Description
The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode in all versions up to, and including, 8.2.0.25. This is due to insufficient input sanitization and output escaping on the 'event' shortcode attribute. The customEventShortCodeButton() function takes the 'event' attribute value and directly interpolates it into a JavaScript string within an onclick HTML attribute without applying esc_attr() or esc_js(). Notably, the sister function customEventShortCode() properly uses esc_js() for the same attribute, but this was omitted in the button variant. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the page and clicks the injected button.
Published: 2026-04-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) via the Bread & Butter shortcode
Action: Patch Immediately
AI Analysis

Impact

Stored Cross‑Site Scripting (XSS) occurs because the 'breadbutter-customevent-button' shortcode accepts an 'event' attribute that is not sanitized. The value is inserted directly into a JavaScript string inside the button's onclick attribute without escaping. A crafted value allows an authenticated Contributor‑level user to inject malicious JavaScript that runs when any page visitor clicks the button. The CWE for this flaw is CWE-79.

Affected Systems

All versions of the Bread & Butter WordPress plugin, from the original release up to and including 8.2.0.25, are affected. The flaw can be exercised on any WordPress installation that has the plugin installed and an account with Contributor or higher privileges. Only an authenticated user can inject the payload; the current code does not expose a reflected or unauthenticated variant.

Risk and Exploitability

The CVSS base score of 6.4 indicates a moderate-severity vulnerability, and the EPSS score is not available. Exploitation requires the attacker to log in as a Contributor or higher, and it targets the web application layer rather than the network. Because the payload is stored in a page and triggers on a button click, an attacker could steal session cookies, deface content, or perform other malicious actions in the victim's browser. The vulnerability is not listed in the CISA KEV catalog, but the moderate CVSS score and the fact that only Contributor-level access is required still make it a notable security concern for site administrators.

Generated by OpenCVE AI on April 22, 2026 at 09:39 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bread & Butter plugin to a version that includes the fix (any release newer than 8.2.0.25).
  • Configure role‑permission settings to remove Contributor or higher privileges from users who should not be able to insert the affected shortcode.
  • Remove or sanitize any existing pages or posts containing the insecure button shortcode to eliminate stored payloads.

Generated by OpenCVE AI on April 22, 2026 at 09:39 UTC.
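As an added example, not part of the OpenCVE record or the plugin's own code, the following Python check supports the third recommended action above: it scans stored post content for the 'breadbutter-customevent-button' shortcode and flags any 'event' attribute value containing characters that could terminate the JavaScript string or the onclick attribute it is interpolated into. The shortcode attribute parsing is a simplified form of WordPress's own, the identifier-only allowlist is an assumption about what legitimate event names look like, and the sample post rows are constructed.

```python
import re

# Added example, not code from the OpenCVE record or the Bread & Butter plugin.
SHORTCODE_RE = re.compile(r"\[breadbutter-customevent-button\b([^\]]*)\]")
# key="v", key='v' or bare key=v; a simplified form of WordPress's attribute parsing.
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Assumed allowlist: a legitimate event name is identifier-like and short.
SAFE_EVENT_RE = re.compile(r"^[A-Za-z0-9_.:-]{0,64}$")


def parse_attrs(attr_text):
    """Return the shortcode attributes found between the brackets as a dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        key, dq, sq, bare = m.groups()
        attrs[key.lower()] = dq if dq is not None else (sq if sq is not None else bare)
    return attrs


def is_safe_event(value):
    """True when the value cannot contain a character (quote, angle bracket,
    backslash, ...) that ends the JS string or the onclick attribute."""
    return SAFE_EVENT_RE.match(value) is not None


def find_unsafe_buttons(posts):
    """posts maps post_id -> post_content. Returns [(post_id, event_value), ...]
    for each button shortcode whose 'event' value fails the allowlist."""
    findings = []
    for post_id, content in posts.items():
        for sc in SHORTCODE_RE.finditer(content):
            event = parse_attrs(sc.group(1)).get("event")
            if event is not None and not is_safe_event(event):
                findings.append((post_id, event))
    return findings


# Constructed sample rows standing in for wp_posts.post_content (not real site data).
SAMPLE_POSTS = {
    101: 'Thanks for visiting. [breadbutter-customevent-button event="newsletter_signup"]',
    102: "[breadbutter-customevent-button event='download-guide' label='Get it']",
    103: '[breadbutter-customevent-button event="it\'s live"]',
    104: "[breadbutter-customevent-button event='<b>promo</b>' label='Go']",
    105: "[breadbutter-customevent event='other-shortcode-ignored']",
}

if __name__ == "__main__":
    for post_id, value in find_unsafe_buttons(SAMPLE_POSTS):
        print(f"post {post_id}: suspicious event value {value!r}")
```

Flagged posts should be reviewed and the shortcode removed or its 'event' value replaced before the plugin is updated, since the stored payload remains in the database regardless of the plugin version.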

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

  • Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

  • First Time appeared (values added): Breadbutter; Breadbutter bread & Butter: Ai-powered Lead Intelligence; Wordpress; Wordpress wordpress
  • Vendors & Products (values added): Breadbutter; Breadbutter bread & Butter: Ai-powered Lead Intelligence; Wordpress; Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

  • Description (values added): The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode in all versions up to, and including, 8.2.0.25. This is due to insufficient input sanitization and output escaping on the 'event' shortcode attribute. The customEventShortCodeButton() function takes the 'event' attribute value and directly interpolates it into a JavaScript string within an onclick HTML attribute without applying esc_attr() or esc_js(). Notably, the sister function customEventShortCode() properly uses esc_js() for the same attribute, but this was omitted in the button variant. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the page and clicks the injected button.
  • Title (values added): Bread & Butter: Content Gating for Verified Leads <= 8.2.0.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
  • Weaknesses (values added): CWE-79
  • References (values added):
  • Metrics (values added): cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T18:22:11.861Z

Reserved: 2026-03-16T15:41:42.321Z

Link: CVE-2026-4279

Vulnrichment

Updated: 2026-04-22T18:22:04.673Z

NVD

Status: Deferred

Published: 2026-04-22T09:16:25.160

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-4279

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:27Z

Weaknesses