MaxButtons – Create buttons Security & Risk Analysis

wordpress.org/plugins/maxbuttons

Maxbuttons is the best and easiest button plugin for WordPress. Within minutes you can create beautiful buttons, share buttons and social icons.

70K active installs v9.8.5 PHP 7.0+ WP 5.0+ Updated Sep 15, 2025
Tags: butotn-creator, css-wordpress-button, css3-button-generator, responsive-buttons, share-button
Score: 96 (A · Safe)
CVEs total: 13
Unpatched: 0
Last CVE: Apr 17, 2025
Safety Verdict

Is MaxButtons – Create buttons Safe to Use in 2026?

Generally Safe

Score 96/100

MaxButtons – Create buttons has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

13 known CVEs · Last CVE: Apr 17, 2025 · Updated 8mo ago
Risk Assessment

The maxbuttons plugin v9.8.5 exhibits a mixed security posture. While it demonstrates good practices in areas like SQL query preparedness (92% prepared statements) and has a notable number of nonce and capability checks (7 and 3 respectively), significant concerns arise from its attack surface. A substantial portion of its entry points, specifically 4 out of 6, are unprotected, including all 4 AJAX handlers. This lack of authorization on AJAX endpoints presents a direct risk of unauthorized actions. The taint analysis also reveals 2 high-severity flows with unsanitized paths, which could lead to critical security issues if exploited. The plugin's vulnerability history, with 13 known CVEs, predominantly in medium severity but including one high, suggests a recurring pattern of security weaknesses. While there are no currently unpatched CVEs, the sheer number of past vulnerabilities, particularly those related to information exposure, XSS, and CSRF, indicates a need for continuous vigilance and more robust secure coding practices to prevent future occurrences. The presence of bundled libraries like TinyMCE could also introduce risks if not kept up-to-date, although no specific issues are detailed here. Overall, while the plugin has strengths in certain areas, the unprotected attack surface and historical vulnerability trends necessitate careful management and prompt updates.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows (2)
  • 24% proper output escaping
  • 1 high severity CVE in history
  • 12 medium severity CVEs in history
Vulnerabilities
13 published

MaxButtons – Create buttons Security Vulnerabilities

CVEs by Year

  • 2014: 1 CVE
  • 2017: 1 CVE
  • 2022: 3 CVEs
  • 2023: 1 CVE
  • 2024: 6 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 12

13 total CVEs

CVE-2025-39444 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MaxButtons <= 9.8.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 17, 2025 Patched in 9.8.4 (7d)

CVE-2024-10555 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Button Plugin MaxButtons <= 9.8.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Button Width

Nov 29, 2024 Patched in 9.8.1 (25d)

CVE-2024-8968 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Button Plugin MaxButtons <= 9.8.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Text Color

Nov 29, 2024 Patched in 9.8.1 (25d)

CVE-2024-6499 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

WordPress Button Plugin MaxButtons <= 9.7.8 - Full Path Disclosure

Aug 23, 2024 Patched in 9.8.0 (1d)

CVE-2024-3026 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Button Plugin MaxButtons <= 9.7.7 - Authenticated (Editor+) Stored Cross-Site Scripting

Jun 22, 2024 Patched in 9.7.8 (19d)

CVE-2023-7029 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Button Plugin MaxButtons <= 9.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Jan 23, 2024 Patched in 9.7.7 (189d)

CVE-2023-6594 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Button Plugin MaxButtons <= 9.7.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jan 8, 2024 Patched in 9.7.6 (204d)

CVE-2023-36503 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MaxButtons <= 9.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jun 23, 2023 Patched in 9.6 (214d)

CVE-2022-36346 · high · 8.8 · Cross-Site Request Forgery (CSRF)

WordPress Button Plugin MaxButtons <= 9.2 - Cross-Site Request Forgery

Aug 2, 2022 Patched in 9.3 (539d)

CVE-2022-38703 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MaxButtons <= 9.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Aug 2, 2022 Patched in 9.3 (539d)

WF-41f6e826-9326-40fa-80d0-4cff1dd72536-maxbuttons · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Button Plugin MaxButtons <= 9.2 - Shortcode-Based Cross-Site Scripting

Jul 29, 2022 Patched in 9.3 (543d)

CVE-2017-2169 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MaxButtons <= 6.18 - Cross-Site Scripting

May 16, 2017 Patched in 6.19 (2443d)

CVE-2014-7181 · medium · 4.3 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MaxButtons < 1.26.1 - Reflected Cross-Site Scripting

Sep 24, 2014 Patched in 1.26.1 (3608d)

Code Analysis
Analyzed Mar 16, 2026

MaxButtons – Create buttons Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 2 (24 prepared)
  • Unescaped Output: 239 (75 escaped)
  • Nonce Checks: 7
  • Capability Checks: 3
  • File Operations: 7
  • External Requests: 2
  • Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

92% prepared · 26 total queries

Output Escaping

24% escaped · 314 total outputs
Data Flows · Security
7 unsanitized

Data Flow Analysis

11 flows · 7 with unsanitized paths
updateButton (classes\controllers\editorController.php:132)
Attack Surface
4 unprotected

MaxButtons – Create buttons Attack Surface

Entry Points: 6
Unprotected: 4

AJAX Handlers 4

auth wp_ajax_mb_button_action classes\maxbuttons-class.php:140
auth wp_ajax_maxajax classes\maxbuttons-class.php:142
auth wp_ajax_maxbuttons_front_css classes\maxbuttons-class.php:154
nopriv wp_ajax_maxbuttons_front_css classes\maxbuttons-class.php:155

