The plugin does not sanitise and escape some parameters before outputting them in attributes and in the page, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Add/edit a new button, set its Button action to “Website URL” and add the following payload as URL: javascript:alert(/XSS/)

As label, the following payload can be used as well:

Publish it and the XSS will be triggered when viewing the page with the button (without user interaction for the XSS in the label field, while clicking on it for the XSS in the URL).
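Both sinks described above (the button URL and the label) are closed by an allow-list on the URL scheme plus escaping at output. The following is an added example, not Buttonizer's code; the function names, the allow-listed schemes and the `#` fallback are assumptions.

```javascript
// Added example: names and allow-list are assumptions, not the plugin's API.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape text for use in HTML element content or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Return a normalised absolute URL if its scheme is allow-listed, else null.
// The WHATWG URL parser is used so the check sees the scheme the way a
// browser does (case folded, surrounding whitespace and embedded tabs or
// newlines removed), instead of comparing raw string prefixes.
function safeButtonUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw)); // throws on relative or malformed input
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Render the button link with both values encoded for their context.
// A rejected URL falls back to "#" so the button stays inert.
function renderButton(url, label) {
  const href = safeButtonUrl(url) ?? "#";
  return `<a class="button" href="${escapeHtml(href)}">${escapeHtml(label)}</a>`;
}

// Constructed sample inputs: the URL payload quoted on this page, and a
// benign label that contains markup characters.
console.log(renderButton("javascript:alert(/XSS/)", "Go"));
console.log(renderButton("https://example.com/shop?a=1&b=2", '<b>Buy</b> "now"'));
```

The same two checks belong at save time as well as at render time, so that values stored before a fix are still neutralised when the page is built.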
CPE | Name | Operator | Version |
---|---|---|---|
buttonizer-multifunctional-button | lt | 2.5.5 |