Bread & Butter WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Bread & Butter plugin for WordPress, affecting all versions through 8.2.0.25. The issue arises from inadequate input sanitization and output escaping on the 'event' attribute of the 'breadbutter-customevent-button' shortcode. The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary scripts that execute when a user clicks the injected button on the page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can use the 'breadbutter-customevent-button' shortcode. The 'event' attribute can be set to a value that includes JavaScript code, which will be executed when the button is clicked.

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.