MaxButtons < 9.8.1 - Admin+ Stored XSS via Text Color
Description
The WordPress Button Plugin MaxButtons WordPress plugin before 9.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MaxButtons plugin before 9.8.1 allows admin-level stored XSS via unsanitized settings, bypassing unfiltered_html restriction.
Vulnerability
The WordPress Button Plugin MaxButtons before version 9.8.1 fails to sanitize and escape some of its settings, leading to a stored Cross-Site Scripting (XSS) vulnerability [1]. This issue is particularly exploitable in multisite configurations where the unfiltered_html capability is disallowed for administrators.
Exploitation
An attacker with admin-level privileges can inject malicious JavaScript into a plugin setting, such as the text color field. When the setting is rendered on a page, the script executes in the context of other admin users' sessions [1].
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the browser of other administrators. This could lead to session hijacking, data theft, or further privilege escalation within the WordPress installation [1].
Mitigation
The vulnerability is fixed in version 9.8.1 of the MaxButtons plugin. Users should update to this version or later immediately. No workarounds are provided in the available references, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <9.8.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- wpscan.com/vulnerability/cab4d23e-e857-4b2f-b1ca-fbafd37524e0/mitreexploitvdb-entrytechnical-description
News mentions
0No linked articles in our index yet.