Buttonizer – Floating Menus, Sticky Buttons, & Popup Builder Security & Risk Analysis

wordpress.org/plugins/buttonizer-multifunctional-button

Floating Menus, Sticky Buttons, & Popup builder. WhatsApp Chat, Facebook Messenger, Telegram, Live Chat, Call, SMS, Email & more.

80K active installs · v3.4.12 · PHP 7.0+ · WP 4.7+ · Updated Jan 28, 2026
Tags: action-button, call, conversion, marketing, social-sharing
Score: 100 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Nov 29, 2021

Safety Verdict

Is Buttonizer – Floating Menus, Sticky Buttons, & Popup Builder Safe to Use in 2026?

Generally Safe

Score 100/100

Buttonizer – Floating Menus, Sticky Buttons, & Popup Builder has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Nov 29, 2021 · Updated 2mo ago

Risk Assessment

The 'buttonizer-multifunctional-button' plugin, version 3.4.12, exhibits a mixed security posture. While it demonstrates good practices like using prepared statements for all SQL queries and a notable number of nonce checks (27), significant concerns arise from its extensive attack surface. A substantial 27 out of 28 entry points, including all AJAX handlers and REST API routes, lack proper authentication or permission checks. This indicates a high potential for unauthorized access and manipulation of plugin functionalities by unauthenticated users.

The taint analysis shows three flows with unsanitized paths, although none are classified as critical or high severity. This suggests potential for localized issues, though the exposure is limited by the absence of raw SQL queries. The plugin's vulnerability history includes one medium-severity CVE related to Cross-site Scripting, last patched in late 2021. This historical pattern, combined with the current lack of proper authorization on numerous entry points, suggests a recurring need for careful attention to input sanitization and authorization mechanisms.

In conclusion, the plugin has strengths in its SQL handling and nonce implementation. However, the overwhelming number of unprotected entry points represents a critical security weakness. While taint analysis doesn't reveal immediate critical flaws, the historical vulnerability and the current unprotected endpoints necessitate caution. Further investigation into the specific nature of the unsanitized paths and the impact of unprotected AJAX/REST endpoints would be highly beneficial.

Key Concerns

  • AJAX handlers without auth checks
  • REST API routes without permission callbacks
  • Flows with unsanitized paths
  • Medium severity CVE in history
  • Unescaped output present
Vulnerabilities
1

Buttonizer – Floating Menus, Sticky Buttons, & Popup Builder Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE

Severity Breakdown

  • Medium: 1

1 total CVE

CVE-2021-24992 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Buttonizer - Smart Floating Action Button <= 2.5.4 - Admin+ Stored Cross-Site Scripting

Nov 29, 2021 Patched in 2.5.5 (785d)
Code Analysis
Analyzed Mar 16, 2026

Buttonizer – Floating Menus, Sticky Buttons, & Popup Builder Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 8 (14 escaped)
  • Nonce Checks: 27
  • Capability Checks: 4
  • File Operations: 2
  • External Requests: 1
  • Bundled Libraries: 1

Bundled Libraries

  • Freemius 1.0

Output Escaping

64% escaped · 22 total outputs

Data Flows
3 unsanitized

Data Flow Analysis

4 flows · 3 with unsanitized paths
get (app\Legacy\Api\Buttons\ApiButtons.php:81)
Attack Surface
27 unprotected

Buttonizer – Floating Menus, Sticky Buttons, & Popup Builder Attack Surface

Entry Points: 28
Unprotected: 27

AJAX Handlers 2

  • auth: wp_ajax_buttonizer (app\Legacy\Frontend\Ajax.php:31)
  • nopriv: wp_ajax_buttonizer (app\Legacy\Frontend\Ajax.php:32)

