CVE-2025-4221: 
WordPress vulnerability analysis and mitigation

The Animated Buttons plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-4221) discovered in all versions up to and including 1.0.0. The vulnerability was disclosed on May 21, 2025, affecting the plugin's 'auto-downloader' shortcode functionality (NVD CVE, Wiz Analysis).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the 'auto-downloader' shortcode. The issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD CVE, Wiz Analysis).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to theft of sensitive information or manipulation of page content (Wiz Analysis).

No specific mitigation steps or patches have been publicly released yet. Website administrators running the Animated Buttons plugin should consider disabling the plugin until a security update is available (Wiz Analysis).