WordPress and the WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The WordPress plugin is an application plugin. The WordPress Custom TinyMCE Shortcode Buttons plugin, version 1.1 and earlier, contains a cross-site scripting vulnerability: the PHP_SELF variable is not sanitized and escaped before it is output back in an attribute on the admin page. An attacker can use this vulnerability to execute JavaScript code on the client side.
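The PHP_SELF flaw described above, shown as an added example that is not the plugin's own code: the unescaped pattern beside the escaped one. The function names, the form `action` attribute as the sink, and the sample request path are assumptions made for illustration.

```php
<?php
// Added illustration, not code from the plugin. Function names are hypothetical.

// Unsafe pattern: PHP_SELF contains any extra path info the client appends
// after the script name, so it is request-controlled. Written raw into an
// attribute, a double quote in it ends the attribute value early.
function render_form_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Hardened pattern: escape for the HTML attribute context at output time.
// Inside WordPress the usual helpers are esc_url() or esc_attr();
// htmlspecialchars() is used here so the file runs without WordPress loaded.
function render_form_safe(array $server): string
{
    $action = htmlspecialchars(
        $server['PHP_SELF'],
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<form method="post" action="' . $action . '">';
}

// Constructed sample value (assumption): a harmless marker element appended
// as path info, standing in for whatever markup a request could carry.
$server = ['PHP_SELF' => '/wp-admin/options-general.php/"><i>marker</i>'];

$unsafe = render_form_unsafe($server);
$safe   = render_form_safe($server);

echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;

// Simple check a reviewer can reuse: after escaping, the marker must not
// survive as live markup inside the rendered tag.
echo "marker rendered as markup (unsafe): ",
    var_export(strpos($unsafe, '<i>') !== false, true), PHP_EOL;
echo "marker rendered as markup (safe):   ",
    var_export(strpos($safe, '<i>') !== false, true), PHP_EOL;
```

When auditing a plugin for this class of bug, search for `PHP_SELF` and `REQUEST_URI` reaching `echo` or `printf` without an escaping call on the same expression.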