Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
[junkie-button url="http://example.com" style="grey" size="small" type="round" target='" onmouseover="alert(/XSS/)"'] Button Text[/junkie-button]