CVE-2026-4279 is a stored cross-site scripting vulnerability in the Bread & Butter: AI-Powered Lead Intelligence WordPress plugin. The vulnerability exists because the customEventShortCodeButton() function interpolates the 'event' shortcode attribute directly into a JavaScript string within an onclick HTML attribute without applying proper escaping functions such as esc_attr() or esc_js(). This contrasts with the related customEventShortCode() function, which correctly escapes this attribute. As a result, authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript that executes when users interact with the injected button, potentially compromising user sessions or performing other malicious actions.

An attacker with Contributor-level access or higher can inject persistent malicious scripts into pages via the vulnerable shortcode attribute. These scripts execute in the context of users who view and click the injected button, potentially leading to session hijacking, unauthorized actions, or data theft. The vulnerability does not allow unauthenticated attackers to exploit it, and it requires user interaction (clicking the button) to trigger the script execution. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction needed for initial injection but required for script execution, and impact on confidentiality and integrity but not availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level and higher permissions to trusted users only to reduce risk. Avoid using the 'breadbutter-customevent-button' shortcode with untrusted input. Monitor plugin updates from the vendor and apply official patches promptly once available.