REST API Routes 25

  • GET /wp-json/buttonizer/analytics/overview (app\Api\Analytics\Overview.php:32)
  • GET /wp-json/buttonizer/connect (app\Api\Connection\Connect.php:35)
  • GET /wp-json/buttonizer/disconnect (app\Api\Connection\Disconnect.php:37)
  • GET /wp-json/buttonizer/editor_start_session (app\Api\Connection\StartEditorSession.php:33)
  • GET /wp-json/buttonizer/sync (app\Api\Connection\Sync.php:34)
  • GET /wp-json/buttonizer/migrate (app\Api\Settings\MigrateToStandalone.php:34)
  • GET /wp-json/buttonizer/settings (app\Api\Settings\UpdateSettings.php:33)
  • GET /wp-json/buttonizer/delete_legacy_backup (app\Api\Utils\DeleteLegacyBackup.php:33)
  • GET /wp-json/buttonizer/revert_legacy (app\Api\Utils\RevertToLegacy.php:33)
  • GET /wp-json/buttonizer/buttons (app\Legacy\Api\Buttons\ApiButtons.php:33)
  • GET /wp-json/buttonizer/dashboard (app\Legacy\Api\Dashboard\ApiDashboard.php:30)
  • GET /wp-json/buttonizer/page_rules (app\Legacy\Api\PageRules\ApiPageRules.php:17)
  • GET /wp-json/buttonizer/page_rules/blogs (app\Legacy\Api\PageRules\WordPressData\ApiBlogs.php:28)
  • GET /wp-json/buttonizer/page_rules/categories (app\Legacy\Api\PageRules\WordPressData\ApiCategories.php:28)
  • GET /wp-json/buttonizer/page_rules/debug (app\Legacy\Api\PageRules\WordPressData\ApiDebug.php:30)
  • GET /wp-json/buttonizer/page_rules/pages (app\Legacy\Api\PageRules\WordPressData\ApiPages.php:31)
  • GET /wp-json/buttonizer/page_rules/roles (app\Legacy\Api\PageRules\WordPressData\ApiRoles.php:31)
  • GET /wp-json/buttonizer/settings (app\Legacy\Api\Settings\ApiSettings.php:31)
  • GET /wp-json/buttonizer/time_schedules (app\Legacy\Api\TimeSchedules\ApiTimeSchedules.php:28)
  • GET /wp-json/buttonizer/import_migrate (app\Legacy\Api\Utils\ApiImportMigrate.php:32)
  • GET /wp-json/buttonizer/optin (app\Legacy\Api\Utils\ApiOptin.php:31)
  • GET /wp-json/buttonizer/publish (app\Legacy\Api\Utils\ApiPublish.php:31)
  • GET /wp-json/buttonizer/reset (app\Legacy\Api\Utils\ApiReset.php:31)
  • GET /wp-json/buttonizer/revert (app\Legacy\Api\Utils\ApiRevert.php:31)
  • GET /wp-json/buttonizer/wordpress/custom_css (app\Legacy\Api\Wordpress\ApiCustomCss.php:28)

Shortcodes 1

  • [buttonizer] (init.php:207)

WordPress Hooks 24

  • action: admin_menu (app\Admin\Admin.php:36)
  • action: admin_enqueue_scripts (app\Admin\Admin.php:39)
  • filter: script_loader_tag (app\Admin\Admin.php:42)
  • action: admin_notices (app\Admin\Admin.php:56)
  • action: admin_init (app\Legacy\Admin\Admin.php:30)
  • action: admin_enqueue_scripts (app\Legacy\Admin\Admin.php:32)
  • action: admin_menu (app\Legacy\Admin\Admin.php:34)
  • filter: show_admin_bar (app\Legacy\Admin\Admin.php:141)
  • action: wp_enqueue_scripts (app\Legacy\Frontend\Ajax.php:30)
  • filter: style_loader_tag (app\Legacy\Frontend\Ajax.php:33)
  • action: upgrader_process_complete (app\Legacy\Utils\Maintain.php:32)
  • action: admin_bar_menu (app\Legacy\Utils\Maintain.php:34)
  • action: template_redirect (init.php:108)
  • action: wp_enqueue_scripts (init.php:113)
  • action: wp_head (init.php:130)
  • action: wp_footer (init.php:162)
  • action: init (init.php:210)
  • action: admin_bar_menu (init.php:213)
  • action: rest_api_init (init.php:220)
  • action: rest_api_init (legacy.php:43)
  • filter: connect_message (legacy.php:79)
  • filter: support_forum_url (legacy.php:83)
  • filter: plugin_icon (legacy.php:88)
  • action: init (legacy.php:93)

Maintenance & Trust

Buttonizer – Floating Menus, Sticky Buttons, & Popup Builder Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 28, 2026
  • PHP min version: 7.0
  • Downloads: 2.2M

Community Trust

  • Rating: 90/100
  • Number of ratings: 146
  • Active installs: 80K

Developer Profile

Buttonizer – Floating Menus, Sticky Buttons, & Popup Builder Developer Profile

Buttonizer

3 plugins · 190K total installs

  • Trust score: 78
  • Avg Security Score: 99/100
  • Avg Patch Time: 155 days
Detection Fingerprints

How We Detect Buttonizer – Floating Menus, Sticky Buttons, & Popup Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/buttonizer-multifunctional-button/assets/app/index.html
  • /wp-content/plugins/buttonizer-multifunctional-button/assets/app/common.js
  • /wp-content/plugins/buttonizer-multifunctional-button/assets/app/app.js
Script Paths
  • /wp-content/plugins/buttonizer-multifunctional-button/assets/app/index.html
  • /wp-content/plugins/buttonizer-multifunctional-button/assets/app/common.js
  • /wp-content/plugins/buttonizer-multifunctional-button/assets/app/app.js
Version Parameters
  • buttonizer-multifunctional-button/style.css?ver=
  • buttonizer_admin_js?ver=

HTML / DOM Fingerprints

CSS Classes
buttonizer-button
HTML Comments
  • WELCOME TO THE BUTTONIZER SOURCE CODE!
  • No script kiddies please!
Data Attributes
data-buttonizer-id
JS Globals
buttonizer_admin
REST Endpoints
/wp-json/buttonizer
Shortcode Output
[buttonizer]
FAQ

Frequently Asked Questions about Buttonizer – Floating Menus, Sticky Buttons, & Popup Builder