CVE-2023-6594

Name of the Vulnerable Software and Affected Versions MaxButtons plugin for WordPress versions up to, and including, 9.7.4

Description The MaxButtons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue affects multi-site installations and installations where unfiltered html has been disabled. Administrators can give button creation privileges to users with lower levels, such as contributor+, which would allow those lower-privileged users to carry out attacks.

Recommendations For MaxButtons plugin for WordPress versions up to, and including, 9.7.4, update to a version later than 9.7.4 to resolve the issue. As a temporary workaround, consider restricting the unfiltered html capability to prevent lower-privileged users from exploiting the vulnerability. Restrict access to the admin settings to minimize the risk of exploitation. Avoid giving button creation privileges to users with lower levels until the issue is resolved.