, the impact persists until the injected content is removed or the plugin is upgraded. Exploitation does not require server access or a privileged network position, indicating that a compromised administrator account is sufficient.

Generated by OpenCVE AI on May 1, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Button Block plugin to version 1.2.0 or later to eliminate the stored XSS flaw.
  • If an upgrade is not immediately possible, disable the Button Block plugin to prevent further data injection until a safe version is installed.
  • Apply defensive coding practices such as escaping or sanitizing any user-supplied content before rendering, and consider adding a Content-Security-Policy header to restrict script execution from unknown sources.
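The escaping step in the last recommendation, shown as an added example in the form of a WordPress dynamic-block render callback. This is illustrative code written for this page, not code from the Button Block plugin or from bPlugins; the block name `example/button`, the attribute names (`label`, `url`, `color`, `newTab`) and the function name `example_button_render` are assumptions. The WordPress functions it calls (`register_block_type`, `esc_url`, `esc_attr`, `esc_html`, the `init` and `send_headers` hooks) are real core APIs.

```php
<?php
/**
 * Added example (not the Button Block plugin's code): a server-side render
 * callback for a hypothetical "example/button" block that escapes every
 * user-supplied attribute before it is written into the page.
 */

// Hypothetical block registration; the attribute names are assumptions.
add_action( 'init', function () {
    register_block_type( 'example/button', array(
        'attributes'      => array(
            'label'  => array( 'type' => 'string',  'default' => 'Click here' ),
            'url'    => array( 'type' => 'string',  'default' => '' ),
            'color'  => array( 'type' => 'string',  'default' => '#0073aa' ),
            'newTab' => array( 'type' => 'boolean', 'default' => false ),
        ),
        'render_callback' => 'example_button_render',
    ) );
} );

/**
 * Builds the button markup. Each attribute goes through the WordPress
 * escaping function that matches the HTML context it lands in:
 *   - esc_url()  for the href (returns '' for URLs whose scheme is not in
 *                wp_allowed_protocols()),
 *   - esc_attr() for attribute values (the style attribute here),
 *   - esc_html() for the text between the tags.
 * Escaping on output also neutralizes values that were stored before the
 * fix was deployed, which matters for a stored flaw.
 */
function example_button_render( $attributes ) {
    $label  = isset( $attributes['label'] ) ? $attributes['label'] : '';
    $url    = isset( $attributes['url'] )   ? $attributes['url']   : '';
    $color  = isset( $attributes['color'] ) ? $attributes['color'] : '';
    $target = ! empty( $attributes['newTab'] );

    // Validate the colour against a strict pattern instead of trusting it:
    // an attribute that only ever holds a hex colour should never carry
    // anything else. Omit the style entirely when it does not match.
    $style = '';
    if ( preg_match( '/^#[0-9a-fA-F]{3,8}$/', $color ) ) {
        $style = 'background-color:' . $color . ';';
    }

    $html  = '<a class="wp-block-example-button"';
    $html .= ' href="' . esc_url( $url ) . '"';
    if ( '' !== $style ) {
        $html .= ' style="' . esc_attr( $style ) . '"';
    }
    if ( $target ) {
        $html .= ' target="_blank" rel="noopener noreferrer"';
    }
    $html .= '>' . esc_html( $label ) . '</a>';

    return $html;
}

/*
 * The weak counterpart, kept only as a comment for contrast:
 *   return '<a href="' . $url . '">' . $label . '</a>';
 * writes the stored attribute values into the page untouched, which is the
 * pattern CWE-79 describes.
 */

// Second half of the same recommendation: a Content-Security-Policy header.
// The policy below is a starting point only; WordPress core, themes and
// other plugins commonly emit inline scripts, so a real site must tune the
// source lists (or use nonces) before enforcing it.
add_action( 'send_headers', function () {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
} );
```

If a block attribute legitimately holds limited rich text rather than a plain label, `wp_kses_post()` is the matching sanitizer: it keeps an allow-list of post-safe tags and attributes instead of escaping everything. The checks above stay on the output path, so a block whose attributes were saved by an older plugin version is rendered safely as soon as the escaping callback is in place.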

Advisories

Source: EUVD
ID: EUVD-2025-3019
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LLC Button Block allows Stored XSS. This issue affects Button Block: from n/a through 1.1.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1)
  Removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  Added:   {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LLC Button Block allows Stored XSS. This issue affects Button Block: from n/a through 1.1.6.
  Added:   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Button Block button-block allows Stored XSS. This issue affects Button Block: from n/a through <= 1.1.9.
Title
  Removed: WordPress Button Block plugin <= 1.1.6 - Cross Site Scripting (XSS) vulnerability
  Added:   WordPress Button Block plugin <= 1.1.9 - Cross Site Scripting (XSS) vulnerability
References
Metrics (cvssV3_1)
  Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  Added:   {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 25 Feb 2025 17:15:00 +0000

First Time appeared
  Added: Bplugins; Bplugins button Block
CPEs
  Added: cpe:2.3:a:bplugins:button_block:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Added: Bplugins; Bplugins button Block

Fri, 10 Jan 2025 21:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Jan 2025 15:45:00 +0000

Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LLC Button Block allows Stored XSS. This issue affects Button Block: from n/a through 1.1.6.
Title
  Added: WordPress Button Block plugin <= 1.1.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses
  Added: CWE-79
References
Metrics (cvssV3_1)
  Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:37:10.639Z

Reserved: 2025-01-07T21:05:44.629Z

Link: CVE-2025-22815

Vulnrichment

Updated: 2025-01-10T20:19:08.110Z

NVD

Status : Modified

Published: 2025-01-09T16:16:31.543

Modified: 2026-04-23T15:23:40.473

Link: CVE-2025-22815

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:15:27Z

Weaknesses