Stored Cross-Site Scripting in Epic Bootstrap Buttons for WordPress
CVE-2025-8776

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Epic Bootstrap Buttons
Vendor: CVE Published:; 3 October 2025

What is CVE-2025-8776?

The Epic Bootstrap Buttons plugin for WordPress exhibits a vulnerability to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping via the 'icol' parameter. This flaw allows authenticated users with Contributor-level access or greater to inject malicious web scripts into pages. These scripts will execute automatically when another user accesses an affected page, potentially compromising user sessions or leading to further exploitation.

Affected Version(s)

Epic Bootstrap Buttons * <= 1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.svn.wordpress.org/epic-bootstrap-buttons/...

https://wordpress.org/plugins/epic-bootstrap-buttons/#dev...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 3, 2025
Vulnerability Reserved
Aug 8, 2025

Credit

Muhammad Yudha - DJ

JSON