CVE-2023-6594

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

4.8MEDIUM

EPSS

0.1%

top 73.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Maxfoundry Maxbuttons – Create Buttons Maxfoundry Maxbuttons

Timeline

PublishedJan 9

Latest updateApr 11

Description

The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unf…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:NExploitability: 1.3 | Impact: 2.7

Affected Packages2 packages

▶NVDmaxfoundry/maxbuttons9.7.4

▶CVEListV5maxfoundry/maxbuttons_–_create_buttons9.7.4

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

VulDB

Button Plugin up to 9.7.4 on WordPress cross site scripting↗2026-04-11

▶

GHSA

GHSA-792w-295c-v45g: The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and↗2024-01-09

▶

CVEList

WordPress Button Plugin MaxButtons <= 9.7.4 - Authenticated (Administrator+) Stored Cross-Site Scripting↗2024-01-09

▶