CVE-2025-60154

Vulnerability

Overview

The MWW Disclaimer Buttons plugin for WordPress (versions up to and including 3.41) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker with sufficient privileges to inject arbitrary HTML and JavaScript code that is stored on the server and later executed in the browsers of visitors.

Exploitation

Conditions

Exploitation requires a privileged user role (e.g., administrator or editor) to perform an action such as clicking a crafted link or submitting a malicious form [1]. The attacker must first gain or trick a privileged user into injecting the payload. Once stored, the malicious script executes automatically when any user visits the affected page, without requiring further interaction from the victim.

Impact

A successful attack can lead to script injection, enabling actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing session cookies [1]. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity.

Mitigation

The vendor has released version 3.5 which resolves the issue [1]. Users are strongly advised to update immediately. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins only [1].