WP Random Button plugin: Malicious scripts can be injected in pages
CVE-2026-4086
Summary
The WP Random Button plugin for WordPress, in all versions up to and including 1.0, is vulnerable to stored cross-site scripting. An attacker with Contributor-level access or higher can embed malicious script in a page through the plugin's shortcode attributes, and that script runs in the browser of every visitor who loads the page. To protect your site, update the plugin to the latest version or remove it if you don't need it.
Original title
The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp_random_button' shortcode in all versions up...
Original description
The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp_random_button' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the random_button_html() function directly concatenates the 'cat' and 'nocat' parameters into HTML data-attributes without esc_attr(), and the 'text' parameter into HTML content without esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
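The description above names the two escaping mistakes: values written into HTML attributes without esc_attr() and a value written into element content without esc_html(). The following PHP is an added illustration of that pattern, not the plugin's own code. The shortcode name and the attribute names 'cat', 'nocat' and 'text' come from the advisory; the element markup, the default values and the function names with their _vulnerable/_hardened suffixes are assumptions made for the example.

```php
<?php
// Added illustration (not the plugin's code) of the escaping bug described
// in the advisory for the [wp_random_button] shortcode. Attribute names and
// the shortcode name are from the advisory; the markup, defaults and the
// function names used here are assumptions for the example.

// Vulnerable shape: shortcode attributes are concatenated straight into HTML.
function random_button_html_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'cat' => '', 'nocat' => '', 'text' => 'Random post' ),
        $atts,
        'wp_random_button'
    );
    // 'cat' and 'nocat' land inside quoted attribute values: a quote in the
    // value closes the attribute, so the author controls further attributes
    // (event handlers included). 'text' lands inside element content, so
    // markup in the value is parsed as markup rather than shown as text.
    return '<a class="wp-random-button" data-cat="' . $atts['cat'] . '"'
         . ' data-nocat="' . $atts['nocat'] . '">'
         . $atts['text'] . '</a>';
}

// Hardened shape: escape each value for the context it is written into.
// esc_attr() for attribute values, esc_html() for element content.
function random_button_html_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'cat' => '', 'nocat' => '', 'text' => 'Random post' ),
        $atts,
        'wp_random_button'
    );
    return '<a class="wp-random-button" data-cat="' . esc_attr( $atts['cat'] ) . '"'
         . ' data-nocat="' . esc_attr( $atts['nocat'] ) . '">'
         . esc_html( $atts['text'] ) . '</a>';
}

// Registration is identical in both cases; only the output function differs.
add_shortcode( 'wp_random_button', 'random_button_html_hardened' );
```

The reason Contributor-level access is enough: Contributors lack the unfiltered_html capability, so WordPress's KSES filtering strips script tags and event handlers from the post body they save, but shortcode attributes are plain text inside square brackets and are only turned into HTML by the plugin at render time. Any markup the plugin builds from those attributes bypasses that filtering unless the plugin escapes the values itself, which is why the fix belongs in the output function rather than in the editor.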
NVD CVSS 3.1 base score
6.4
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
References
- https://plugins.trac.wordpress.org/browser/wp-random-button/tags/1.0/wp-random-b...
- https://plugins.trac.wordpress.org/browser/wp-random-button/tags/1.0/wp-random-b...
- https://plugins.trac.wordpress.org/browser/wp-random-button/trunk/wp-random-butt...
- https://plugins.trac.wordpress.org/browser/wp-random-button/trunk/wp-random-butt...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0b9e11f5-5a05-4867-abd...
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026