CVE-2024-50414 in Button contact VR Plugin
Summary
by MITRE • 10/29/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Buttonizer Button contact VR button-contact-vr allows Stored XSS.This issue affects Button contact VR: from n/a through <= 4.7.9.1.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/07/2026
The vulnerability identified as CVE-2024-50414 represents a critical cross-site scripting flaw that specifically targets the Buttonizer Button contact VR plugin for WordPress. This weakness falls under the category of improper input neutralization during web page generation, creating an avenue for malicious actors to inject persistent script code into web pages viewed by other users. The vulnerability is classified as a stored XSS vulnerability, meaning that the malicious payload is permanently stored on the server and executed whenever affected pages are accessed, rather than being transmitted through a single request.
The technical implementation of this vulnerability stems from insufficient sanitization and validation of user-supplied input within the plugin's contact form processing functionality. When users submit data through the VR button contact forms, the plugin fails to properly escape or encode special characters that could be interpreted as HTML or JavaScript code. This inadequate input handling creates a persistent vector where attackers can embed malicious scripts that will execute in the context of other users' browsers. The vulnerability affects all versions of the Button contact VR plugin from version n/a through and including version 4.7.9.1, indicating a widespread exposure across a significant portion of the plugin's user base. This exposure level suggests that the flaw has been present for an extended period, potentially allowing for prolonged exploitation without detection.
The operational impact of this vulnerability extends beyond simple data theft or defacement, as it provides attackers with the capability to execute arbitrary code within the browser context of authenticated users. This could enable session hijacking, credential theft, redirection to malicious sites, or the execution of additional attacks through the compromised user's privileges. The stored nature of the vulnerability means that once exploited, the malicious code remains persistent and will affect any user who accesses the affected pages, potentially compromising a large number of users simultaneously. The attack surface is particularly concerning given that this is a WordPress plugin vulnerability, which typically serves as a gateway for broader compromise of WordPress installations, potentially allowing attackers to escalate privileges or access sensitive administrative functions.
Security mitigation for this vulnerability requires immediate patching of the affected plugin to version 4.7.9.2 or later, which should include proper input sanitization and output encoding mechanisms. Organizations should implement comprehensive input validation that filters or escapes potentially dangerous characters including angle brackets, quotes, and script tags. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications, and represents a classic example of how insufficient input validation leads to persistent script execution. From an attack framework perspective, this vulnerability would be categorized under ATT&CK technique T1566.001 for initial access through spearphishing attachments and potentially T1071.001 for application layer protocol usage. Network administrators should also consider implementing web application firewalls with XSS detection capabilities and monitor for suspicious user activity or unexpected script injections in the affected plugin's data handling processes.