CVE-2026-13245
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
The MaxButtons plugin for WordPress up to version 9.8.5 is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts.
Risk Assessment
An unauthenticated attacker can trick an administrator or user into clicking a crafted link, leading to script execution in the victim's session context. This may result in cookie theft, session hijacking, or content manipulation.
Recommendation
Update the MaxButtons plugin to the latest available version immediately. If an update is not possible, temporarily disable the plugin until a patch is released.
Original NVD description (English source)
The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, 9.8.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

