Does Button have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Button compatible with WordPress 6.9.4?

According to WordPress.org data, Button 1.1.32 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Button compatible with PHP 5.6+?

Button requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Button updated?

Button was last updated on Dec 3, 2025. Frequent updates are generally a positive security signal.

What is Button's security score?

Button has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Button Security & Risk Analysis

wordpress.org/plugins/button

Create beautiful buttons and social icons. Button plugin is powerful and easy to use. You can create any types of buttons such as css3 & 3D Buttons.

2K active installs v1.1.32 PHP 5.6+ WP 4.8+ Updated Dec 3, 2025

css3-responsive-buttonsdrop-down-buttonshare-buttonwhatsapp-buttonswordpress-button-plugin

A · Safe

CVEs total2

Unpatched0

Last CVEMar 28, 2024

Plugin page Download

Safety Verdict

Is Button Safe to Use in 2026?

Generally Safe

Score 99/100

Button has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: Mar 28, 2024Updated 5mo ago

Risk Assessment

The "button" plugin v1.1.32 exhibits a generally positive security posture based on static analysis, with excellent practices in SQL query handling and output escaping, both at 100%. The plugin demonstrates awareness of WordPress security by including nonce and capability checks for its identified entry points, although these are limited. However, the presence of the `unserialize` function without further context on its usage is a significant concern, as it can be a vector for deserialization vulnerabilities if used with untrusted data. The vulnerability history reveals a pattern of past vulnerabilities, specifically Deserialization of Untrusted Data and Cross-site Scripting, which is concerning. While there are no currently unpatched CVEs, the existence of a past high-severity vulnerability in these categories warrants caution. Overall, the plugin has strengths in modern secure coding practices but is weakened by a potentially dangerous function and a history of exploitable vulnerabilities, indicating a need for vigilant monitoring and potentially code review around the `unserialize` usage.

Key Concerns

Presence of unserialize function
History of High severity vulnerability
History of Medium severity vulnerability

Vulnerabilities

2 published

Button Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

High

Medium

2 total CVEs

CVE-2024-1872high · 8.8Deserialization of Untrusted Data

Button <= 1.1.27 - Authenticated (Contributor+) PHP Object Injection in button_shortcode

Mar 28, 2024 Patched in 1.1.28 (13d)

CVE-2023-23871medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Button <= 1.1.22 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 12, 2023 Patched in 1.1.23 (256d)

Version History

Button Release Timeline

v1.1.32Current

v1.1.31

v1.1.30

v1.1.29

v1.1.28

v1.1.271 CVE

v1.1.261 CVE

v1.1.251 CVE

v1.1.241 CVE

v1.1.231 CVE

v1.1.222 CVEs

CVE-2023-23871 CVE-2024-1872

v1.1.212 CVEs

CVE-2023-23871 CVE-2024-1872

v1.1.202 CVEs

CVE-2023-23871 CVE-2024-1872

v1.1.192 CVEs

CVE-2023-23871 CVE-2024-1872

v1.1.182 CVEs

CVE-2023-23871 CVE-2024-1872

v1.1.172 CVEs

CVE-2023-23871 CVE-2024-1872

v1.1.162 CVEs

CVE-2023-23871 CVE-2024-1872

v1.1.152 CVEs

CVE-2023-23871 CVE-2024-1872

v1.1.142 CVEs

CVE-2023-23871 CVE-2024-1872

v1.1.132 CVEs

CVE-2023-23871 CVE-2024-1872

Code Analysis

Analyzed Mar 16, 2026

Button Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

478 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$button_data = unserialize(get_post_meta($post_id,'button_custom_setting_'.$post_id, true));inc\duplicate.php:58

Output Escaping

100% escaped480 total outputs

Data Flows · Security

All sanitized

Data Flow Analysis

2 flows

button_duplicate_post_as_draft (inc\duplicate.php:6)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Button Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[WD_Button] inc\shortcode.php:10

