CVE-2026-4086

Name of the Vulnerable Software and Affected Versions WP Random Button plugin for WordPress versions prior to 1.0.

Description The WP Random Button plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp random button' shortcode. This is a result of inadequate input sanitization and output escaping of user-provided shortcode attributes. The random button html() function directly combines the 'cat' and 'nocat' parameters into HTML data-attributes without proper escaping, and the 'text' parameter into HTML content without escaping. This allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts into pages, which will then execute when a user accesses the affected page.

Recommendations Update the WP Random Button plugin to a version later than 1.0.