Vulnerability in MaxButtons Plugin for WordPress Exposes Sites to Stored XSS Attacks
CVE-2024-10555
Key Information:
- Vendor
- WordPress
- Status
- WordPress Button Plugin Maxbuttons
- Vendor
- CVE Published:
- 20 December 2024
Badges
Summary
CVE-2024-10555 is a critical vulnerability affecting the MaxButtons plugin for WordPress, specifically versions prior to 9.8.1. This flaw arises from improper sanitization and escaping of certain settings within the plugin. As a consequence, high-privilege users, including administrators, can exploit this vulnerability to carry out Stored Cross-Site Scripting (XSS) attacks, posing a considerable risk to website security. Even in configurations where unfiltered HTML capabilities are disabled—such as in multisite environments—attackers can still use this vulnerability to inject malicious scripts. Website administrators are strongly urged to upgrade to the latest version of the MaxButtons plugin to mitigate potential security risks.
Affected Version(s)
WordPress Button Plugin MaxButtons 0 < 9.8.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved