Description
The Animated Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'auto-downloader' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Animated Buttons WordPress plugin allows authenticated users with the Contributor role or higher to add a shortcode that accepts arbitrary user-supplied attributes. Because the plugin neither sanitizes these attributes on input nor escapes the resulting output, any injected script is stored with the content and executed whenever a page containing the shortcode is loaded, effectively granting the attacker the ability to run arbitrary JavaScript in the browsers of all visitors to that page.

Affected Systems

WordPress sites that have the Animated Buttons plugin installed, in any version up to and including 1.0.0. The vulnerability applies to any environment where the site administrator has granted Contributor or higher role permissions to users, as only such users can create or edit content with the plugin's shortcode.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation of this flaw is currently not widespread, and it is not listed in the CISA KEV catalog. Nevertheless, an attacker with Contributor or higher access can persistently inject malicious scripts that will run in the browsers of all visitors to affected pages. The necessary conditions, holding Contributor privileges and adding a page or post that uses the auto-downloader shortcode, are a relatively low barrier for a malicious insider holding such an account. Once injected, the script can read cookies, hijack sessions, or perform other client-side attacks on unsuspecting users.

Generated by OpenCVE AI on April 20, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Animated Buttons plugin to the newest release that removes the vulnerable shortcode or, if no update is available, uninstall the plugin entirely.
  • Limit which users hold the Contributor role or higher, or implement a role-based policy that restricts who can create or edit content containing the auto-downloader shortcode.
  • If the plugin must remain in use, modify its code to properly sanitize all shortcode attributes and escape output before rendering, or apply a reputable security hardening plugin that blocks XSS injection.
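The third recommendation, sanitizing every shortcode attribute and escaping at output, is the generic fix for CWE-79 in a WordPress shortcode. The handler below is an added example written for this page; it is not the Animated Buttons plugin's code, and the shortcode name, attribute names (`url`, `label`, `color`) and function name are assumptions. Every WordPress function it calls (`add_shortcode`, `shortcode_atts`, `esc_url_raw`, `sanitize_text_field`, `esc_attr`, `esc_url`, `esc_html`) is a real core API. The vulnerable pattern it replaces is concatenating `$atts['...']` straight into the returned HTML.

```php
<?php
// Added example, not the plugin's own code: a shortcode handler that treats
// every attribute as untrusted. Shortcode and attribute names are assumptions.

add_shortcode( 'auto-downloader', 'example_secure_auto_downloader' );

function example_secure_auto_downloader( $atts ) {
    // 1. Allow-list the attributes and supply defaults; shortcode_atts()
    //    drops any attribute that is not in this list.
    $atts = shortcode_atts(
        array(
            'url'   => '',
            'label' => 'Download',
            'color' => 'blue',
        ),
        $atts,
        'auto-downloader'
    );

    // 2. Sanitize each value to the type the template expects.
    //    esc_url_raw() strips disallowed schemes such as javascript:.
    $url   = esc_url_raw( $atts['url'] );
    $label = sanitize_text_field( $atts['label'] );

    //    Values that end up in a class name get a closed set, not free text.
    $allowed_colors = array( 'blue', 'green', 'red' );
    $color = in_array( $atts['color'], $allowed_colors, true ) ? $atts['color'] : 'blue';

    if ( '' === $url ) {
        return ''; // nothing to render without a usable URL
    }

    // 3. Escape at output, per context: attribute, URL attribute, text node.
    //    Never echo $atts['...'] directly into markup.
    return sprintf(
        '<a class="animated-button animated-button-%1$s" href="%2$s" download>%3$s</a>',
        esc_attr( $color ),
        esc_url( $url ),
        esc_html( $label )
    );
}
```

The three steps map onto the advisory's two failure modes: steps 1 and 2 are the missing input sanitization, step 3 is the missing output escaping. Escaping is chosen by where the value lands (an attribute, an `href`, or element text), because a value that is safe in one HTML context is not automatically safe in another.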



Advisories
Source: EUVD
ID: EUVD-2025-16075
Title: The Animated Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'auto-downloader' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 21 May 2025 11:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 21 May 2025 09:30:00 +0000

Values removed: none
Values added:

Description: The Animated Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'auto-downloader' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title: Animated Buttons <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses: CWE-79
References:
Metrics (cvssV3_1):

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:24.397Z

Reserved: 2025-05-02T13:03:56.183Z

Link: CVE-2025-4221

Vulnrichment

Updated: 2025-05-21T10:11:30.489Z

NVD

Status: Deferred

Published: 2025-05-21T12:16:23.157

Modified: 2026-06-17T09:32:47.793

Link: CVE-2025-4221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')