Versions of the Smart Floating / Sticky Buttons WordPress plugin before 2.5.5 had a security flaw that could allow users with high-level privileges to carry out Cross-Site Scripting attacks even when a setting that prevents such attacks was turned on. The cause was that some parameters were not properly sanitized and escaped before they were displayed.
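The following is an added illustration of this bug class and its fix, not code from the Smart Floating / Sticky Buttons plugin: a minimal WordPress plugin that sanitizes its settings on save and escapes them on output. The option name, field names and `efb_` prefix are hypothetical, and the code assumes it is loaded by WordPress as a plugin file.

```php
<?php
/**
 * Plugin Name: Example Floating Button (hypothetical illustration)
 */

// Hypothetical option name and fields; not the real plugin's identifiers.
const EFB_OPTION = 'efb_button_settings';

add_action( 'admin_init', function () {
    // Sanitize on save: every field is normalized to the type it should hold.
    register_setting( 'efb_settings_group', EFB_OPTION, array(
        'type'              => 'array',
        'sanitize_callback' => 'efb_sanitize_settings',
    ) );
} );

function efb_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $color = sanitize_hex_color( $input['color'] ?? '' );
    return array(
        'label' => sanitize_text_field( $input['label'] ?? '' ),
        'url'   => esc_url_raw( $input['url'] ?? '' ),
        'color' => $color ? $color : '#000000', // fall back when the value is not a hex color
    );
}

add_action( 'wp_footer', function () {
    $s = wp_parse_args( (array) get_option( EFB_OPTION, array() ), array(
        'label' => '',
        'url'   => '',
        'color' => '#000000',
    ) );

    // Vulnerable pattern (left as a comment): stored values echoed raw, so any
    // markup saved in a setting is rendered as HTML on every page.
    // echo '<a href="' . $s['url'] . '" style="background:' . $s['color'] . '">' . $s['label'] . '</a>';

    // Hardened pattern: escape each value for the context it lands in.
    printf(
        '<a class="efb-button" href="%s" style="background:%s">%s</a>',
        esc_url( $s['url'] ),     // URL attribute context
        esc_attr( $s['color'] ),  // generic attribute context
        esc_html( $s['label'] )   // element text context
    );
} );
```

Escaping at output holds regardless of which role saved the value, so it does not depend on any site-level restriction on what privileged users may store.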