A cross-site scripting (XSS) vulnerability has recently been discovered in the plugin ‘WordPress Button Plugin MaxButtons’.
The vulnerability affects version 6.18 of the plugin.
In the part of the plugin’s code where its pages and their actions are defined, the class values are written into the page without being sanitised or escaped.
In PHP and WordPress, sanitising a field means stripping or transforming the input so that it contains only what that field is allowed to hold (for a CSS class, only letters, digits, hyphens and underscores), while escaping means encoding the value for the context it is output into (an HTML attribute, the HTML body, a URL) so that it cannot be read as markup or script. Validation, which checks that input is well-formed and rejects it otherwise, is the complementary step; none of these is merely a matter of “proper formatting”.
When a value reaches the page unsanitised and unescaped, an attacker can craft a request (typically a link the victim is tricked into opening) that injects script into the page. That script runs in the victim’s browser under the site’s own origin, so it can read any cookie not flagged HttpOnly and send requests to the site with the victim’s session attached.
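The following example, added here for illustration and not taken from MaxButtons or WordPress, shows the pattern the advisory describes: a request-controlled class value dropped into an HTML attribute unescaped, beside the hardened form. The `esc_attr()` and `sanitize_html_class()` definitions are simplified stand-ins for the WordPress helpers of the same name and are only defined when WordPress is not loaded, so the file runs on its own with `php xss_class.php`; the attacker payload is constructed.

```php
<?php
// Illustrative example (not MaxButtons' code): a class value taken from the
// request is written into an HTML attribute. Stand-ins for the WordPress
// escaping helpers are defined only if WordPress is not loaded, so this
// file also runs from the command line: php xss_class.php

if (!function_exists('esc_attr')) {
    // Simplified stand-in for WordPress esc_attr(): encode the characters
    // that could close the attribute or start a tag.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_html_class')) {
    // Simplified stand-in for WordPress sanitize_html_class(): keep only
    // characters that are valid in a class name, with an optional fallback.
    function sanitize_html_class($class, $fallback = '') {
        $clean = preg_replace('/[^A-Za-z0-9_-]/', '', (string) $class);
        return $clean === '' ? $fallback : $clean;
    }
}

// Vulnerable pattern: the value is interpolated as-is, so a double quote in
// the input closes the class attribute and the rest is parsed as new
// attributes (here, an event handler).
function render_button_vulnerable($class) {
    return '<a class="maxbutton ' . $class . '" href="#">Click</a>';
}

// Hardened pattern: restrict the value to class-name characters on the way
// in, then escape it for the attribute context on the way out. Either step
// alone defeats this payload; doing both is the WordPress convention
// (sanitise on input, escape on output).
function render_button_safe($class) {
    $class = sanitize_html_class($class, 'default');
    return '<a class="maxbutton ' . esc_attr($class) . '" href="#">Click</a>';
}

// Constructed attacker input. In a real plugin this would arrive via the
// request (e.g. $_GET); it is a literal here so the script runs offline.
// It breaks out of the class attribute and adds an onmouseover handler that
// reads every cookie not flagged HttpOnly.
$payload = '" onmouseover="alert(document.cookie)" x="';

echo "Vulnerable:\n", render_button_vulnerable($payload), "\n\n";
echo "Hardened:\n", render_button_safe($payload), "\n";
```

Running it shows the vulnerable line emitting a live `onmouseover` attribute, while the hardened line reduces the payload to a harmless run of class-name characters. The same two-step discipline applies to any value echoed into WordPress output: choose the `sanitize_*` function matching what the field may contain and the `esc_*` function matching where it is printed.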
A cookie is a small piece of data that a site stores in the browser you are using. WordPress uses cookies to remember that you are logged in and to identify which user you are on each request.
This vulnerability lets an attacker run script in the browser of a logged-in user (an administrator, for instance) and act on the site as that user. WordPress sets its authentication cookies with the HttpOnly flag, so injected script cannot read them directly, but it can still send requests that carry them, which is enough to hijack the session. Note that cookies never contain the user’s password; what is at risk is the logged-in session and everything it can reach, such as the account’s email address and the site’s administrative functions.
To close this security gap, update the MaxButtons plugin to version 6.19 or later. You can confirm the installed version from the Plugins screen in the WordPress dashboard or, if you use WP-CLI, with `wp plugin list`.
Here at WPX Hosting, we have already applied a security rule on all servers that detects the specific malicious requests and blocks them. A blocking rule is a mitigation rather than a fix, however, so we still highly recommend updating the plugin to ensure site safety.