WordPress Button Plugin MaxButtons < 9.7.8 – Editor+ Stored XSS | CVE 2024-3026

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting attacks

Proof of Concept

1. Create an new button
2. Change the "Custom Rel Tag" field to: 123" onmouseover="alert(1)" 
3. Save the button.
4. Insert it within a page or post using its shortcode.
5. Browse the page and hover over the button.

Affects Plugins

maxbuttons

Fixed in 9.7.8

References

CVE

CVE-2024-3026

URL

https://research.cleantalk.org/cve-2024-3026/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.5 (low)

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

aba9d8a5-20a7-49e5-841c-9cfcb9bc6144

Timeline

Publicly Published

2024-06-22 (about 1 year ago)

Added

2024-06-22 (about 1 year ago)

Last Updated

2024-07-09 (about 1 year ago)

Other

Published

Title

Published

2023-06-26

Title

Direct checkout, Add to cart redirect for Woocommerce < 2.1.49 - Admin+ Stored XSS

Published

2023-07-07

Title

Video Gallery < 1.3.13 - Admin+ Stored XSS

Published

2023-09-01

Title

WP Default Feature Image <= 1.0.1.1 - Admin+ Stored XSS

Published

2016-04-29

Title

MainWP <= 3.1.2 - Unauthenticated Stored Cross-Site Scripting (XSS)

Published

2025-07-16

Title

Radio Player Shoutcast & Icecast < 4.4.8 - Reflected Cross-Site Scripting