VYPR
Unrated severity · NVD Advisory · Published Jul 25, 2023 · Updated Apr 28, 2026

WordPress MaxButtons Plugin <= 9.5.3 is vulnerable to Cross Site Scripting (XSS)

CVE-2023-36503

Description

Authenticated (contributor+) Cross-Site Scripting (XSS) vulnerability in the Max Foundry WordPress Button Plugin MaxButtons plugin, versions <= 9.5.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-Site Scripting in MaxButtons plugin <= 9.5.3 allows contributor+ users to inject arbitrary JavaScript.

Vulnerability

The MaxButtons plugin for WordPress (versions up to and including 9.5.3) contains a Cross-Site Scripting vulnerability. Authenticated users with at least contributor-level access can inject malicious scripts through the plugin's button creation functionality. [1]

Exploitation

An attacker must have a WordPress account with contributor privileges or higher. They can craft a button with malicious JavaScript payloads that will be stored and executed when the button is rendered on a page. No additional user interaction beyond viewing the page is needed.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or other client-side attacks. The scope is limited to the affected WordPress site.

Mitigation

The vulnerability is fixed in MaxButtons version 9.5.4 and later [1]. Users should update to the latest version (9.8.5 as of the reference). If unable to update, restrict contributor-level accounts or review button content for malicious code.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
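The render-path mistake that this class of bug comes down to, shown as an added example that is not MaxButtons code: a hypothetical `[demo_button]` shortcode (the function names, shortcode tag and meta keys are assumptions) first concatenating contributor-supplied fields straight into markup, then the same output with the WordPress escaping functions each field's context requires, plus sanitization on save as a second layer.

```php
<?php
// Added example (not MaxButtons code). Contributors do not hold the
// 'unfiltered_html' capability, but button fields a plugin stores in its own
// post meta never pass through WordPress's KSES post filter, so whatever the
// contributor typed reaches the render path unchanged. Output escaping is
// what stops it from becoming stored XSS. Names and meta keys are assumptions.

// Vulnerable pattern: stored fields concatenated straight into markup.
function demo_button_render_unsafe( array $button ) {
    return '<a href="' . $button['url'] . '" style="' . $button['style'] . '">'
        . $button['text'] . '</a>';
}

// Hardened pattern: escape each field for the context it lands in.
function demo_button_render_safe( array $button ) {
    // esc_url() drops schemes outside wp_allowed_protocols(), so a
    // javascript: URL becomes an empty string.
    $url   = esc_url( $button['url'] );
    // safecss_filter_attr() allow-lists CSS; esc_attr() handles the quotes.
    $style = esc_attr( safecss_filter_attr( $button['style'] ) );
    // The label is plain text; any tags in it are rendered literally.
    $text  = esc_html( $button['text'] );
    return '<a href="' . $url . '" style="' . $style . '">' . $text . '</a>';
}

// [demo_button id="123"] loads the stored fields and renders them safely.
function demo_button_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_button' );
    $id   = absint( $atts['id'] );
    if ( ! $id ) {
        return '';
    }
    $button = array(
        'url'   => (string) get_post_meta( $id, '_demo_button_url', true ),
        'style' => (string) get_post_meta( $id, '_demo_button_style', true ),
        'text'  => (string) get_post_meta( $id, '_demo_button_text', true ),
    );
    return demo_button_render_safe( $button );
}
add_shortcode( 'demo_button', 'demo_button_shortcode' );

// Defence in depth: also sanitize on save, so the stored copy is clean even
// if another render path forgets to escape.
function demo_button_save( $post_id, array $fields ) {
    update_post_meta( $post_id, '_demo_button_url',   esc_url_raw( $fields['url'] ) );
    update_post_meta( $post_id, '_demo_button_style', safecss_filter_attr( $fields['style'] ) );
    update_post_meta( $post_id, '_demo_button_text',  sanitize_text_field( $fields['text'] ) );
}
```

When auditing a plugin for this pattern, the place to look is every path that echoes a stored button field; the save-time sanitizer alone is not sufficient, because older rows written before a fix remain unsanitized.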

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.