WWordPress Vulnerability Database

Hong Kong Cyber Alert Button Plugin XSS(CVE20240711)

Cross Site Scripting (XSS) in WordPress Buttons Shortcode and Widget Plugin
0
Shares
0
0
0
0
Plugin Name Buttons Shortcode and Widget
Type of Vulnerability Cross-Site Scripting (XSS)
CVE Number CVE-2024-0711
Urgency Low
CVE Publish Date 2026-01-30
Source URL CVE-2024-0711

Stored XSS in “Buttons Shortcode and Widget” (≤ 1.16) — What WordPress Site Owners Must Do Now

Author: Hong Kong Security Expert

Publish date: 2026-01-30

Description: A deep-dive analysis of the stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin “Buttons Shortcode and Widget” (≤ 1.16). Technical background, exploitation scenarios, detection, emergency mitigation and long-term remediation guidance.

Executive summary

On 2026-01-30 a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin “Buttons Shortcode and Widget” (versions ≤ 1.16) was disclosed (CVE-2024-0711). The vulnerability allows an attacker with contributor-level access to store malicious JavaScript inside a shortcode attribute or content which is later executed when privileged users (or site visitors in some scenarios) render the affected page or interact with certain UI elements. The issue is a stored (persistent) XSS and has a CVSS score of 6.5.

Although the vulnerability requires an attacker to have the ability to publish content (Contributor role) or lure a privileged user into performing some action, its persistence and ability to execute in the context of the site make it a serious concern. In this post I walk through:

  • What happened and why it matters
  • How stored XSS in a shortcode context typically works
  • Realistic exploitation scenarios
  • How to detect if your site is affected
  • Emergency mitigations you can apply right now
  • Developer guidance on properly fixing the plugin
  • Long-term hardening and monitoring recommendations

This guide is written for WordPress administrators, agencies, developers and security-conscious site owners, from the perspective of a Hong Kong security professional experienced with incident response and web application hardening.

What is stored XSS and why this vulnerability matters

Stored XSS occurs when an attacker is able to store malicious script content on the server (in the database, post content, widget options, etc.) and that content is served back to other users in a way that allows the script to execute in their browsers. Unlike reflected XSS, a stored XSS payload persists and can affect any user that views the infected content.

In the case of the “Buttons Shortcode and Widget” plugin, the shortcode handling fails to properly validate and escape input and/or output. That allows a malicious actor to embed script-like content inside shortcode attributes or content. When the shortcode is rendered later (for example when an admin previews a post, or a privileged user loads the editor or dashboard area that renders the shortcode output), the malicious JavaScript runs with the privileges of the browser user visiting the page.

Why it’s serious:

  • Persistent reach — once stored, the payload can affect many users over time.
  • Privileged target — the vulnerability requires the ability to store content (Contributor role in this case), but execution can impact editors, administrators or other higher-privileged users.
  • Post-exploitation impact — an executed script can steal cookies, perform actions on behalf of the user, inject additional payloads, install backdoors, or manipulate site content.

The disclosure indicates user interaction is required (a privileged user must visit a crafted page or click a link), but that doesn’t reduce the importance of rapid mitigation: attackers can combine social engineering with the stored payload to escalate their opportunities.

A technical high-level overview

Vulnerable pattern (conceptual):

  • A shortcode callback accepts attributes from the shortcode input without validating or escaping them properly.
  • The plugin later outputs those attributes directly into HTML (for example, inside an href, onclick, or innerHTML context) without escaping.
  • Because attributes can contain quote characters and other markup, an attacker can inject script hooks (e.g., event handlers or script tags) that execute in the browser.

Typical vulnerable flow:

  1. Contributor posts content containing a shortcode, e.g. [button url=”…”] (malicious payload embedded in attribute or content).
  2. The plugin saves that shortcode to the database as part of the post content or widget options.
  3. When an administrator/editor/visitor loads the page, the plugin renders the shortcode and inserts the unescaped attribute content into the HTML.
  4. The browser treats the injected content as script/handler and executes it.

Important: avoid searching for exact exploit payloads here; the pattern above is what developers need to address.

Exploitation scenarios — what an attacker can realistically do

Understanding how an attacker could chain this vulnerability into a practical attack helps prioritize mitigation.

  1. Privileged-account injection (insider or compromised account)

    An attacker gains a Contributor account (via weak passwords, compromised registrations, or social engineering). They add a post or widget with a crafted shortcode that includes malicious content. An Editor or Administrator later visits the post (preview or edit), causing inline JavaScript to execute in their browser. The script could attempt to create a new admin user (via REST API calls using the admin’s credentials), exfiltrate REST nonces or cookies, or inject additional backdoors.

  2. Social engineering + stored payload

    Malicious content remains hidden in a post or widget, and attackers send a specially crafted link to an Administrator urging them to preview content. The payload executes when the admin clicks the link; potential outcomes include session theft and unauthorized changes.

  3. Visitor-targeted attack

    If the stored payload executes for anonymous visitors, this can be used to redirect users to phishing sites, show fake payment forms, or display ads.

  4. Lateral movement on multi-site or multi-author environments

    On larger installs with many authors, an attacker could target a high-value author or an editor by ensuring the malicious content is in a frequently visited page.

How to detect whether your site is affected

Detection should combine automated scans with targeted manual checks.

  1. Check plugin versions

    If your site runs “Buttons Shortcode and Widget” plugin version ≤ 1.16, treat this as potentially vulnerable until the plugin is updated and verified.

  2. Search database for suspicious shortcode usage

    Look for occurrences of the plugin’s shortcodes in post_content or widget options. Use WP-CLI for quick checks:

    wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[button%';"
wp db query "SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%[button%';"

    Inspect results for unexpected HTML attributes, embedded script-like content, or suspicious encodings (base64, JS-escaped payloads).

  3. Search for