Impact
This vulnerability is a stored cross-site scripting (XSS) flaw, classified as CWE-79 (improper neutralization of input during web page generation). An attacker who can save button data through the MaxButtons plugin can embed a malicious script in that data; the script then runs in the browser of anyone who views a page that renders the button, in the security context of the site's own origin, so it can read cookies and page content, issue requests as the victim, or deface the page. Because the payload lives in the site's database rather than in a crafted link, it persists and affects every visitor and every session until the stored data is cleaned up.
Affected Systems
The MaxButtons WordPress plugin by Maxfoundry is affected in versions up to and including 9.8.3. Any WordPress installation running the plugin at 9.8.3 or earlier should be treated as vulnerable; releases after 9.8.3 are not listed as affected.
Risk and Exploitability
The CVSS score of 5.9 places the flaw in the medium severity band, and an EPSS score below 1 percent indicates that, as of the latest data, the probability of exploitation in the wild is low. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, so no active exploitation has been reported. Exploitation requires an attacker to get a malicious payload into the plugin's stored button data, typically by creating or editing a button. The privilege needed to do that determines who can plant the payload, not who is affected by it: because buttons are rendered on public pages, every visitor who loads the affected page, including unauthenticated users, executes the script. If only administrators can manage buttons, the flaw mainly matters where such an account is compromised or untrusted; if lower-privileged roles can, any such user can attack every visitor and every higher-privileged user who views the page. Given the medium CVSS and very low EPSS, the overall risk is moderate, but it should be mitigated promptly.
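The following PHP script is an added illustration of the CWE-79 pattern described above, written for this page; it is not MaxButtons' code, and the advisory does not say which field of the plugin is the actual injection point. The $button record, the payloads, the render_button_* functions and the esc_*_ex helpers are all constructed for the example. It renders the same stored button data once without escaping and once with context-specific escaping, and includes a version_compare() check against the affected range (9.8.3 and earlier) stated in Affected Systems.

```php
<?php
// Added example, not plugin code: demonstrates how unescaped stored button data
// becomes a stored XSS, and what context-aware escaping of the same data looks like.

// Constructed record, as an attacker with button-editing rights might save it.
// In a real plugin this would be read back from the database on every page view.
$button = [
    'text' => 'Download" onmouseover="alert(document.cookie)',        // breaks out of an attribute
    'url'  => 'javascript:alert(1)',                                  // unsafe URL scheme
    'css'  => 'color:red} </style><script>alert(1)</script><style>',  // breaks out of <style>
];

// Vulnerable rendering: stored values are concatenated straight into the HTML.
function render_button_vulnerable(array $b): string {
    return '<style>.mb{' . $b['css'] . '}</style>'
         . '<a class="mb" href="' . $b['url'] . '" title="' . $b['text'] . '">'
         . $b['text'] . '</a>';
}

// Hardened rendering: escape each value for the exact context it lands in.
// htmlspecialchars() stands in for WordPress's esc_attr()/esc_html(); the scheme
// allow-list stands in for esc_url(), which restricts URLs to allowed protocols.
function esc_attr_ex(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function esc_url_ex(string $url): string {
    $allowed = ['http', 'https', 'mailto', 'tel'];
    $scheme  = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, $allowed, true)) {
        return '';  // drop javascript:, data:, vbscript: and anything else not allow-listed
    }
    return esc_attr_ex($url);
}

function esc_css_ex(string $css): string {
    // Inside a <style> block escaping is not enough; allow only a conservative
    // character set so braces and tags cannot close the block early.
    return preg_replace('/[^a-zA-Z0-9 :;,.#%()_-]/', '', $css);
}

function render_button_hardened(array $b): string {
    return '<style>.mb{' . esc_css_ex($b['css']) . '}</style>'
         . '<a class="mb" href="' . esc_url_ex($b['url']) . '" title="' . esc_attr_ex($b['text']) . '">'
         . esc_attr_ex($b['text']) . '</a>';
}

// Version check against the advisory's affected range (9.8.3 and earlier).
function maxbuttons_affected(string $installed): bool {
    return version_compare($installed, '9.8.3', '<=');
}

echo render_button_vulnerable($button), PHP_EOL;
echo render_button_hardened($button), PHP_EOL;
foreach (['9.8.3', '9.8.4', '9.10.0'] as $v) {
    printf("%s: %s\n", $v, maxbuttons_affected($v) ? 'affected' : 'not affected');
}
```

Run with `php example.php`. The vulnerable output carries an onmouseover handler, a javascript: link and a closed-off style block; the hardened output renders the same three values as inert text, an empty href and a stripped style rule. The point for a reviewer of any button or shortcode plugin is the third case: HTML escaping alone does not make arbitrary CSS safe inside a style block, so each sink needs its own rule.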
OpenCVE Enrichment