CVE-2026-4279

Name of the Vulnerable Software and Affected Versions Bread & Butter versions prior to 8.2.0.26

Description Stored Cross-Site Scripting is possible via the 'breadbutter-customevent-button' shortcode. The customEventShortCodeButton() function fails to apply proper input sanitization and output escaping on the event shortcode attribute, directly interpolating the value into a JavaScript string within an onclick HTML attribute. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts that execute when a user clicks the injected button.

Recommendations Update to a version newer than 8.2.0.25.