WordPress Button Plugin MaxButtons – Authenticated Stored Cross-Site Scripting – CVE-2023-6594 | WordPress Plugin Vulnerability Report

Plugin Name: WordPress Button Plugin MaxButtons

Key Information:

  • Software Type: Plugin
  • Software Slug: maxbuttons
  • Software Status: Active
  • Software Author: maxfoundry
  • Software Downloads: 4,640,344
  • Active Installs: 100,000
  • Last Updated: January 8, 2024
  • Patched Versions: 9.7.6
  • Affected Versions: <= 9.7.4

Vulnerability Details:

  • Name: WordPress Button Plugin MaxButtons <= 9.7.4
  • Title: Authenticated (Administrator+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2023-6594
  • CVSS Score: 4.4
  • Publicly Published: January 8, 2024
  • Researcher: Rafshanzani Suhada
  • Description: The WordPress Button Plugin MaxButtons is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 9.7.4. This is due to insufficient input sanitization and output escaping. Authenticated attackers, with administrator-level permissions and above, can inject arbitrary web scripts in pages that execute whenever a user accesses an injected page. This vulnerability only affects multi-site installations and installations where unfiltered_html has been disabled, allowing lower-privileged users (contributor+) to carry out attacks.


The WordPress Button Plugin MaxButtons has a vulnerability in versions up to and including 9.7.4, allowing authenticated attackers with administrator-level permissions and above to perform Stored Cross-Site Scripting. This vulnerability has been patched in version 9.7.6.

Detailed Overview:

The vulnerability arises from insufficient input sanitization and output escaping in admin settings, allowing authenticated attackers to inject arbitrary web scripts. This poses a risk for administrators and, in certain configurations, lower-privileged users. The patch in version 9.7.6 addresses these security concerns.

Advice for Users:

  • Immediate Action: Update the WordPress Button Plugin MaxButtons to version 9.7.6 or later.
  • Check for Signs of Vulnerability: Review admin settings for any unauthorized changes or injected scripts.
  • Alternate Plugins: Consider alternative button plugins with similar functionality.
  • Stay Updated: Regularly update your WordPress plugins to the latest versions to avoid vulnerabilities.


The swift response from MaxButtons developers in releasing version 9.7.6 emphasizes the importance of timely updates. Users are advised to ensure they are running version 9.7.6 or later to secure their WordPress installations.


Simplifying Website Security for Busy Owners

As a busy website owner without ample time to stay on top of every threat, keeping your site secure can feel impossible. But vulnerabilities like the one recently patched in the popular MaxButtons plugin only reinforce why vigilance matters. In this post I’ll simplify security for you by clearly explaining the vulnerability, your risk level, and actionable ways to lock down your website in minutes.

Understanding the MaxButtons Vulnerability

MaxButtons helps over 100,000 WordPress users customize buttons and call-to-action elements. This week a security researcher disclosed a vulnerability in versions up to 9.7.4 enabling some authenticated users to inject malicious scripts without authorization.

Specifically, the bug stems from insufficient input sanitization in admin settings. Users with admin access could exploit this to introduce rogue JavaScript or HTML designed to trigger when other visitors load affected pages. Depending on the script’s nature this could enable nuisances like auto-playing audio/video rather than directly stealing data.

The developers have now released version 9.7.6 to fully fix the vulnerability, scoring a moderate 4.4 CVSS severity rating due to limiting the affected user roles. Still, MaxButtons users face unnecessary risk until updating.

Assessing Your Site’s Risk Level

While branded moderately severe rather than extremely critical, the vulnerability still poses unnecessary website exposure risks if admins freely access settings. Attackers could leverage scripts for everything from annoying visitors to attempting drive-by malware downloads or mining cryptocurrency using visitor hardware.

The good news is that sites restricting admin permissions likely face minimal real-world risk even before patching. But everyone should still update regardless since the script injection vector exists without good reason. Eliminating unnecessary vulnerabilities keeps your site safer regardless of the low current exploitation probability.

Updating to Eliminate the Vulnerability

If MaxButtons is active on your WordPress site, you should:

- Immediately update to v9.7.6, which specifically repairs this bug by escaping outputs.

- Check all admin settings scripts for anything suspicious or unintended.

- Consider temporarily limiting admin access until assessing the script risk.

- Enforce the principle of least privilege in user roles where feasible.

Staying Secure Long-Term

MaxButtons has faced 6 previous vulnerabilities since 2014, indicating systemic issues around data validation. From arbitrary file deletion to stored XSS and beyond, threats inevitably arise without diligent auditing and patching.

As tempting as neglecting security feels for overloaded owners, a well-hardened site takes little effort:

- Enable automatic background updates for plugins to remove the manual chore.

- Minimize plugins and themes to only reputable options essential for your needs.

- Leverage managed WordPress hosts handling technical tasks like updates for you.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WordPress Button Plugin MaxButtons Vulnerability– Authenticated Stored Cross-Site Scripting – CVE-2023-6594 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment