WP Random Button Vulnerability (Medium) – CVE-2026-4086

Mar 20, 2026 | Plugins

Attack Vectors

WP Random Button (slug: wp-random-button) contains a Medium-severity Stored Cross-Site Scripting (XSS) vulnerability (CVSS 6.4) affecting all versions up to and including 1.0. The issue is tracked as CVE-2026-4086.

This is an authenticated attack: any user with Contributor permissions or higher can inject arbitrary web script through the cat, nocat, and text attributes of the wp_random_button shortcode. Contributors cannot publish, but they can submit posts for review, so the payload is stored with the post and executes in the browser of whoever renders it: an Editor or Administrator previewing the pending submission and, once the post is published, every visitor to the page, including marketing staff and executives reviewing content.

The CVSS 3.1 vector behind the 6.4 score (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) records no required user interaction (UI:N), because the victim only has to load the page, and a changed scope (S:C), because script planted by a low-privileged account runs in the browsers of other, more privileged users. Organizations should treat this as a meaningful business risk even though the rating is Medium rather than High.

Security Weakness

The vulnerability stems from missing output escaping of user-supplied shortcode attributes. According to the published advisory, the plugin's random_button_html() function concatenates:

1) the cat and nocat values into HTML data- attributes without attribute escaping (no esc_attr() or equivalent), so a value containing a double quote closes the attribute and can introduce new ones, such as an event handler; and
2) the text value into the element's HTML content without HTML escaping (no esc_html() or equivalent), so markup in the value is rendered rather than displayed as text.

This creates a stored XSS condition where attacker-controlled input can be stored in the database and later rendered in visitors’ browsers as executable script.
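The following PHP is an added illustration of the two escaping gaps described above; it is not the plugin's code or the advisory's. The function names, the exact markup, and the attacker input are hypothetical, and esc_attr()/esc_html() are stubbed so the file runs outside WordPress.

```php
<?php
// Added illustration, not the plugin's code: a shortcode renderer in the unsafe
// shape the advisory describes, beside a hardened version. Function names and
// the exact markup are hypothetical; only the escaping gap is the point.

// Stand-ins so this runs outside WordPress. The real esc_attr()/esc_html() do
// additional checks, but both HTML-encode & < > " ' which is what closes this bug.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Unsafe pattern: attribute values dropped straight into markup.
function random_button_html_unsafe(array $atts): string
{
    $cat   = $atts['cat']   ?? '';
    $nocat = $atts['nocat'] ?? '';
    $text  = $atts['text']  ?? 'Random post';
    return '<a href="#" class="wp-random-button" data-cat="' . $cat
         . '" data-nocat="' . $nocat . '">' . $text . '</a>';
}

// Hardened pattern: each value escaped for the context it lands in.
function random_button_html_safe(array $atts): string
{
    $cat   = $atts['cat']   ?? '';
    $nocat = $atts['nocat'] ?? '';
    $text  = $atts['text']  ?? 'Random post';
    return '<a href="#" class="wp-random-button" data-cat="' . esc_attr($cat)
         . '" data-nocat="' . esc_attr($nocat) . '">' . esc_html($text) . '</a>';
}

// Constructed attacker input, as a Contributor could type it into a post:
//   [wp_random_button cat='" onmouseover="alert(document.domain)' text='<img src=x onerror=alert(1)>']
// WordPress's shortcode parser accepts a single-quoted value that contains double
// quotes, which is what makes the attribute breakout in cat possible. The cat
// payload contains no HTML tag, so the wp_kses filtering applied to low-privilege
// authors on save does not touch it; whether the tag in text survives kses depends
// on the author's role, but the missing esc_html() is a defect either way.
$attacker_atts = [
    'cat'  => '" onmouseover="alert(document.domain)',
    'text' => '<img src=x onerror=alert(1)>',
];

echo "Unsafe:   ", random_button_html_unsafe($attacker_atts), PHP_EOL;
echo "Hardened: ", random_button_html_safe($attacker_atts), PHP_EOL;
```

Run with `php example.php`. The unsafe output carries a live onmouseover attribute on the anchor and a raw img tag inside it; the hardened output shows the same bytes as inert `&quot;` and `&lt;` entities. In a real shortcode handler the $atts array would come from WordPress after shortcode_atts() applied defaults, and the escaping belongs at the point of output, not on save.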

Remediation note: At the time of the advisory, there is no known patch available. Risk acceptance should be evaluated carefully, and many organizations will find it safer to remove the plugin and replace its functionality.

Technical or Business Impacts

Stored XSS in a WordPress environment can translate directly into brand, revenue, and compliance exposure. Potential impacts include:

Account compromise and privilege escalation: If an Administrator or Editor renders a page carrying the payload while logged in, the script runs with their browser session. WordPress authentication cookies are HttpOnly, so outright cookie theft is unlikely, but the script can perform authenticated actions in the background with the victim's privileges, such as creating an administrator account, changing site options, or installing a backdoor plugin, which can lead to full site takeover.

Marketing and analytics tampering: Injected scripts can be used to redirect campaigns, alter landing-page content, insert unauthorized links, or interfere with tracking—undermining attribution, conversion rates, and reporting accuracy.

Data exposure and compliance risk: While the CVSS score indicates low confidentiality and integrity impact, real-world outcomes can still include exposure of user data or unauthorized changes that raise regulatory concerns (especially if authenticated sessions, forms, or customer portals are involved).

Brand damage and customer trust: Visible defacement, unwanted pop-ups/redirects, or malicious content delivered to visitors can erode trust quickly and impact pipeline and revenue.

Operational disruption: Incident response, content audits, emergency plugin removals, and post-incident monitoring can pull teams away from revenue-generating work.

Recommended mitigations (no patch available): Uninstall WP Random Button and replace it with a maintained alternative. In the interim, restrict which roles can submit content, audit existing Contributor accounts and remove any that are not needed, search published, pending, and draft content for wp_random_button shortcodes with unexpected attribute values, and add web application firewall (WAF) rules and logging that flag attribute values containing quotes, angle brackets, or on*= event handlers.
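As an added example of the content-audit step, not part of the plugin or the advisory, the PHP below scans post content for wp_random_button shortcodes whose cat, nocat, or text values contain attribute-breakout or markup characters. The attribute grammar is an approximation of WordPress's shortcode parser, the sample posts are constructed, and the function name is hypothetical.

```php
<?php
// Added example for the content audit step, not part of the plugin or advisory:
// find wp_random_button shortcodes whose cat/nocat/text values carry characters
// that only make sense as an attack on an unescaped attribute or HTML context.

function find_suspicious_random_button_shortcodes(array $posts): array
{
    $findings = [];
    // The shortcode and everything up to its closing bracket.
    $shortcode_re = '/\[wp_random_button\b([^\]]*)\]/i';
    // Approximation of WordPress's attribute grammar: name="v", name='v', name=v.
    // A single-quoted value may contain double quotes, which is exactly the
    // breakout that matters for a data-* attribute.
    $attr_re = '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/';
    // Quotes and angle brackets break out of the attribute or element; the other
    // two patterns are the usual payload shapes once that has happened.
    $suspicious_re = '/["\'<>]|javascript:|\bon\w+\s*=/i';

    foreach ($posts as $post) {
        if (!preg_match_all($shortcode_re, $post['post_content'], $shortcodes, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($shortcodes as $sc) {
            preg_match_all($attr_re, $sc[1], $attrs, PREG_SET_ORDER);
            foreach ($attrs as $a) {
                $name = strtolower($a[1]);
                // Only one of the three value groups matches; the others are empty or absent.
                $value = ($a[2] ?? '') . ($a[3] ?? '') . ($a[4] ?? '');
                if (in_array($name, ['cat', 'nocat', 'text'], true) && preg_match($suspicious_re, $value)) {
                    $findings[] = [
                        'ID'        => $post['ID'],
                        'attr'      => $name,
                        'value'     => $value,
                        'shortcode' => $sc[0],
                    ];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample posts standing in for wp_posts rows: 101 is benign,
// 102 uses the single-quote attribute breakout, 103 injects markup through text.
$sample_posts = [
    ['ID' => 101, 'post_content' => 'Intro text [wp_random_button cat="3" text="Surprise me"] more text'],
    ['ID' => 102, 'post_content' => "[wp_random_button cat='\" onmouseover=\"alert(document.domain)' text='Click']"],
    ['ID' => 103, 'post_content' => '[wp_random_button nocat=7 text="</a><svg onload=alert(1)>"]'],
];

// On a live site, run this file with `wp eval-file scan.php` and replace
// $sample_posts with real content. Include pending and draft posts: a
// Contributor's submission sits in pending status until an Editor reviews it.
// $sample_posts = array_map(
//     fn($p) => ['ID' => $p->ID, 'post_content' => $p->post_content],
//     get_posts(['post_type' => 'any', 'post_status' => 'any', 'numberposts' => -1])
// );

foreach (find_suspicious_random_button_shortcodes($sample_posts) as $f) {
    printf("post %d: attribute %s contains %s\n", $f['ID'], $f['attr'], json_encode($f['value']));
}
```

On the constructed input the scan reports post 102 (cat) and post 103 (text) and stays silent on post 101. It only looks at post_content; revisions, widgets, and custom fields that render shortcodes would need the same treatment.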

Similar attacks (real examples): Stored and DOM XSS through unescaped shortcode attributes reachable by Contributor-level users is a recurring pattern across WordPress plugins and themes and has been exploited in the wild. Other WordPress plugin CVEs cited on this page include CVE-2021-25036 and CVE-2023-6169.

References: Wordfence advisory source: WP Random Button – Stored XSS.
