MaxButtons < 9.8.1 - Admin+ Stored XSS via Button Width

Vulnerability

The WordPress Button Plugin MaxButtons, versions before 9.8.1, fails to sanitize and escape some of its settings, specifically those related to button width. This allows high-privilege users (such as admins) to inject malicious scripts through the settings interface. The vulnerability is particularly dangerous in multisite environments where the unfiltered_html capability is disallowed for admins, as the plugin bypasses the usual restrictions [1].

Exploitation

An attacker with administrator-level access to the WordPress admin panel can navigate to the MaxButtons settings and insert a crafted XSS payload into a button width field. No special network position or user interaction beyond the admin's own actions is required to store the payload. The stored script will then execute when any user views the affected page (e.g., a page with the manipulated button), leading to a stored XSS attack [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other users' browsers, including less-privileged users and potentially other admins. This can lead to session hijacking, defacement, or redirection to malicious sites. The impact is limited to actions possible within the WordPress admin interface, but the attacker gains the ability to perform actions on behalf of the victim user [1].

Mitigation

Update to version 9.8.1, which fixes the issue by properly sanitizing and escaping the affected settings. The fix was released in the same timeline as the public disclosure (2024-11-29). No workarounds are documented; the only reliable mitigation is applying the update [1].

If the plugin is no longer maintained or cannot be updated, consider removing it and replacing it with an alternative that has proper input sanitization.