CVE-2026-4279 Overview
CVE-2026-4279 is a Stored Cross-Site Scripting (XSS) vulnerability in the Bread & Butter plugin for WordPress, affecting all versions up to and including 8.2.0.25. The flaw resides in the breadbutter-customevent-button shortcode handler. The customEventShortCodeButton() function interpolates the event shortcode attribute directly into a JavaScript string within an onclick HTML attribute without calling esc_attr() or esc_js(). Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes when any user views the page and clicks the injected button. The issue is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Authenticated Contributor-level users can store malicious JavaScript that executes in any visitor's browser session, enabling session theft, account takeover, and admin privilege escalation.
Affected Products
- Bread & Butter plugin for WordPress, all versions through 8.2.0.25
- WordPress sites permitting Contributor-level or higher accounts to use shortcodes
- Any site where the breadbutter-customevent-button shortcode is rendered to visitors
Discovery Timeline
- 2026-04-22 - CVE-2026-4279 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-4279
Vulnerability Analysis
The vulnerability exists in src/Base/Shortcode.php within the customEventShortCodeButton() function. The handler accepts an event attribute from the shortcode and concatenates that value into a generated onclick JavaScript handler. Because no escaping is applied, attacker-supplied content breaks out of the JavaScript string context and executes as code. The sister function customEventShortCode() correctly applies esc_js() to the same attribute, demonstrating the developers' intent. The button variant simply omitted the escaping call. Contributors can save posts containing the shortcode, and the payload executes when any later viewer, including administrators, clicks the rendered button.
Root Cause
The root cause is missing output escaping. WordPress provides esc_attr() for HTML attribute contexts and esc_js() for inline JavaScript string contexts. Neither function is invoked on the event attribute before it is written into the onclick handler. This creates a nested context, JavaScript inside an HTML attribute, where attacker input is treated as code. Source review of the affected lines is available in the WordPress Plugin Trac at line 364 and line 380.
Attack Vector
An authenticated attacker holding at least Contributor privileges authors a post containing the breadbutter-customevent-button shortcode with a crafted event attribute. The payload terminates the JavaScript string and appends arbitrary code such as a fetch request that exfiltrates cookies or invokes the WordPress REST API on behalf of the viewer. Execution occurs in the victim's browser when they click the button, inheriting the victim's session privileges.
Further technical detail is documented in the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-4279
Indicators of Compromise
- Post or page content containing [breadbutter-customevent-button] shortcodes with suspicious event attribute values containing quotes, parentheses, or script fragments
- Outbound browser requests from authenticated admin sessions to unfamiliar external hosts shortly after page render
- New administrator accounts or unexpected role changes following Contributor activity
- WordPress audit log entries showing Contributor edits to pages later viewed by privileged users
Detection Strategies
- Scan the wp_posts table for the breadbutter-customevent-button shortcode and inspect every event attribute value for non-alphanumeric characters
- Deploy a Web Application Firewall (WAF) rule that flags shortcode attributes containing single quotes, backslashes, or angle brackets
- Enable Content Security Policy (CSP) reporting to capture inline script execution attempts originating from onclick handlers
Monitoring Recommendations
- Monitor Contributor and Author account activity for unusual post submissions referencing Bread & Butter shortcodes
- Log and review all administrative actions following page views of Contributor-authored content
- Alert on unexpected outbound HTTP requests from administrator browser sessions to non-allowlisted domains
How to Mitigate CVE-2026-4279
Immediate Actions Required
- Audit all installed copies of the Bread & Butter plugin and identify sites running version 8.2.0.25 or earlier
- Remove or restrict the breadbutter-customevent-button shortcode from Contributor-editable content until a patched release is deployed
- Review existing posts for malicious event attribute values and sanitize or delete affected entries
- Rotate authentication cookies and force password resets for administrator accounts that viewed suspect content
Patch Information
At the time of publication, the vendor source referenced in NVD is the trunk and the tagged 8.2.0.25 branch of the WordPress Plugin Trac repository. Administrators should upgrade to the next vendor release that applies esc_js() or esc_attr() to the event attribute, mirroring the fix already present in customEventShortCode().
Workarounds
- Restrict the Contributor role from using shortcodes by applying a kses filter or removing shortcode support from untrusted roles
- Apply a custom mu-plugin that wraps the shortcode output and calls esc_js() on the event attribute before render
- Deploy a WAF rule that blocks POST requests containing the shortcode with quote or backslash characters in the event attribute
- Disable the Bread & Butter plugin entirely on sites where the custom event button feature is not required
<?php
# Example mu-plugin filter to harden the vulnerable shortcode
# Save as wp-content/mu-plugins/breadbutter-xss-mitigation.php
add_filter('the_content', function ($content) {
    return preg_replace_callback(
        '/\[breadbutter-customevent-button([^\]]*)\]/',
        function ($m) {
            # Rewrite only the event attribute (double-, single- or unquoted); other attributes are left untouched.
            $atts = preg_replace_callback(
                '/\bevent\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/',
                function ($a) {
                    $raw = $a[1] . ($a[2] ?? '') . ($a[3] ?? ''); # exactly one capture group is non-empty
                    # esc_js() backslash-escapes quotes and backslashes and encodes " as &quot;, so the value can no longer terminate the JS string.
                    return 'event="' . esc_js($raw) . '"';
                },
                $m[1]
            );
            return '[breadbutter-customevent-button' . $atts . ']';
        },
        $content
    );
}, 1); # priority 1 runs before do_shortcode() at priority 11; content rendered outside the_content is not covered
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


