WordPress Button Plugin MaxButtons Vulnerability – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode – CVE-2023-7029 | WordPress Plugin Vulnerability Report

Plugin Name: WordPress Button Plugin MaxButtons

Key Information:

  • Software Type: Plugin
  • Software Slug: maxbuttons
  • Software Status: Active
  • Software Author: maxfoundry
  • Software Downloads: 4,681,976
  • Active Installs: 100,000
  • Last Updated: January 23, 2024
  • Patched Versions: 9.7.7
  • Affected Versions: <= 9.7.6

Vulnerability Details:

  • Name: WordPress Button Plugin MaxButtons <= 9.7.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
  • Title: Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2023-7029
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: January 23, 2024
  • Researcher: Webbernaut
  • Description: The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including 9.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 9.7.6.


The WordPress Button Plugin MaxButtons for WordPress has a vulnerability in versions up to and including 9.7.6 that allows authenticated users with contributor-level access or higher to inject arbitrary web scripts via insufficiently sanitized plugin shortcode attributes. This cross-site scripting vulnerability has been patched in version 9.7.7.

Detailed Overview:

A vulnerability in the WordPress MaxButtons plugin allows authenticated users with contributor-level access or higher to store cross-site scripts (XSS) that will execute when pages containing the injected shortcodes are viewed. This is due to insufficient validation and escaping of user-supplied shortcode attributes. The vulnerability was discovered by researcher Webbernaut and impacts all versions up to and including 9.7.6. It has been given the identifier CVE-2023-7029 and a CVSS severity score of 6.4 (Medium). The vulnerability allows injection of JavaScript or other browser-executable code. If successfully exploited, this could lead to exposure of sensitive user data, session hijacking, or other attacks. The developers have patched the vulnerability in version 9.7.7, so users should update as soon as possible.

Advice for Users:

  1. Immediate Action: Update to version 9.7.7 or higher as soon as possible.
  2. Check for Signs of Vulnerability: Review shortcodes and content updated by lower privilege users for unauthorized scripts.
  3. Alternate Plugins: Consider using alternate button plugins like Easy Buttons for WordPress or WP Button Plugin as a precaution.
  4. Stay Updated: Enable automatic updates on all plugins to receive security fixes as they become available.


The prompt patch from MaxButtons developers addresses this stored XSS vulnerability impacting authenticated contributors and higher. Users should install version 9.7.7 immediately to prevent potential compromise of user accounts, sessions, or sites.




Detailed Report:

Running a small business while also managing your company website is extremely challenging. You simply don’t have time to stay on top of all the latest security issues impacting the plugins and platforms you rely on. But ignoring potential website vulnerabilities leaves you open to attacks that can bring your business grind to a halt.

This is exactly what’s happening with those still using outdated versions of the popular WordPress plugin MaxButtons. This plugin, which has over 4 million downloads and 100,000+ active installs, has a recently disclosed vulnerability allowing lower-privilege users to inject malicious code. In this post, I’ll provide a plain English overview of the issue and clear advice to protect your site.

About MaxButtons

MaxButtons is a WordPress plugin that provides an interface to create and manage custom WordPress buttons with rich functionality. It has been available since 2014 and is developed by maxfoundry.

The Vulnerability Explained

In MaxButtons versions up to and including 9.7.6, there is a vulnerability that enables user accounts set at the Contributor level or higher to inject harmful JavaScript code that will execute when a vulnerable page is viewed. This is possible because of insufficient validation of attributes supplied via shortcodes.

Why You Should Be Concerned

This vulnerability, dubbed “authenticated stored cross-site scripting”, has been given a CVSS severity score of 6.4 (Medium). If exploited, it could allow attackers to pull off various malicious actions including:

  • Access and compromise user accounts
  • Steal or manipulate sensitive visitor data
  • Deface site content
  • Redirect site visitors for financial gain
  • Install backdoors for further attacks

The impact depends on the attackers motivations, but the risks are clearly serious. Even if you have trusted contributors, you face threats from compromised accounts and potential insider actions.

Updating MaxButtons to Patch the Vulnerability

The good news is the MaxButtons developers have addressed this vulnerability in version 9.7.7. Updating now prevents exploitation moving forward. Be aware that any content already containing injected scripts will still need to be identified and removed.

To update and secure MaxButtons, follow these steps:

  1. Log into your WordPress dashboard
  2. Go to Plugins > Installed Plugins
  3. Click “Update” next to MaxButtons if available or “Update Available” link
  4. Click “Update Plugins”
  5. Confirm your site now runs MaxButtons version 9.7.7 or higher

If automatic updates are enabled, your site may have already updated itself. But be sure to double check, as theme and site conflicts can sometimes interfere with auto-updates.

A Troubling History of Vulnerabilities

This is unfortunately not a isolated incident for MaxButtons. The plugin has had 7 previous publicly disclosed vulnerabilities over the past decade. This history highlights why sites relying on MaxButtons need to be extremely vigilant regarding security updates.

Protecting Your Website Starts with You

As a business owner without an in-house technical team, the burden of website security falls directly upon your shoulders. But ignoring plugin and platform vulnerabilities in WordPress and its vast ecosystem leaves your business ripe for compromise.

While stays fully up-to-date with threats and available fixes simply isn’t realistic, you must make a commitment to regular review of update requirements. Enabling automatic background updates where possible is a good start. Seeking professional website support to handle protections and alert you to critical vulnerabilities can greatly reduce risk as well.

By taking ownership of securing your website, you give your business the best chance to avoid the roiling aftermath of an attack or exploitation. Don’t wait until it’s too late – make steady progress now to lock things down. Your business depends on it.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WordPress Button Plugin MaxButtons Vulnerability – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode – CVE-2023-7029 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment