CVE Catalog

CVE-2026-13245

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

The MaxButtons plugin for WordPress up to version 9.8.5 is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts.

Risk Assessment

An unauthenticated attacker can trick an administrator or user into clicking a crafted link, leading to script execution in the victim's session context. This may result in cookie theft, session hijacking, or content manipulation.

Recommendation

Update the MaxButtons plugin to the latest available version immediately. If an update is not possible, temporarily disable the plugin until a patch is released.

Original NVD description (English source)

The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, 9.8.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS