cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forbread-butter bread-butter

Direction: ascending
Nov 11, 2024

Bread & Butter: real lead capture, gated content & newsletter opt-ins # CVE-2024-51802

CVE, Research URL

CVE-2024-51802

Home page URL

Security reports for Bread & Butter: real lead capture, gated content & newsletter opt-ins

Application

Bread & Butter: real lead capture, gated content & newsletter opt-ins

Date
Nov 19, 2024
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bread & Butter IO Inc. Bread & Butter allows DOM-Based XSS.This issue affects Bread & Butter: from n/a through 7.4.857.
Affected versions
max 7.5.880.
Status
vulnerable
Dec 11, 2025

Bread & Butter: real lead capture, gated content & newsletter opt-ins # CVE-2025-12189

CVE, Research URL

CVE-2025-12189

Home page URL

Security reports for Bread & Butter: real lead capture, gated content & newsletter opt-ins

Application

Bread & Butter: real lead capture, gated content & newsletter opt-ins

Date
Dec 05, 2025
Research Description
The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 7.10.1321.
Status
vulnerable
Apr 23, 2026

Bread & Butter: real lead capture, gated content & newsletter opt-ins # CVE-2026-4279

CVE, Research URL

CVE-2026-4279

Home page URL

Security reports for Bread & Butter: real lead capture, gated content & newsletter opt-ins

Application

Bread & Butter: real lead capture, gated content & newsletter opt-ins

Date
Apr 22, 2026
Research Description
The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode in all versions up to, and including, 8.2.0.25. This is due to insufficient input sanitization and output escaping on the 'event' shortcode attribute. The customEventShortCodeButton() function takes the 'event' attribute value and directly interpolates it into a JavaScript string within an onclick HTML attribute without applying esc_attr() or esc_js(). Notably, the sister function customEventShortCode() properly uses esc_js() for the same attribute, but this was omitted in the button variant. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the page and clicks the injected button.
Affected versions
max 8.2.0.25.
Status
vulnerable