CVE-2026-4279 is a stored cross-site scripting vulnerability in the Bread & Butter WordPress plugin's 'breadbutter-customevent-button' shortcode. The issue arises from insufficient input sanitization and output escaping of the 'event' shortcode attribute in the customEventShortCodeButton() function. Unlike the related customEventShortCode() function, which properly escapes this input, the button variant directly interpolates the attribute into a JavaScript string within an onclick attribute without using esc_attr() or esc_js(). This flaw allows authenticated users with Contributor or higher privileges to inject arbitrary JavaScript that executes when the injected button is clicked by any user viewing the page. The vulnerability affects all versions up to and including 8.2.0.25. No patch or official fix has been disclosed as of the published date.

An attacker with Contributor-level or higher access can inject malicious JavaScript code into pages via the vulnerable shortcode attribute. This code executes in the context of users who view and interact with the injected button, potentially leading to session hijacking, privilege escalation, or other client-side attacks. The vulnerability does not allow unauthenticated exploitation and requires user interaction (clicking the injected button). The CVSS score of 6.4 reflects a medium impact with low attack complexity and no user interaction required for the initial injection but required for script execution.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level access to trusted users only to reduce risk. Avoid using the 'breadbutter-customevent-button' shortcode with untrusted input. Monitor for plugin updates from the vendor that address this vulnerability.