WordPress Hooks 12

actionplugins_loadedbutton.php:31

actioninitinc\cpt\button-cpt.php:3

filtermanage_edit-wd_button_columnsinc\cpt\button-cpt.php:36

actionmanage_wd_button_posts_custom_columninc\cpt\button-cpt.php:37

actionadd_meta_boxesinc\cpt\button-cpt.php:91

actionin_admin_headerinc\cpt\button-cpt.php:156

actionsave_postinc\cpt\button-cpt.php:194

actionadmin_action_button_duplicate_post_as_draftinc\duplicate.php:86

filterpost_row_actionsinc\duplicate.php:98

actionadmin_enqueue_scriptsinc\enqueue.php:3

actionwp_headinc\shortcode.php:4

actionwidgets_initinc\widget.php:136

Maintenance & Trust

Button Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedDec 3, 2025

PHP min version5.6

Downloads108K

Community Trust

Rating90/100

Number of ratings53

Active installs2K

Alternatives

Button Alternatives

AddToAny Share Buttons

add-to-any

Share buttons for WordPress including the AddToAny button, Facebook, Bluesky, Mastodon, WhatsApp, Pinterest, Reddit, many more, and follow icons too.

300K 3 CVEs

Social Sharing Plugin – Sassy Social Share

sassy-social-share

The Simplest and Optimized Social Share buttons. Facebook, X, Reddit, Pinterest, Whatsapp, Grok, ChatGPT, Gab, Gettr and over 100 more.

100K 11 CVEs

Social Icons Widget & Block – Social Media Icons & Share Buttons

social-icons-widget-by-wpzoom

Social media icons plugin for WordPress - Add 400+ social icons and share buttons. Gutenberg block, widget & Elementor support. GDPR compliant.

100K 3 CVEs

Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More

themeisle-companion

Add modules like share buttons, header & footer scripts, disable comments, reading progress bar, custom fonts, custom login page & more in one plugin.

100K 20 CVEs

MaxButtons – Create buttons

maxbuttons

Maxbuttons is the best and easiest button plugin for WordPress. Within minutes you can create beautiful buttons, share buttons and social icons.

70K 13 CVEs

Developer Profile

Button Developer Profile

BurgerThemes

38 plugins · 20K total installs

trust score

Avg Security Score

98/100

Avg Patch Time

135 days

View full developer profile

Detection Fingerprints

How We Detect Button

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/button/assets/css/bootstrap.min.css/wp-content/plugins/button/assets/js/bootstrap.min.js/wp-content/plugins/button/assets/js/admin/button-effect-script.js/wp-content/plugins/button/assets/js/admin/button-color-picker.js/wp-content/plugins/button/assets/css/admin/metaboxes-style.css/wp-content/plugins/button/assets/css/admin/jquery.numberedtextarea.css/wp-content/plugins/button/assets/js/admin/jquery.numberedtextarea.js/wp-content/plugins/button/assets/js/admin/admin.js+3 more

Script Paths

/wp-content/plugins/button/assets/js/bootstrap.min.js/wp-content/plugins/button/assets/js/admin/button-effect-script.js/wp-content/plugins/button/assets/js/admin/button-color-picker.js/wp-content/plugins/button/assets/js/admin/jquery.numberedtextarea.js/wp-content/plugins/button/assets/js/admin/admin.js/wp-content/plugins/button/assets/js/admin/button-preview.js

Version Parameters

button/assets/css/bootstrap.min.css?ver=button/assets/js/bootstrap.min.js?ver=button/assets/js/admin/button-effect-script.js?ver=button/assets/js/admin/button-color-picker.js?ver=button/assets/css/admin/metaboxes-style.css?ver=button/assets/css/admin/jquery.numberedtextarea.css?ver=button/assets/js/admin/jquery.numberedtextarea.js?ver=button/assets/js/admin/admin.js?ver=button/assets/js/admin/button-preview.js?ver=

HTML / DOM Fingerprints

CSS Classes

shortcode_meta_box

Data Attributes

button_custom_setting

JS Globals

php_vars

Shortcode Output

[WD_Button id=

FAQ

Button Security & Risk Analysis

Is Button Safe to Use in 2026?

Generally Safe

Key Concerns

Button Security Vulnerabilities

CVEs by Year

Severity Breakdown

Button Release Timeline

Button Code Analysis

Dangerous Functions Found

Output Escaping

Data Flow Analysis

Button Attack Surface

Shortcodes 1

Button Maintenance & Trust

Maintenance Signals

Community Trust

Button Alternatives

AddToAny Share Buttons

Social Sharing Plugin – Sassy Social Share

Social Icons Widget & Block – Social Media Icons & Share Buttons

Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More

MaxButtons – Create buttons

Button Developer Profile

How We Detect Button

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Button