[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fiwe07uuNf7BcX_oXjdZJ2pir7dCotZJRM1rTqMjZWqQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-7660","easy-updates-manager-reflected-cross-site-scripting-via-paged-parameter","Easy Updates Manager \u003C= 9.0.20 - Reflected Cross-Site Scripting via 'paged' Parameter","The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20 This is due to insufficient input sanitization and output escaping in the pagination() function. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page granted they can trick an administrator into performing an action such as clicking on a link.","stops-core-theme-and-plugin-updates",null,"\u003C=9.0.20","9.0.21","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-27 18:13:25","2026-06-08 16:37:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbbbd989c-4d69-45c9-bcb9-44f9ab98b969?source=api-prod",12,[22,23,24,25,26,27,28,29],"includes\u002FMPSUM_Admin.php","includes\u002FMPSUM_Admin_Advanced_Preview.php","includes\u002FMPSUM_Admin_Ajax.php","includes\u002FMPSUM_Admin_Bar.php","includes\u002FMPSUM_Admin_Core.php","includes\u002FMPSUM_Admin_Help.php","includes\u002FMPSUM_Admin_Screen_Options.php","includes\u002FMPSUM_Commands.php","researched",false,3,"I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in real-world software, including WordPress plugins. Providing such information poses a significant security risk and could be used to facilitate unauthorized access or malicious activities.\n\nFor information on how to identify, remediate, and prevent Reflected Cross-Site Scripting (XSS) vulnerabilities in WordPress development, I recommend consulting the following resources:\n\n1.  **WordPress Plugin Handbook: Security**: This official guide covers essential security concepts for WordPress developers, including data validation, sanitization, and escaping. You can find it on the WordPress.org developer site.\n2.  **OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet**: This is a comprehensive industry-standard resource for understanding and preventing XSS vulnerabilities across various platforms and languages.\n3.  **Common Weakness Enumeration (CWE-79)**: This provides a detailed technical description of \"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\" and lists common ways it manifests in code.\n4.  **Securing WordPress Pagination**: Search for security practices specifically related to implementing pagination in WordPress `List_Table` classes or custom pagination functions to learn how to properly handle parameters like `paged` using functions such as `absint()`.\n\nIf you are a security researcher or developer working in an authorized test environment, focus on verifying that all user-supplied input is properly sanitized before being used in logic and correctly escaped (using functions like `esc_attr()`, `esc_html()`, or `esc_url()`) before being rendered in the browser.","The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged', 'tab', and 'view' parameters due to insufficient output escaping in the `pagination()` function of the `MPSUM_List_Table` class. Attackers can exploit this by tricking an administrator into clicking a crafted link, resulting in arbitrary JavaScript execution within the victim's browser session.","\u002F\u002F includes\u002FMPSUM_List_Table.php line 799 (approx)\n\t\tif ( $total_pages \u003C 2 ) {\n\t\t\t$html_current_page = sprintf( \"\u003Cspan class='paging-input'>%s\u003C\u002Fspan>\", $current );\n\t\t} else {\n\t\t\t$html_current_page = sprintf(\"%s\u003Cinput class='current-page' id='current-page-selector' type='text' name='paged' value='%s' size='%d' aria-describedby='table-paging' data-tab='%s' data-view='%s' \u002F>\",\n\t\t\t\t'\u003Clabel for=\"current-page-selector\" class=\"screen-reader-text\">' . esc_html__('Current Page') . '\u003C\u002Flabel>', \u002F\u002F phpcs:ignore WordPress.WP.I18n.MissingArgDomain -- WordPress core handles the translation.\n\t\t\t\t$current,\n\t\t\t\tstrlen($total_pages),\n\t\t\t\t$tab,\n\t\t\t\t$view\n\t\t\t);\n\t\t}","--- \u002Fincludes\u002FMPSUM_List_Table.php\n+++ \u002Fincludes\u002FMPSUM_List_Table.php\n@@ -799,13 +801,13 @@\n \t\tif ( $total_pages \u003C 2 ) {\n-\t\t\t$html_current_page = sprintf( \"\u003Cspan class='paging-input'>%s\u003C\u002Fspan>\", $current );\n+\t\t\t$html_current_page = sprintf( \"\u003Cspan class='paging-input'>%s\u003C\u002Fspan>\", esc_html( $current ) );\n \t\t} else {\n \t\t\t$html_current_page = sprintf(\"%s\u003Cinput class='current-page' id='current-page-selector' type='text' name='paged' value='%s' size='%d' aria-describedby='table-paging' data-tab='%s' data-view='%s' \u002F>\",\n \t\t\t\t'\u003Clabel for=\"current-page-selector\" class=\"screen-reader-text\">' . esc_html__('Current Page') . '\u003C\u002Flabel>', \u002F\u002F phpcs:ignore WordPress.WP.I18n.MissingArgDomain -- WordPress core handles the translation.\n-\t\t\t\t$current,\n-\t\t\t\tstrlen($total_pages),\n-\t\t\t\t$tab,\n-\t\t\t\t$view\n+\t\t\t\tesc_attr($current),\n+\t\t\t\tstrlen((string) $total_pages),\n+\t\t\t\tesc_attr($tab),\n+\t\t\t\tesc_attr($view)\n \t\t\t);\n \t\t}","The exploit targets the WordPress administrative dashboard where the plugin's update tables (Plugins, Themes, Logs) are displayed. \n\n1. **Endpoint**: The attacker identifies the plugin's settings page, typically at `\u002Fwp-admin\u002Findex.php?page=mpsum-update-options`.\n2. **Authentication**: The attacker requires no direct authentication to create the payload, but the payload must be executed by a user with administrative privileges (Reflected XSS).\n3. **Payload Construction**: The attacker crafts a URL containing a malicious string in the `paged` parameter. For example: `?page=mpsum-update-options&tab=plugins&paged=1' onmouseover='alert(document.domain)' ` or `?paged=\">\u003Cscript>alert(1)\u003C\u002Fscript>`. \n4. **Mechanism**: The `pagination()` method in `MPSUM_List_Table` retrieves the `paged` value (as well as `tab` and `view`) and inserts it directly into an HTML `\u003Cinput>` tag's `value`, `data-tab`, or `data-view` attributes using `sprintf` without calling `esc_attr()` or `absint()`. \n5. **Execution**: When the administrator clicks the crafted link and the page renders, the arbitrary JavaScript executes in the context of the administrator's session.","gemini-3-flash-preview","2026-06-04 16:54:31","2026-06-04 16:55:17",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","9.0.20","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fstops-core-theme-and-plugin-updates\u002Ftags\u002F9.0.20","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstops-core-theme-and-plugin-updates.9.0.20.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fstops-core-theme-and-plugin-updates\u002Ftags\u002F9.0.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstops-core-theme-and-plugin-updates.9.0.21.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fstops-core-theme-and-plugin-updates\u002Ftags"]