{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4086", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T20:53:29.047Z", "datePublished": "2026-03-21T03:26:32.836Z", "dateUpdated": "2026-04-08T16:34:53.414Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:53.414Z"}, "affected": [{"vendor": "newbiesup", "product": "WP Random Button", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp_random_button' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the random_button_html() function directly concatenates the 'cat' and 'nocat' parameters into HTML data-attributes without esc_attr(), and the 'text' parameter into HTML content without esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP Random Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b9e11f5-5a05-4867-abd8-fb07c84a49b0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-random-button/trunk/wp-random-button.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-random-button/tags/1.0/wp-random-button.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-random-button/trunk/wp-random-button.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-random-button/tags/1.0/wp-random-button.php#L50"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "timeline": [{"time": "2026-03-20T15:06:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T18:17:33.400910Z", "id": "CVE-2026-4086", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T18:18:10.629Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4086", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T18:17:33.400910Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T18:17:58.598Z"}}], "cna": {"title": "WP Random Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "newbiesup", "product": "WP Random Button", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:06:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b9e11f5-5a05-4867-abd8-fb07c84a49b0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-random-button/trunk/wp-random-button.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-random-button/tags/1.0/wp-random-button.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-random-button/trunk/wp-random-button.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-random-button/tags/1.0/wp-random-button.php#L50"}], "descriptions": [{"lang": "en", "value": "The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp_random_button' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the random_button_html() function directly concatenates the 'cat' and 'nocat' parameters into HTML data-attributes without esc_attr(), and the 'text' parameter into HTML content without esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:32.836Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4086", "state": "PUBLISHED", "dateUpdated": "2026-03-23T18:18:10.629Z", "dateReserved": "2026-03-12T20:53:29.047Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:32.836Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp_random_button' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the random_button_html() function directly concatenates the 'cat' and 'nocat' parameters into HTML data-attributes without esc_attr(), and the 'text' parameter into HTML content without esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin WP Random Button para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de los atributos del shortcode 'cat', 'nocat' y 'text' del shortcode 'wp_random_button' en todas las versiones hasta la 1.0, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada insuficiente y un escape de salida inadecuado en los atributos del shortcode proporcionados por el usuario. Espec\u00edficamente, la funci\u00f3n random_button_html() concatena directamente los par\u00e1metros 'cat' y 'nocat' en atributos de datos HTML sin esc_attr(), y el par\u00e1metro 'text' en contenido HTML sin esc_html(). Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-4086", "lastModified": "2026-04-24T16:27:44.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:17:41.020", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-random-button/tags/1.0/wp-random-button.php#L46"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-random-button/tags/1.0/wp-random-button.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-random-button/trunk/wp-random-button.php#L46"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-random-button/trunk/wp-random-button.php#L50"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b9e11f5-5a05-4867-abd8-fb07c84a49b0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Random Button", "source": "cna", "vendor": "newbiesup"}, "product": "wp_random_button", "vendor": "newbiesup"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:21:32.191773+00:00", "value": {"mitigation_remediation": ["Update the WP Random Button plugin to the latest version that includes proper escaping.", "If an update is not available, consider disabling the plugin or removing it entirely to stop the vulnerability.", "Restrict Contributor and higher roles from adding or editing content that uses the wp_random_button shortcode.", "Apply a Content Security Policy that blocks inline scripts to mitigate potential XSS impact.", "Verify any existing malicious content is removed from posts or pages using the shortcode."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the WP Random Button plugin version 1.0 or earlier installed. The plugin is provided by the vendor newbiesup. Any WordPress installation that uses this plugin is vulnerable unless it is updated to a newer, secure release.", "description_and_impact": "The WP Random Button plugin stores user\u2011supplied shortcode attributes without proper escaping. An attacker with Contributor level or higher can embed malicious scripts in the 'cat', 'nocat', or 'text' attributes. When a page containing the malicious shortcode is viewed, the injected script runs in the visitor\u2019s browser, giving the attacker the ability to steal session cookies, deface content, or perform further attacks. This is a classic stored XSS that can affect all users who view the compromised post or page.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 6.4, indicating moderate severity. No EPSS score is published, and the issue is not listed in the CISA KEV catalog. Exploitation requires authenticated Contributor or higher privileges on the WordPress site. Once the attacker can edit posts or pages, they can insert the malicious shortcode. After insertion, any unauthenticated visitor who loads the affected page will execute the stored script, making the attack highly scalable once the payload is in place."}}}}, "created": "2026-03-23T09:51:02.201291+00:00", "updated": "2026-03-25T14:42:37.463418+00:00", "vendors": ["newbiesup", "newbiesup$PRODUCT$wp_random_button", "wordpress", "wordpress$PRODUCT$wordpress"]}