CVE-2026-4086 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP Random Button plugin for WordPress, affecting all versions up to and including 1.0. The vulnerability stems from the plugin's random_button_html() function, which improperly handles user input from shortcode attributes 'cat', 'nocat', and 'text'. Specifically, the 'cat' and 'nocat' parameters are concatenated directly into HTML data-attributes without using esc_attr(), and the 'text' parameter is inserted into HTML content without esc_html(). This lack of proper input sanitization and output escaping allows an authenticated attacker with Contributor-level privileges or higher to inject arbitrary JavaScript code that is stored persistently within the website's content. When any user visits a page containing the malicious shortcode, the injected script executes in their browser context, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the user. The vulnerability requires authentication but no additional user interaction to trigger. The CVSS 3.1 base score of 6.4 reflects a network attack vector with low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or official fixes are currently published, and no known exploits have been reported in the wild as of the publication date.

The primary impact of CVE-2026-4086 is the potential compromise of user confidentiality and integrity through stored XSS attacks. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors, including administrators and other privileged users. This can lead to session hijacking, credential theft, unauthorized actions, defacement, or distribution of malware. Since the vulnerability is stored, the malicious payload persists and affects all users who access the infected pages. Although availability is not directly impacted, the reputational damage and potential data breaches can be severe for organizations relying on the affected plugin. Given WordPress's widespread use globally, websites using WP Random Button are at risk, especially those with multiple contributors. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but the risk remains significant in multi-user environments such as blogs, corporate sites, and community portals.

1. Immediately restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious shortcode injection. 2. Monitor existing content for suspicious shortcode usage and remove or sanitize any untrusted inputs in 'cat', 'nocat', and 'text' attributes. 3. Implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads in shortcode attributes. 4. If possible, disable or remove the WP Random Button plugin until a security patch is released. 5. For developers or site administrators with coding expertise, apply temporary manual fixes by sanitizing and escaping shortcode attributes using esc_attr() for data-attributes and esc_html() for HTML content before output. 6. Educate content contributors about the risks of injecting untrusted code and enforce strict content review policies. 7. Regularly audit user accounts and revoke unnecessary Contributor or higher privileges. 8. Stay updated with the plugin vendor or WordPress security advisories for official patches or updates addressing this vulnerability.