A vulnerability was found in newbiesup WP Random Button Plugin up to 1.0 on WordPress. It has been declared as problematic . This affects the function random_button_html of the component Shortcode Handler . Executing a manipulation of the argument nocat can lead to cross site scripting. This vulnerability appears as CVE-2026-4086 . The attack may be performed from remote. There is no available exploit. It is recommended to upgrade the affected component.