Vector: Remote
Severity: Low
Patch: Unpatched
Impact: Cross-site Scripting (XSS)
Software: WordPress MaxButtons: WordPress Button Generator Plugin 1.x, vulnerable versions: <=1.26.0
A cross-site scripting (XSS) vulnerability has been discovered in the WordPress Button Generator Plugin.
The vulnerability is caused by an input validation error in the "id" GET parameter to "wp-admin/admin.php" (when "page" is set to "maxbuttons-controller" and "action" is set to "button"). A remote attacker can send a specially crafted HTTP request to the vulnerable application and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Further exploitation of this vulnerability may result in the theft of potentially sensitive user information, such as cookies, or in disguising the information presented on the website.
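Because the advisory lists the issue as unpatched, site operators may want to review web server logs for requests to the affected endpoint. The following is an added example, not code from the advisory or the plugin: it scans access-log lines for the parameter combination named above and flags any "id" value that is not a plain integer. The log format, the sample lines and the assumption that a legitimate "id" is a numeric button identifier are all assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2014:10:00:01 +0000] "GET /wp-admin/admin.php?page=maxbuttons-controller&action=button&id=12 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Oct/2014:10:02:44 +0000] "GET /wp-admin/admin.php?page=maxbuttons-controller&action=button&id=7%22%3E%3Csvg%3E HTTP/1.1" 200 5188
203.0.113.9 - - [01/Oct/2014:10:03:10 +0000] "GET /wp-admin/admin.php?action=button&id=%253Cb%253E&page=maxbuttons-controller HTTP/1.1" 200 5190
198.51.100.2 - - [01/Oct/2014:10:05:00 +0000] "GET /wp-admin/admin.php?page=other-plugin&id=%3Cb%3E HTTP/1.1" 200 900
"""

# Client address and request target from a combined-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate button id is a non-empty run of ASCII digits.
VALID_ID_RE = re.compile(r"[0-9]+")


def last(params, name):
    """PHP keeps the last value of a repeated query parameter; mirror that."""
    return params.get(name, [""])[-1]


def suspicious_requests(log_text):
    """Return (client, decoded_id) for requests to the advisory's endpoint
    whose id parameter is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        # parse_qs percent-decodes once, as the web server does.
        params = parse_qs(url.query, keep_blank_values=True)
        if last(params, "page") != "maxbuttons-controller":
            continue
        if last(params, "action") != "button":
            continue
        # Allowlist check: anything other than digits is reported, so
        # double-encoded or unusual values are caught without a blocklist.
        for value in params.get("id", []):
            if not VALID_ID_RE.fullmatch(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent non-numeric id: {value!r}")
```

The same allowlist test can be applied as a request filter in front of the application until a fixed plugin version is available.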
CVE ID: CVE-2014-7181
Links: