CVE-2025-5535 in e.nigma Buttons Plugin

Summary

by MITRE • 06/26/2025

The e.nigma buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 06/26/2025

The e.nigma buttons plugin for WordPress presents a critical stored cross-site scripting vulnerability that affects all versions up to and including 1.1.3. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's 'button' shortcode implementation, creating a persistent security weakness that can be exploited by authenticated attackers possessing contributor-level privileges or higher. The flaw allows malicious actors to inject arbitrary web scripts into pages that will execute whenever any user accesses those compromised pages, making it particularly dangerous due to its stored nature and the broad execution scope it provides.

The technical root of this vulnerability lies in the plugin's handling of user-supplied attributes within the button shortcode. When administrators or contributors create or modify content using the shortcode, the plugin neither sanitizes the attribute values on input nor escapes them on output. Because the shortcode text is stored with the post and rendered on every view, this creates a persistent XSS vector: the injected script is executed in the browser of any user who visits a page containing the compromised shortcode. The weakness is confined to the shortcode processing logic, which passes attribute values into the generated markup without the escaping needed to prevent script injection.

From an operational perspective, this vulnerability poses significant risks to WordPress installations using the affected plugin. Attackers with contributor-level access or higher can leverage this weakness to execute malicious code in the browsers of other users, potentially leading to session hijacking, credential theft, or further system compromise. The stored nature of the vulnerability means that once injected, malicious scripts persist indefinitely until manually removed, making detection and remediation more challenging. The impact extends beyond individual user sessions to potentially affect entire WordPress installations, especially when multiple contributors have access to the system.

Security professionals should prioritize immediate remediation of this vulnerability by updating to the latest version of the e.nigma buttons plugin, in which the XSS issue has been addressed. Organizations should also implement additional defensive measures such as monitoring for unauthorized shortcode modifications, deploying a content security policy to limit the effect of any script that does execute, and conducting regular security audits of installed plugins. The vulnerability aligns with CWE-79 (Cross-Site Scripting) and represents a clear violation of secure coding practice that should be addressed through proper input validation and context-appropriate output escaping. This issue also maps to ATT&CK techniques T1566.001 (Phishing: Spearphishing Attachment) and T1059.001 (Command and Scripting Interpreter: Visual Basic), as attackers could use the stored XSS to deliver malicious payloads or establish persistence within targeted environments.
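The following is an added illustration, not code from the e.nigma Buttons plugin or from VulDB. It shows the unsafe pattern the advisory describes (shortcode attribute values interpolated into HTML unchanged) next to a hardened handler that validates on input and escapes for each output context, plus a save-time audit hook of the kind suggested for monitoring shortcode modifications. The function names, attribute names, CSS class prefix and allowed style list are assumptions made for this example; the real plugin's attribute set is not on the page.

```php
<?php
/**
 * Added example (not the e.nigma Buttons plugin's own code).
 * Assumes a WordPress environment; attribute names, defaults, class names
 * and function names are hypothetical.
 */

// --- Unsafe pattern: attribute values reach the browser unchanged. ---
// Shortcode attributes are stored as plain text inside the post, so KSES does
// not treat them as HTML; the handler is the only place escaping can happen.
function example_button_shortcode_unsafe( $atts ) {
    $a = shortcode_atts(
        array( 'url' => '#', 'text' => 'Click', 'style' => 'default', 'title' => '' ),
        $atts,
        'button'
    );
    // No escaping: any attribute value can break out of its HTML context.
    return '<a class="enigma-button ' . $a['style'] . '" href="' . $a['url']
         . '" title="' . $a['title'] . '">' . $a['text'] . '</a>';
}

// --- Hardened pattern: validate on input, escape for the exact output context. ---
function example_button_shortcode_safe( $atts ) {
    $a = shortcode_atts(
        array( 'url' => '#', 'text' => 'Click', 'style' => 'default', 'title' => '' ),
        $atts,
        'button'
    );

    // Allow-list the style rather than trusting a free-form value.
    $allowed_styles = array( 'default', 'primary', 'danger' ); // assumed list
    $style = in_array( $a['style'], $allowed_styles, true ) ? $a['style'] : 'default';

    // esc_url() drops URLs whose scheme is not in wp_allowed_protocols().
    $url = esc_url( $a['url'] );
    if ( '' === $url ) {
        $url = '#';
    }

    return sprintf(
        '<a class="enigma-button %s" href="%s" title="%s">%s</a>',
        esc_attr( sanitize_html_class( $style ) ), // HTML attribute context
        $url,                                       // already escaped for href
        esc_attr( $a['title'] ),                    // HTML attribute context
        esc_html( $a['text'] )                      // element text context
    );
}
add_shortcode( 'button', 'example_button_shortcode_safe' );

// --- Audit hook: record suspicious [button] attributes saved by users who
// lack the unfiltered_html capability (contributors and authors by default). ---
function example_audit_button_shortcodes( $post_id, $post ) {
    if ( wp_is_post_revision( $post_id ) || current_user_can( 'unfiltered_html' ) ) {
        return;
    }
    $pattern = get_shortcode_regex( array( 'button' ) );
    if ( ! preg_match_all( '/' . $pattern . '/s', $post->post_content, $matches ) ) {
        return;
    }
    // Capture group 3 of the core shortcode regex is the raw attribute string.
    foreach ( $matches[3] as $attr_string ) {
        $parsed = shortcode_parse_atts( $attr_string );
        if ( ! is_array( $parsed ) ) {
            continue;
        }
        foreach ( $parsed as $name => $value ) {
            // Markup-significant characters or a script scheme in an attribute
            // value have no legitimate use for a button and warrant review.
            if ( preg_match( '/[<>"\']|javascript:/i', (string) $value ) ) {
                error_log( sprintf(
                    'button shortcode audit: post %d, user %d, attribute "%s" needs review',
                    $post_id,
                    get_current_user_id(),
                    $name
                ) );
            }
        }
    }
}
add_action( 'save_post', 'example_audit_button_shortcodes', 10, 2 );
```

The hardened handler treats each attribute according to where it lands in the markup: `esc_url()` for the `href`, `esc_attr()` for other attributes, and `esc_html()` for the link text, with the style constrained to a fixed list instead of being escaped after the fact. The audit hook only logs; it is meant to feed existing monitoring rather than to block saves, since a false positive on a legitimate contributor post is cheaper to review than a silently dropped one.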

Reservation: 06/03/2025
Disclosure: 06/26/2025
Moderation: accepted
CPE: ready
EPSS: 0.00182
KEV: no
Activities: very low
