The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode in all versions up to, and including, 8.2.0.25. This is due to insufficient input sanitization and output escaping on the 'event' shortcode attribute. The customEventShortCodeButton() function takes the 'event' attribute value and directly interpolates it into a JavaScript string within an onclick HTML attribute without applying esc_attr() or esc_js(). Notably, the sister function customEventShortCode() properly uses esc_js() for the same attribute, but this was omitted in the button variant. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the page and clicks the injected button.
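The following is an added illustration, not the plugin's own code: a simplified reconstruction of the unescaped interpolation pattern the advisory describes, beside the hardened form that applies esc_js() as the sister function does. The handler names, the `breadbutter.fire()` JavaScript call and the button markup are assumptions; the esc_js()/esc_attr() stand-ins exist only so the file runs outside WordPress and are simpler than the real core functions.

```php
<?php
// Added example (not the Bread & Butter plugin's code). Minimal stand-ins so
// this runs outside WordPress; the real esc_js()/esc_attr() are core functions
// with more complete behaviour (UTF-8 checks, entity normalisation).
if (!function_exists('esc_js')) {
    function esc_js(string $text): string {
        // HTML-encode &, <, > and " so the result is safe inside a double-quoted
        // attribute, then backslash-escape quotes/backslashes for the JS string.
        $text = htmlspecialchars($text, ENT_COMPAT, 'UTF-8', false);
        $text = addslashes($text);
        return str_replace(["\r", "\n"], ['', '\n'], $text);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
    }
}

// Vulnerable pattern from the advisory: the 'event' attribute is dropped
// straight into a JS string literal inside an onclick attribute.
function custom_event_button_vulnerable(array $atts): string {
    $event = $atts['event'] ?? '';
    return '<button onclick="breadbutter.fire(\'' . $event . '\')">Go</button>';
}

// Hardened form: esc_js() escapes for the JS string context and its output is
// already attribute-safe, so no further esc_attr() is needed on that value.
function custom_event_button_fixed(array $atts): string {
    $event = esc_js($atts['event'] ?? '');
    return '<button onclick="breadbutter.fire(\'' . $event . '\')">Go</button>';
}

// Constructed attribute value containing quote characters, as a Contributor
// could supply via [breadbutter-customevent-button event="..."].
$atts = ['event' => "click'n'go\" x"];

// Vulnerable output: the apostrophe terminates the JS string literal and the
// double quote terminates the HTML attribute, so the remainder is attacker-
// controlled markup and script.
echo custom_event_button_vulnerable($atts), PHP_EOL;

// Fixed output: quotes arrive as \' and &quot;, so the value stays a plain
// string argument and the attribute boundary is preserved.
echo custom_event_button_fixed($atts), PHP_EOL;
```

Run with `php example.php` and compare the two lines: the only difference is whether the quote characters reach the page as delimiters or as data.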
The Bread & Butter WordPress plugin versions up to 8.2.0.25 contain a Stored Cross-Site Scripting vulnerability in the 'breadbutter-customevent-button' shortcode due to insufficient input sanitization. Authenticated attackers with Contributor-level access can inject malicious scripts that execute when users interact with affected pages.
The Bread & Butter plugin for WordPress contains a Stored XSS vulnerability in the customEventShortCodeButton() function, where the value of the 'event' attribute is inserted directly into a JavaScript string without applying esc_attr() or esc_js(). Authenticated attackers with Contributor-level access or above can inject arbitrary scripts that execute when users access the page and click the injected button.
Update the Bread & Butter plugin to version 8.2.0.26 or later immediately. If immediate patching is not possible, restrict Contributor-level access to trusted users only and disable the 'breadbutter-customevent-button' shortcode if not essential. Review all pages using this shortcode for malicious content.
Update the Bread & Butter plugin to version 8.2.0.26 or later immediately. If an immediate update is not possible, restrict Contributor-level access to trusted users only and disable the 'breadbutter-customevent-button' shortcode if it is not essential. Review all pages that use this shortcode for malicious content.