{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8776", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-08T20:46:56.901Z", "datePublished": "2025-10-03T11:17:17.971Z", "dateUpdated": "2026-04-08T17:09:18.861Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:18.861Z"}, "affected": [{"vendor": "mikemayhem3030", "product": "Epic Bootstrap Buttons", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Epic Bootstrap Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018icol\u2019 parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Epic Bootstrap Buttons <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via icol Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/91ddc368-bfe5-4581-aa99-ac9f4bcf9da4?source=cve"}, {"url": "https://plugins.svn.wordpress.org/epic-bootstrap-buttons/trunk/epicboot.php"}, {"url": "https://wordpress.org/plugins/epic-bootstrap-buttons/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-10-02T22:12:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-03T18:16:53.255958Z", "id": "CVE-2025-8776", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:17:19.897Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8776", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-03T18:16:53.255958Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:17:11.748Z"}}], "cna": {"title": "Epic Bootstrap Buttons <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via icol Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mikemayhem3030", "product": "Epic Bootstrap Buttons", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-02T22:12:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/91ddc368-bfe5-4581-aa99-ac9f4bcf9da4?source=cve"}, {"url": "https://plugins.svn.wordpress.org/epic-bootstrap-buttons/trunk/epicboot.php"}, {"url": "https://wordpress.org/plugins/epic-bootstrap-buttons/#developers"}], "descriptions": [{"lang": "en", "value": "The Epic Bootstrap Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018icol\u2019 parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:18.861Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8776", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:09:18.861Z", "dateReserved": "2025-08-08T20:46:56.901Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-03T11:17:17.971Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Epic Bootstrap Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018icol\u2019 parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-8776", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-03T12:15:45.167", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/epic-bootstrap-buttons/trunk/epicboot.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/epic-bootstrap-buttons/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/91ddc368-bfe5-4581-aa99-ac9f4bcf9da4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:55:46.987599+00:00", "value": {"mitigation_remediation": ["Update the Epic Bootstrap Buttons plugin to the latest release that contains the fix for the icol parameter XSS vulnerability.", "If a newer version is unavailable, remove or disable the plugin entirely to eliminate the attack surface.", "Limit Contributor and higher roles to trusted users, or downgrade them to lower\u2011privilege roles that cannot modify plugin settings or content."], "summary": {"action": "Patch or Disable", "impact": "Stored Cross\u2011Site Scripting that can be triggered by authenticated contributors and above"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Epic Bootstrap Buttons plugin installed in any version up to and including 1.0. The CVE specifies only these versions; newer releases, if available, are not known to be affected. Administrators should check the plugin\u2019s version and confirm whether any installed instance falls within the vulnerable range.", "description_and_impact": "The Epic Bootstrap Buttons plugin for WordPress contains an input validation flaw in the icol parameter. Attackers who can log in with Contributor or higher roles can embed arbitrary JavaScript payloads that are stored and rendered on subsequent page loads. This stored cross\u2011site scripting (CWE\u201179) allows malicious code to run in the browsers of any visitor to the affected page, potentially exposing session cookies, defacing content, or redirecting users to phishing sites. The vulnerability is purely an input sanitization failure without additional privilege escalation.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score of < 1% denotes a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The risk remains moderate but the likelihood of real\u2011world exploitation remains low."}}}}, "created": "2025-10-06T14:42:54.144738+00:00", "updated": "2026-04-21T19:00:36.141278+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}