CVE-2025-2510: 
WordPress vulnerability analysis and mitigation

The Frndzk Expandable Bottom Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via 'text' parameter in versions up to and including 1.0. The vulnerability was discovered and disclosed on March 25, 2025. This security issue affects WordPress installations, specifically multi-site installations and installations where unfiltered_html has been disabled (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue due to insufficient input sanitization and output escaping. The CVSS v3.1 base score is 5.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability specifically affects the 'text' parameter in the plugin, which fails to properly sanitize user input (Wordfence).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page. The impact is particularly significant for multi-site installations and installations where unfiltered_html has been disabled (NVD).

As of March 20, 2025, the plugin has been temporarily closed and is not available for download pending a full review (WordPress Plugin). Site administrators are advised to remove or disable the plugin until a security fix is available.