CVE-2026-4279
Stored XSS in Bread & Butter WordPress Plugin Button Shortcode
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bread_and_butter | plugin | up to 8.2.0.25 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The vulnerability exists in the Bread & Butter WordPress plugin versions up to and including 8.2.0.25 due to insufficient input sanitization on the 'breadbutter-customevent-button' shortcode. Immediate mitigation steps include updating the plugin to a version later than 8.2.0.25 where this issue is fixed.
Additionally, restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with at least Contributor access to exploit.
Can you explain this vulnerability to me?
The Bread & Butter plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'breadbutter-customevent-button' shortcode in all versions up to and including 8.2.0.25.
This vulnerability arises because the 'event' attribute of the shortcode is not properly sanitized or escaped before being inserted into a JavaScript string within an onclick HTML attribute.
Specifically, the function customEventShortCodeButton() interpolates the 'event' attribute directly without using proper escaping functions like esc_attr() or esc_js(), allowing attackers to inject arbitrary scripts.
Authenticated users with Contributor-level access or higher can exploit this to inject malicious scripts that execute when any user clicks the injected button on a page.
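As an added illustration (not the plugin's own code) of the defect class described above, the unescaped interpolation pattern is shown next to two hardened forms; the handler name customEventShortCodeButton comes from this page, while the function bodies, the `_vulnerable`/`_hardened`/`_inline` suffixes and the JavaScript function breadbutterTrack() are assumptions.

```php
<?php
// Assumed reconstruction for illustration; the real plugin code is not on this page.

// VULNERABLE PATTERN: the 'event' attribute is dropped into a JS string literal
// inside an onclick attribute with no escaping for either context, so any quote
// or angle bracket in the value changes the markup and the handler (CWE-79).
function customEventShortCodeButton_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'event' => '', 'label' => 'Click' ), $atts );
    return '<button onclick="breadbutterTrack(\'' . $atts['event'] . '\')">'
         . $atts['label'] . '</button>';
}

// HARDENED (preferred): keep untrusted data out of inline script entirely.
// The value goes into a data attribute escaped for the HTML-attribute context,
// and a separate script binds the click handler; the label is HTML-escaped.
function customEventShortCodeButton_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'event' => '', 'label' => 'Click' ), $atts );
    $event = sanitize_text_field( $atts['event'] );
    return '<button class="bb-custom-event" data-event="' . esc_attr( $event ) . '">'
         . esc_html( $atts['label'] ) . '</button>';
}
add_shortcode( 'breadbutter-customevent-button', 'customEventShortCodeButton_hardened' );

// Companion script (assumed) for the hardened variant, enqueued by the plugin:
//   document.addEventListener('click', function (e) {
//     var b = e.target.closest('.bb-custom-event');
//     if (b) { breadbutterTrack(b.dataset.event); }
//   });

// HARDENED (if the inline handler must stay): encode for the JS string context
// first (wp_json_encode produces a quoted, backslash-escaped literal), then for
// the HTML attribute the script lives in. Both layers are required; esc_attr()
// alone does not make a value safe inside a JS string, and esc_js() alone does
// not make it safe inside an HTML attribute.
function customEventShortCodeButton_inline( $atts ) {
    $atts  = shortcode_atts( array( 'event' => '', 'label' => 'Click' ), $atts );
    $event = sanitize_text_field( $atts['event'] );
    return '<button onclick="breadbutterTrack(' . esc_attr( wp_json_encode( $event ) ) . ')">'
         . esc_html( $atts['label'] ) . '</button>';
}
```

The browser decodes the `&quot;` entities produced by esc_attr() before evaluating the handler, so the JSON-encoded literal reaches breadbutterTrack() intact while the value can no longer break out of either context.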
How can this vulnerability impact me?
This vulnerability allows attackers with Contributor-level access or above to inject malicious JavaScript code into pages via the vulnerable shortcode.
When other users visit these pages and click the injected button, the malicious scripts execute, potentially leading to theft of user credentials, session hijacking, or unauthorized actions performed on behalf of the user.
Because the attack requires authenticated access, it can be used to escalate privileges or compromise site integrity from within the user base.