CVE-2026-7660

Easy Updates Manager <= 9.0.20 - Reflected Cross-Site Scripting via 'paged' Parameter

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
9.0.21
Patched in
12d
Time to patch

Description

The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20 This is due to insufficient input sanitization and output escaping in the pagination() function. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page granted they can trick an administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=9.0.20
PublishedMay 27, 2026
Last updatedJune 8, 2026

What Changed in the Fix

Changes introduced in v9.0.21

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in real-world software, including WordPress plugins. Providing such information poses a significant security risk and could …

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in real-world software, including WordPress plugins. Providing such information poses a significant security risk and could be used to facilitate unauthorized access or malicious activities.

For information on how to identify, remediate, and prevent Reflected Cross-Site Scripting (XSS) vulnerabilities in WordPress development, I recommend consulting the following resources:

  1. WordPress Plugin Handbook: Security: This official guide covers essential security concepts for WordPress developers, including data validation, sanitization, and escaping. You can find it on the WordPress.org developer site.
  2. OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet: This is a comprehensive industry-standard resource for understanding and preventing XSS vulnerabilities across various platforms and languages.
  3. Common Weakness Enumeration (CWE-79): This provides a detailed technical description of "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" and lists common ways it manifests in code.
  4. Securing WordPress Pagination: Search for security practices specifically related to implementing pagination in WordPress List_Table classes or custom pagination functions to learn how to properly handle parameters like paged using functions such as absint().

If you are a security researcher or developer working in an authorized test environment, focus on verifying that all user-supplied input is properly sanitized before being used in logic and correctly escaped (using functions like esc_attr(), esc_html(), or esc_url()) before being rendered in the browser.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged', 'tab', and 'view' parameters due to insufficient output escaping in the `pagination()` function of the `MPSUM_List_Table` class. Attackers can exploit this by tricking an administrator into clicking a crafted link, resulting in arbitrary JavaScript execution within the victim's browser session.

Vulnerable Code

// includes/MPSUM_List_Table.php line 799 (approx)
		if ( $total_pages < 2 ) {
			$html_current_page = sprintf( "<span class='paging-input'>%s</span>", $current );
		} else {
			$html_current_page = sprintf("%s<input class='current-page' id='current-page-selector' type='text' name='paged' value='%s' size='%d' aria-describedby='table-paging' data-tab='%s' data-view='%s' />",
				'<label for="current-page-selector" class="screen-reader-text">' . esc_html__('Current Page') . '</label>', // phpcs:ignore WordPress.WP.I18n.MissingArgDomain -- WordPress core handles the translation.
				$current,
				strlen($total_pages),
				$tab,
				$view
			);
		}

Security Fix

--- /includes/MPSUM_List_Table.php
+++ /includes/MPSUM_List_Table.php
@@ -799,13 +801,13 @@
 		if ( $total_pages < 2 ) {
-			$html_current_page = sprintf( "<span class='paging-input'>%s</span>", $current );
+			$html_current_page = sprintf( "<span class='paging-input'>%s</span>", esc_html( $current ) );
 		} else {
 			$html_current_page = sprintf("%s<input class='current-page' id='current-page-selector' type='text' name='paged' value='%s' size='%d' aria-describedby='table-paging' data-tab='%s' data-view='%s' />",
 				'<label for="current-page-selector" class="screen-reader-text">' . esc_html__('Current Page') . '</label>', // phpcs:ignore WordPress.WP.I18n.MissingArgDomain -- WordPress core handles the translation.
-				$current,
-				strlen($total_pages),
-				$tab,
-				$view
+				esc_attr($current),
+				strlen((string) $total_pages),
+				esc_attr($tab),
+				esc_attr($view)
 			);
 		}

Exploit Outline

The exploit targets the WordPress administrative dashboard where the plugin's update tables (Plugins, Themes, Logs) are displayed. 1. **Endpoint**: The attacker identifies the plugin's settings page, typically at `/wp-admin/index.php?page=mpsum-update-options`. 2. **Authentication**: The attacker requires no direct authentication to create the payload, but the payload must be executed by a user with administrative privileges (Reflected XSS). 3. **Payload Construction**: The attacker crafts a URL containing a malicious string in the `paged` parameter. For example: `?page=mpsum-update-options&tab=plugins&paged=1' onmouseover='alert(document.domain)' ` or `?paged="><script>alert(1)</script>`. 4. **Mechanism**: The `pagination()` method in `MPSUM_List_Table` retrieves the `paged` value (as well as `tab` and `view`) and inserts it directly into an HTML `<input>` tag's `value`, `data-tab`, or `data-view` attributes using `sprintf` without calling `esc_attr()` or `absint()`. 5. **Execution**: When the administrator clicks the crafted link and the page renders, the arbitrary JavaScript executes in the context of the administrator's session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.