Description
The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp_random_button' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the random_button_html() function directly concatenates the 'cat' and 'nocat' parameters into HTML data-attributes without esc_attr(), and the 'text' parameter into HTML content without esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The WP Random Button plugin renders stored, user-supplied shortcode attributes without proper escaping. An attacker with Contributor-level access or higher can embed malicious script in the 'cat', 'nocat', or 'text' attributes. When a page containing the malicious shortcode is viewed, the injected script runs in the visitor's browser, allowing the attacker to steal session cookies, deface content, or mount further attacks. This is a classic stored XSS that affects every user who views the compromised post or page.
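The defect the description names (attribute values concatenated into a data-attribute without esc_attr() and into element text without esc_html()) is easiest to see side by side. The two callbacks below are an added illustration written for this page, not the plugin's actual random_button_html() code: a hypothetical shortcode handler with the same defect class, and a hardened version that escapes each value for the context it is emitted in. Both assume a WordPress runtime; the link target (home_url('/?random=1')), the attribute defaults and the assumption that 'cat'/'nocat' hold category IDs or slugs are all mine.

```php
<?php
// Added illustration for this page; NOT the plugin's real random_button_html().
// Assumes WordPress core functions (shortcode_atts, esc_attr, esc_html, esc_url,
// home_url, add_shortcode) are available.

// Defective pattern: attribute values reach the markup exactly as the post
// author typed them. 'cat'/'nocat' sit inside data-attributes and 'text' sits
// in the element body, so neither the attribute context nor the text context
// is protected.
function example_random_button_html_vulnerable( $atts ) {
	$atts = shortcode_atts(
		array( 'cat' => '', 'nocat' => '', 'text' => 'Random post' ), // defaults assumed
		$atts,
		'wp_random_button'
	);

	return '<a href="' . home_url( '/?random=1' ) . '"' // target URL assumed
		. ' data-cat="' . $atts['cat'] . '"'
		. ' data-nocat="' . $atts['nocat'] . '">'
		. $atts['text']
		. '</a>';
}

// Hardened pattern: escape each value for the exact context it lands in
// (esc_attr for attribute values, esc_html for text nodes, esc_url for the
// href) and, as defence in depth, restrict what 'cat'/'nocat' may contain.
function example_random_button_html_fixed( $atts ) {
	$atts = shortcode_atts(
		array( 'cat' => '', 'nocat' => '', 'text' => 'Random post' ),
		$atts,
		'wp_random_button'
	);

	// Assumption: cat/nocat are comma-separated category IDs or slugs, so only
	// [A-Za-z0-9_,-] is meaningful. esc_attr() below is the actual fix; this
	// whitelist just removes anything that could never be a valid selector.
	$cat   = preg_replace( '/[^A-Za-z0-9_,-]/', '', $atts['cat'] );
	$nocat = preg_replace( '/[^A-Za-z0-9_,-]/', '', $atts['nocat'] );

	return sprintf(
		'<a href="%s" data-cat="%s" data-nocat="%s">%s</a>',
		esc_url( home_url( '/?random=1' ) ),
		esc_attr( $cat ),
		esc_attr( $nocat ),
		esc_html( $atts['text'] )
	);
}

// Register only the hardened callback; the vulnerable one is kept for comparison.
add_shortcode( 'wp_random_button', 'example_random_button_html_fixed' );
```

The point of the hardened version is that escaping happens at output time, per context: a shortcode attribute is stored post content, so anything a Contributor could save is replayed to every later viewer, and the only reliable place to neutralise it is where the HTML is built. Sanitising on save alone would not cover content already stored before the fix.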

Affected Systems

WordPress sites that have the WP Random Button plugin version 1.0 or earlier installed. The plugin is provided by the vendor newbiesup. Any WordPress installation that uses this plugin is vulnerable unless it is updated to a newer, secure release.

Risk and Exploitability

The vulnerability receives a CVSS score of 6.4, indicating moderate severity. No EPSS score is published, and the issue is not listed in the CISA KEV catalog. Exploitation requires authenticated Contributor or higher privileges on the WordPress site. Once the attacker can edit posts or pages, they can insert the malicious shortcode. After insertion, any unauthenticated visitor who loads the affected page will execute the stored script, making the attack highly scalable once the payload is in place.

Generated by OpenCVE AI on March 21, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the WP Random Button plugin to the latest version that includes proper escaping.
  • If an update is not available, consider disabling the plugin or removing it entirely to eliminate the exposure.
  • Restrict Contributor and higher roles from adding or editing content that uses the wp_random_button shortcode.
  • Apply a Content Security Policy that blocks inline scripts to mitigate potential XSS impact.
  • Verify any existing malicious content is removed from posts or pages using the shortcode.
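The last action above, checking stored content for existing uses of the shortcode, can be done from inside WordPress. The helper below is an added example for this page, not plugin or OpenCVE code; it assumes a WordPress runtime (for instance a mu-plugin or a WP-CLI `eval-file`) and uses only core functions (get_posts, get_shortcode_regex, shortcode_parse_atts, wp_json_encode). It lists every post or page, in any status, that contains a wp_random_button shortcode, together with the author and parsed attributes, and flags occurrences whose raw attribute string contains markup characters, an event-handler attribute, a javascript: scheme, or an attribute name outside the three the plugin documents. The expected attribute names and the heuristic patterns are my assumptions.

```php
<?php
// Added audit helper for this page (not plugin or OpenCVE code). Assumes a
// WordPress runtime; run from a mu-plugin, WP-CLI `eval-file`, or similar.

/**
 * Return every occurrence of [wp_random_button ...] in stored post content.
 * Each entry: post_id, post_author, post_status, atts (parsed), suspicious (bool).
 */
function example_audit_wp_random_button_shortcodes() {
	// Core regex restricted to this tag; capture group 3 is the raw attribute string.
	$pattern = '/' . get_shortcode_regex( array( 'wp_random_button' ) ) . '/s';

	// Narrow the candidate set with a content search, then confirm with the regex.
	$posts = get_posts( array(
		'post_type'   => 'any',
		'post_status' => 'any', // drafts and pending items too, not only published
		'numberposts' => -1,
		's'           => '[wp_random_button',
	) );

	$findings = array();
	foreach ( $posts as $post ) {
		if ( ! preg_match_all( $pattern, $post->post_content, $matches, PREG_SET_ORDER ) ) {
			continue;
		}
		foreach ( $matches as $m ) {
			$raw  = $m[3];
			$atts = shortcode_parse_atts( $raw );
			$atts = is_array( $atts ) ? $atts : array(); // core returns a string when no atts

			$findings[] = array(
				'post_id'     => $post->ID,
				'post_author' => $post->post_author,
				'post_status' => $post->post_status,
				'atts'        => $atts,
				'suspicious'  => example_shortcode_atts_look_suspicious( $raw, $atts ),
			);
		}
	}
	return $findings;
}

// Heuristic (assumed): a category selector or button label has no business
// containing angle brackets, an on*= handler, or a javascript: scheme, and the
// plugin is described as using only cat, nocat and text. Matches deserve manual
// review; non-matches are still worth a glance.
function example_shortcode_atts_look_suspicious( $raw, array $atts ) {
	if ( preg_match( '/[<>]|javascript:|\bon[a-z]+\s*=/i', $raw ) ) {
		return true;
	}
	$expected = array( 'cat', 'nocat', 'text' );
	foreach ( array_keys( $atts ) as $name ) {
		if ( is_string( $name ) && ! in_array( strtolower( $name ), $expected, true ) ) {
			return true;
		}
	}
	return false;
}

// Example invocation: one summary line per occurrence.
foreach ( example_audit_wp_random_button_shortcodes() as $f ) {
	printf(
		"%s post %d [%s] (author %d): %s\n",
		$f['suspicious'] ? 'REVIEW' : 'ok    ',
		$f['post_id'],
		$f['post_status'],
		$f['post_author'],
		wp_json_encode( $f['atts'] )
	);
}
```

Checking the raw attribute string as well as the parsed array matters because shortcode_parse_atts() splits on quotes and whitespace, so a value that closes an attribute and opens another shows up as extra, normally-looking attributes rather than as a single odd value. Run the audit both before and after updating the plugin, since the patch changes output escaping but leaves previously stored shortcodes in place.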

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Newbiesup; Newbiesup wp Random Button; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Newbiesup; Newbiesup wp Random Button; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Added: The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp_random_button' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the random_button_html() function directly concatenates the 'cat' and 'nocat' parameters into HTML data-attributes without esc_attr(), and the 'text' parameter into HTML content without esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values Added: WP Random Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:53.414Z

Reserved: 2026-03-12T20:53:29.047Z

Link: CVE-2026-4086

Vulnrichment

Updated: 2026-03-23T18:17:58.598Z

NVD

Status: Deferred

Published: 2026-03-21T04:17:41.020

Modified: 2026-04-24T16:27:44.277

Link: CVE-2026-4086

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:37Z

Weaknesses