CVE-2025-23449

High

Published: 22 January 2025

Published

22 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0023 45.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in davidpuc Simple shortcode buttons simple-shortcode-buttons allows Reflected XSS.This issue affects Simple shortcode buttons: from n/a through <= 1.3.2.

Security Summary

CVE-2025-23449 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin Simple Shortcode Buttons by davidpuc. This issue affects all versions of the plugin from n/a through 1.3.2 inclusive.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility with low attack complexity, no required privileges, and user interaction needed for exploitation. Remote attackers can deliver a reflected XSS payload, such as via malicious links or inputs processed by the plugin, tricking authenticated users into executing scripts in their browsers. This enables limited impacts on confidentiality, integrity, and availability, with a changed scope that may affect other users or site resources through the victim's context.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/simple-shortcode-buttons/vulnerability/wordpress-simple-shortcode-buttons-plugin-1-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/simple-shortcode-buttons/vulnerability/wordpress-simple-shortcode-buttons-plugin-1-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com