{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4221", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-02T13:03:56.183Z", "datePublished": "2025-05-21T09:21:52.591Z", "dateUpdated": "2026-04-08T17:30:24.397Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:24.397Z"}, "affected": [{"vendor": "baswaniyash", "product": "Animated Buttons", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Animated Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'auto-downloader' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Animated Buttons <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e778399f-f7fe-47c5-9722-b833d78f475c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/animated-buttons/trunk/Animated_Buttons.php#L52"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-05-20T20:30:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-21T10:11:28.867278Z", "id": "CVE-2025-4221", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-21T10:16:10.420Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4221", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-21T10:11:28.867278Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-21T10:11:30.489Z"}}], "cna": {"title": "Animated Buttons <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "baswaniyash", "product": "Animated Buttons", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-20T20:30:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e778399f-f7fe-47c5-9722-b833d78f475c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/animated-buttons/trunk/Animated_Buttons.php#L52"}], "descriptions": [{"lang": "en", "value": "The Animated Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'auto-downloader' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:24.397Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4221", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:30:24.397Z", "dateReserved": "2025-05-02T13:03:56.183Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-21T09:21:52.591Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Animated Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'auto-downloader' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Animated Buttons para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del shortcode \"auto-downloader\" del complemento en todas las versiones hasta la 1.0.0 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-4221", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-21T12:16:23.157", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/animated-buttons/trunk/Animated_Buttons.php#L52"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e778399f-f7fe-47c5-9722-b833d78f475c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:48:14.859042+00:00", "value": {"mitigation_remediation": ["Update the Animated Buttons plugin to the newest release that removes the vulnerable shortcode or, if no update is available, uninstall the plugin entirely.", "Restrict Contributor and higher roles from the site, or implement a role\u2011based policy that limits who can create or edit content with the auto\u2011downloader shortcode.", "If the plugin must remain in use, modify its code to properly sanitize all shortcode attributes and escape output before rendering, or apply a reputable security hardening plugin that blocks XSS injection."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Animated Buttons plugin installed, in any version up to and including 1.0.0. The vulnerability applies to any environment where the site administrator has granted Contributor or higher role permissions to users, as only such users can create or edit content with the plugin's shortcode.", "description_and_impact": "The Animated Buttons WordPress plugin allows authenticated contributors or higher to add a shortcode that accepts arbitrary user supplied attributes. Because the plugin fails to sanitize these attributes and escape the resulting output, any injected script will be stored and executed whenever a page containing the shortcode is loaded, effectively granting the attacker the ability to run arbitrary Javascript in the browsers of all visitors to that page.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation of this flaw is currently not widespread, and it is not listed in the CISA KEV catalog. Nevertheless, an attacker who has Contributor or higher access can persistently inject malicious scripts that will run in the browsers of all visitors on affected pages. The necessary conditions\u2014having contributor privileges and adding a page or post with the auto\u2011downloader shortcode\u2014are relatively low barriers for site administrators or malicious insiders. Once injected, the script can read cookies, hijack sessions, or perform other client\u2011side attacks on unsuspecting users."}}}}, "created": "2026-04-20T23:00:14.117213+00:00", "updated": "2026-04-20T23:00:14.117225+00:00", "vendors": []}