CVE-2025-10190

The WP Easy Toggles plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.9.0. The vulnerability exists in the plugin's 'toggles' shortcode, which fails to properly sanitize user-supplied attributes and escape output and escape attributes, allowing malicious script injection [1].

Exploitation requires an authenticated attacker with at least contributor-level access. The attacker can inject arbitrary web scripts through the shortcode attributes, which are then stored and executed when the page is saved. These scripts execute whenever a user accesses the compromised page, making it a stored XSS attack [1].

The impact is that an attacker can execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking, defacement, or redirection to malicious sites, affecting any user who views the injected page [1].

As of October 9, 2025, the plugin has been closed and is no longer available for download due to this security issue. Users are advised to remove the plugin and seek alternatives, as no patched version exists [1].