VYPR
Unrated severity · NVD Advisory · Published Jul 13, 2024 · Updated Aug 1, 2024

WordPress Button Plugin MaxButtons < 9.7.8 - Editor+ Stored XSS

CVE-2024-3026

Description

The WordPress Button Plugin MaxButtons WordPress plugin before 9.7.8 does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting attacks.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization and output escaping of parameters allows stored Cross-Site Scripting."

Attack vector

An attacker with Editor-level access (or higher) can inject malicious JavaScript into parameters that the plugin fails to sanitize and escape [ref_id=1]. When an administrator or other user views the affected page, the stored script executes in their browser, leading to Cross-Site Scripting (XSS) [CWE-79]. The attack requires authentication with at least an Editor role and the ability to save or update button settings within the plugin.

Affected code

The advisory does not specify exact function or file names within the MaxButtons plugin. The vulnerability exists in the plugin's handling of parameters that are not sanitized or escaped before output, affecting versions before 9.7.8 [ref_id=1].

What the fix does

The advisory states the fix was released in version 9.7.8 of the MaxButtons plugin [ref_id=1]. No patch diff is provided in the bundle, but the remediation described is to sanitize the vulnerable parameters when they are saved and to escape them when they are output, which prevents the stored script from reaching the browser as markup. Users should update to version 9.7.8 or later.
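The following is an added illustration of the pattern the advisory describes, not code from the MaxButtons plugin or from the advisory: a toy button save/render pair in which settings are stored and echoed without sanitization or escaping, beside the hardened form that sanitizes on save and escapes per output context. The settings fields and the `save_*`, `render_*` and `output_is_safe` function names are hypothetical; `sanitize_text_field`, `esc_attr`, `esc_html` and `esc_url` are real WordPress functions, and the stand-ins defined below are approximations (an assumption) so the file also runs under plain `php` outside WordPress. The regression check at the end goes slightly beyond the advisory text: it is a reviewer's way of confirming that no raw metacharacters from user data survive into the rendered markup.

```php
<?php
// Added illustration (not MaxButtons code). Stand-ins for WordPress helpers
// are defined only when the real ones are absent, so this runs outside WP.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        $s = strip_tags($s);                            // drop any HTML tags
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s); // drop control chars
        return trim($s);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Approximation: WordPress esc_url() returns '' for disallowed schemes
    // such as javascript:; here only http(s) URLs are accepted.
    function esc_url(string $s): string {
        $s = trim($s);
        return preg_match('#^https?://#i', $s) ? esc_attr($s) : '';
    }
}

// Constructed sample (test strings for this demo, not taken from the advisory):
// what a user holding the Editor role could submit through a button form.
$submitted = [
    'label' => 'Buy now" onmouseover="alert(1)',
    'url'   => 'javascript:alert(1)',
    'class' => 'btn <img src=x onerror=alert(1)>',
];

// Vulnerable pattern: stored exactly as submitted, echoed exactly as stored.
// Every field becomes an injection point (attribute breakout, script URL,
// tag injection), and the script runs for whoever views the rendered page.
function save_button_vulnerable(array $in): array {
    return $in;
}
function render_button_vulnerable(array $b): string {
    return '<a href="' . $b['url'] . '" class="' . $b['class'] . '">'
         . $b['label'] . '</a>';
}

// Hardened pattern: sanitize on save (defence in depth) and escape on output
// with the function matching each context: URL attribute, plain attribute,
// HTML text. Output escaping is what actually stops stored XSS, since rows
// written by older versions may already contain unsanitized values.
function save_button_hardened(array $in): array {
    return [
        'label' => sanitize_text_field($in['label'] ?? ''),
        'url'   => sanitize_text_field($in['url'] ?? ''),
        'class' => sanitize_text_field($in['class'] ?? ''),
    ];
}
function render_button_hardened(array $b): string {
    return '<a href="' . esc_url($b['url']) . '" class="' . esc_attr($b['class']) . '">'
         . esc_html($b['label']) . '</a>';
}

// Reviewer check: the output must still have the template's fixed shape,
// no raw < > " ' may survive inside any user-derived segment, and the href
// must be empty or an http(s) URL.
function output_is_safe(string $html): bool {
    if (!preg_match('#^<a href="([^"]*)" class="([^"]*)">([^<]*)</a>$#', $html, $m)) {
        return false; // user data broke out of the template
    }
    [, $href, $class, $text] = $m;
    foreach ([$href, $class, $text] as $v) {
        if (preg_match('/[<>"\']/', $v)) {
            return false; // raw metacharacters survived
        }
    }
    return $href === '' || preg_match('#^https?://#i', $href) === 1;
}

$vuln = render_button_vulnerable(save_button_vulnerable($submitted));
$hard = render_button_hardened(save_button_hardened($submitted));
echo "vulnerable: $vuln\n";
echo "hardened:   $hard\n";
var_dump(output_is_safe($vuln));
var_dump(output_is_safe($hard));
```

Run it with `php example.php`. The vulnerable rendering fails the check on the `class` attribute (a raw `<` survives) and on the `javascript:` href; the hardened rendering passes because the tag was stripped on save, the script URL was rejected by `esc_url`, and the quote in the label was encoded by `esc_html`. The same per-context rule applies to any template that interpolates stored plugin settings: choose the escaping function by where the value lands in the markup, not by where it came from.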

Preconditions

  • auth: Attacker must have a WordPress user role of Editor or higher
  • config: The MaxButtons plugin must be installed and active with a version before 9.7.8
  • input: Attacker must be able to access the button editing interface to inject malicious input

Reproduction

The advisory at [ref_id=1] does not include explicit reproduction steps or a proof of concept beyond stating the vulnerability class. No detailed PoC is provided in the bundle.

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.