CVE-2023-3666: 
WordPress vulnerability analysis and mitigation

The Sticky Side Buttons WordPress plugin before version 2.0.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-3666. The vulnerability was discovered and publicly disclosed on September 3, 2025. The issue affects high-privilege users such as administrators in WordPress installations, particularly in multisite setups where the unfiltered_html capability is disallowed (WPScan, AttackerKB).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin. Specifically, the Button Text area in the admin panel can be exploited to execute stored XSS attacks. The vulnerability has been assigned a CVSS v3.1 base score of 3.5 (Low), with attack vector being Network-based, requiring high privileges, and no user interaction needed for exploitation (WPScan).

The vulnerability allows high-privilege users to perform Stored Cross-Site Scripting attacks in environments where the unfiltered_html capability is disabled. This is particularly significant in multisite WordPress installations where such restrictions are commonly implemented (WPScan).

The vulnerability has been patched in version 2.0.0 of the Sticky Side Buttons plugin. Users are advised to upgrade to this version or later to mitigate the security risk (WPScan).