PatchSiren


CVE-2026-13245 maxfoundry CVE debrief

The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, 9.8.5. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability has a CVSS score of 6.1 and a severity of MEDIUM. The CVE was published on 2026-06-27T06:16:31.773Z and last modified on 2026-06-29T14:16:41.810Z.

Vendor: maxfoundry
Product: MaxButtons – Create buttons
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-27
Original CVE updated: 2026-06-29
Advisory published: 2026-06-27
Advisory updated: 2026-06-29

Who should care

WordPress users who have installed the MaxButtons – Create buttons plugin, especially those using versions up to and including 9.8.5, should be aware of this vulnerability. Additionally, security teams responsible for monitoring and patching WordPress plugins should prioritize this CVE. Users of WordPress should ensure they are running the latest version of the plugin or apply necessary patches to mitigate the risk.

Technical summary

The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the 'view' parameter. This vulnerability exists due to insufficient input sanitization and output escaping in the plugin. An attacker can exploit this vulnerability by crafting a malicious link that, when clicked by a user, injects arbitrary web scripts into the page. This could lead to unauthorized actions on behalf of the user or theft of sensitive information. The vulnerability has been assigned a CVSS score of 6.1, indicating a medium severity level.

Defensive priority

Treat patching this vulnerability as medium priority, as it allows for Reflected Cross-Site Scripting attacks. Immediate action is recommended to prevent potential exploitation.

Recommended defensive actions

  • Update the MaxButtons – Create buttons plugin to the latest version available.
  • Review and patch affected WordPress installations.
  • Monitor for suspicious activity related to the plugin.
  • Implement additional security measures such as Web Application Firewalls (WAFs) to detect and prevent XSS attacks.
  • Educate users about the risks of clicking on suspicious links.
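
For the monitoring step, the following added example (not code from the plugin or from the CVE record) scans web server access logs for requests whose 'view' query parameter contains anything other than an identifier-like token. It assumes combined-format logs and that legitimate 'view' values are short alphanumeric names; the log lines and the `page=example` path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumption: legitimate 'view' values are short identifier-like tokens.
SAFE_VIEW = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, placeholder page name).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Jun/2026:10:00:00 +0000] '
    '"GET /wp-admin/admin.php?page=example&view=list HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [27/Jun/2026:10:01:00 +0000] '
    '"GET /wp-admin/admin.php?page=example&view=list%22%3E%3Cb%3Ex HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [27/Jun/2026:10:02:00 +0000] '
    '"GET /wp-admin/admin.php?page=example&view=%253Cb%253E HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.9 - - [27/Jun/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 128 "-" "-"',
]

def suspicious_view_values(log_line):
    """Return decoded 'view' values from one log line that fail the allowlist."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    flagged = []
    for value in parse_qs(query).get("view", []):
        # parse_qs has percent-decoded once; anything outside the allowlist
        # (quotes, angle brackets, leftover '%' from double encoding) is flagged.
        if not SAFE_VIEW.fullmatch(value):
            # Decode a second time so double-encoded input is readable in the alert.
            flagged.append(unquote_plus(value))
    return flagged

def scan(lines):
    """Return (client_ip, decoded_value) for every flagged request."""
    hits = []
    for line in lines:
        client_ip = line.split(" ", 1)[0]
        hits.extend((client_ip, value) for value in suspicious_view_values(line))
    return hits

if __name__ == "__main__":
    for client_ip, value in scan(SAMPLE_LOG):
        print(f"suspicious view parameter from {client_ip}: {value!r}")
```

This only inspects the query string recorded in the access log, so values sent in a POST body would need request-body logging or a WAF rule to be seen.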

Evidence notes

The CVE-2026-13245 record was obtained from the National Vulnerability Database (NVD) and provides details about the vulnerability in the MaxButtons – Create buttons plugin for WordPress. The vulnerability allows for Reflected Cross-Site Scripting via the 'view' parameter in all versions up to and including 9.8.5. The CVSS score for this vulnerability is 6.1, indicating a medium severity level. The CVE was published on 2026-06-27T06:16:31.773Z and last modified on 2026-06-29T14:16:41.810Z.

This article is AI-assisted and based on the supplied source corpus.