VYPR
Unrated severity · NVD Advisory · Published Sep 23, 2022 · Updated Apr 28, 2026

WordPress Button Plugin MaxButtons plugin <= 9.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

CVE-2022-38703

Description

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Max Foundry Button Plugin MaxButtons plugin <= 9.2 at WordPress

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated admin+ can inject persistent scripts via the MaxButtons button editor, affecting versions up to 9.2.

Vulnerability

An authenticated Stored Cross-Site Scripting (XSS) vulnerability exists in the Max Foundry MaxButtons WordPress plugin. Versions up to and including 9.2 fail to properly sanitize user-supplied input in the button editor, allowing users with Administrator-level permissions to inject arbitrary JavaScript. The injected payload is stored and executed in the browsers of other users who view the affected button elements. [2]
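As an added illustration (not code from MaxButtons or from the advisory), the hypothetical WordPress button plugin below shows the unescaped rendering pattern behind this class of stored XSS next to a hardened form that escapes each stored value for its output context and gates saving behind a capability and nonce check. All function names, option keys and field names are assumptions, since the page does not identify which editor fields were affected.

```php
<?php
// Added illustration, not MaxButtons code: a hypothetical WordPress button plugin
// that stores admin-supplied button settings and renders them in a shortcode.
// Function names, option keys, field names and the shortcode tag are assumptions.

// On save: normalise each field for the context it will later be used in.
function hyp_button_sanitize( array $raw ): array {
    return array(
        'label' => sanitize_text_field( $raw['label'] ?? '' ),
        'url'   => esc_url_raw( $raw['url'] ?? '' ),   // storage form of a URL
    );
}

// Vulnerable rendering pattern: stored values are concatenated into the markup
// unescaped. A value containing a quote or an angle bracket breaks out of the
// attribute or text context, which is the class of flaw the advisory describes.
function hyp_button_render_unsafe( array $btn ): string {
    return '<a class="hyp-btn" href="' . $btn['url'] . '">' . $btn['label'] . '</a>';
}

// Hardened rendering: escape every value for the exact context it lands in, even
// though saving already sanitized it (defence in depth: options may have been
// written by an older plugin version or edited directly in the database).
function hyp_button_render_safe( array $btn ): string {
    return sprintf(
        '<a class="hyp-btn" href="%s">%s</a>',
        esc_url( $btn['url'] ),     // href attribute context
        esc_html( $btn['label'] )   // HTML text context
    );
}

// Front end: the shortcode only ever emits the escaped form.
add_shortcode( 'hyp_button', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    $btn  = get_option( 'hyp_button_' . absint( $atts['id'] ), array() );
    return $btn ? hyp_button_render_safe( $btn ) : '';
} );

// Admin side: capability check, CSRF nonce check, then sanitized save.
add_action( 'admin_post_hyp_button_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'hyp_button_save' );
    $id = absint( $_POST['id'] ?? 0 );
    update_option( 'hyp_button_' . $id, hyp_button_sanitize( wp_unslash( $_POST ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=hyp-buttons' ) );
    exit;
} );
```

Reviewing a plugin for this flaw means checking every place a stored button field reaches HTML output and confirming it passes through the escaping function matching that context, not only that it was sanitized on input.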

Exploitation

An attacker must have an Administrator account (or equivalent role) on the WordPress site to leverage this vulnerability. By creating or editing a button, the attacker can insert malicious scripts into input fields that are not sanitized. Once the button is saved and rendered on a page, any visitor triggers the stored script. No additional user interaction beyond viewing the page is required. [2]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, redirection to malicious sites, or exfiltration of sensitive data. The attack is persistent, meaning the payload executes automatically for every visitor who encounters the compromised button. [2]

Mitigation

The vulnerability is fixed in MaxButtons version 9.3 or later. Users are strongly advised to update to the latest version (9.8.5 as of September 2025) via the WordPress plugin repository. [1] If immediate updating is not possible, users should restrict administrator access to trusted individuals only. No workaround other than removing the plugin or patching is available.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)