Shortcodes 2

[maxbutton] classes\maxbuttons-class.php:106
[maxcollection] classes\maxbuttons-class.php:167
WordPress Hooks 40
filter mb/button/rawcss blocks\advanced.php:25
filter wp_link_query_args classes\controllers\editorController.php:17
filter wp_link_query classes\controllers\editorController.php:18
action plugins_loaded classes\integrations.php:14
filter admin_footer classes\max-utils.php:421
action wp_footer classes\max-utils.php:423
action mb-display-logo classes\maxbuttons-admin-helper.php:14
action mb-display-title classes\maxbuttons-admin-helper.php:15
action mb-display-tabs classes\maxbuttons-admin-helper.php:16
action mb-display-ads classes\maxbuttons-admin-helper.php:17
action mb-display-pagination classes\maxbuttons-admin-helper.php:18
action mb-display-collection-welcome classes\maxbuttons-admin-helper.php:19
action admin_notices classes\maxbuttons-admin-helper.php:131
action plugins_loaded classes\maxbuttons-class.php:103
filter widget_text classes\maxbuttons-class.php:105
action mb-footer classes\maxbuttons-class.php:108
action wp_footer classes\maxbuttons-class.php:109
filter plugin_action_links classes\maxbuttons-class.php:111
filter plugin_row_meta classes\maxbuttons-class.php:112
action admin_enqueue_scripts classes\maxbuttons-class.php:117
action admin_enqueue_scripts classes\maxbuttons-class.php:118
action admin_init classes\maxbuttons-class.php:120
action admin_init classes\maxbuttons-class.php:122
action admin_init classes\maxbuttons-class.php:123
action admin_menu classes\maxbuttons-class.php:125
action admin_footer classes\maxbuttons-class.php:126
filter admin_footer_text classes\maxbuttons-class.php:127
action mb/editor/display_notices classes\maxbuttons-class.php:130
action mb/collection/display_notices classes\maxbuttons-class.php:131
action mb/header/display_notices classes\maxbuttons-class.php:132
action maxbuttons/ajax/getAjaxButtons classes\maxbuttons-class.php:135
action maxbuttons/ajax/mediaShortcodeOptions classes\maxbuttons-class.php:136
action maxbuttons/ajax/save_review_notice_status classes\maxbuttons-class.php:137
action admin_init classes\maxbuttons-class.php:144
action wp_enqueue_scripts classes\maxbuttons-class.php:158
action media_buttons classes\maxbuttons-class.php:697
filter mce_buttons classes\maxbuttons-class.php:699
filter mce_external_plugins classes\maxbuttons-class.php:700
action admin_notices maxbuttons.php:35
action admin_notices maxbuttons.php:50
Maintenance & Trust

MaxButtons – Create buttons Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Sep 15, 2025
  • PHP min version: 7.0
  • Downloads: 5.2M

Community Trust

  • Rating: 98/100
  • Number of ratings: 1,093
  • Active installs: 70K
Developer Profile

MaxButtons – Create buttons Developer Profile

maxfoundry

5 plugins · 103K total installs

  • Trust score: 75
  • Avg Security Score: 94/100
  • Avg Patch Time: 423 days
Detection Fingerprints

How We Detect MaxButtons – Create buttons

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/maxbuttons/classes/simplehtmldom/simplehtmldom_1.5/simple_html_dom.php
  • /wp-content/plugins/maxbuttons/classes/simplehtmldom/simplehtmldom_1.5/read.php
  • /wp-content/plugins/maxbuttons/classes/simplehtmldom/simplehtmldom_1.5/DOMNode.php
  • /wp-content/plugins/maxbuttons/classes/simplehtmldom/simplehtmldom_1.5/DOMDocument.php
  • /wp-content/plugins/maxbuttons/classes/simplehtmldom/simplehtmldom_1.5/DOMNodeList.php
  • /wp-content/plugins/maxbuttons/classes/simplehtmldom/simplehtmldom_1.5/UTF8.php
  • /wp-content/plugins/maxbuttons/classes/simplehtmldom/simplehtmldom_1.5/Inject.php
  • /wp-content/plugins/maxbuttons/classes/simple_template/simple_template.php
  • +5 more
Script Paths
  • /wp-content/plugins/maxbuttons/js/maxbuttons.js
  • /wp-content/plugins/maxbuttons/js/maxbuttons.admin.js
  • /wp-content/plugins/maxbuttons/js/maxbuttons.shortcode.js
  • /wp-content/plugins/maxbuttons/js/maxbuttons.editor.js
Version Parameters
  • maxbuttons/style.css?ver=
  • maxbuttons/js/maxbuttons.js?ver=
  • maxbuttons/js/maxbuttons.admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • maxbutton
  • mb-frontend-button
  • mb-shortcode-wrapper
HTML Comments
  • <!-- mb_shortcode_wrapper start -->
  • <!-- mb_shortcode_wrapper end -->
Data Attributes
  • data-mb-id
  • data-mb-icon
  • data-mb-icon-size
  • data-mb-icon-color
  • data-mb-icon-position
  • data-mb-target
JS Globals
  • MaxButtons
  • mb
REST Endpoints
  • /wp-json/maxbuttons/v1/button/
  • /wp-json/maxbuttons/v1/buttons/
Shortcode Output
<div class="mb-shortcode-wrapper"><a href="" class="maxbutton
FAQ

Frequently Asked Questions about MaxButtons – Create buttons