[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$foCesV3Hymhkb6cjP8sjZUpC0Zj65s6S71KTGK9ufW-E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"source_links":35},"CVE-2026-4305","royal-wordpress-backup-restore-plugin-reflected-cross-site-scripting-via-wprpendingtemplate-parameter","Royal WordPress Backup & Restore Plugin \u003C= 1.0.16 - Reflected Cross-Site Scripting via 'wpr_pending_template' Parameter","The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpr_pending_template' parameter in all versions up to, and including, 1.0.16 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.","royal-backup-reset",null,"\u003C=1.0.16","1.0.17","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-09 12:23:20","2026-04-10 01:25:00",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff9e0c658-b37c-4780-9589-6def9e36539b?source=api-prod",1,[22,23],"readme.txt","royal-backup-reset.php","researched",false,3,"This research plan outlines the steps to verify the Reflected Cross-Site Scripting (XSS) vulnerability in the Royal WordPress Backup & Restore Plugin (CVE-2026-4305).\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Reflected Cross-Site Scripting (XSS)\n*   **Parameter:** `wpr_pending_template` (via `GET`)\n*   **Vulnerable Version:** \u003C= 1.0.16\n*   **Sink:** The plugin echoes the `wpr_pending_template` parameter directly into the HTML of an admin page (likely the plugin dashboard or a notice on the plugins page) without proper sanitization or escaping using functions like `esc_attr()` or `esc_html()`.\n*   **Context:** This vulnerability is triggered during the plugin's activation flow or when navigating the plugin's admin pages.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin.php?page=royal-backup-reset` or `\u002Fwp-admin\u002Fplugins.php`\n*   **Payload Parameter:** `wpr_pending_template`\n*   **Authentication:** Requires an Administrator to click a malicious link (Unauthenticated attacker, Administrator victim).\n*   **Preconditions:** The Royal WordPress Backup & Restore Plugin must be installed and active.\n\n### 3. Code Flow\n1.  The function `royalbr_maybe_skip_activation_redirect()` (in `royal-backup-reset.php`) is hooked to `fs_redirect_on_activation_royal-backup-reset`.\n2.  It checks for the presence of `$_GET['wpr_pending_template']`.\n3.  While this specific function only returns `false` to prevent a redirect, the logic that \"resumes\" the template edit flow (as described in the code comments) subsequently retrieves this parameter from the `$_GET` superglobal.\n4.  The value is then outputted to the page (the \"sink\") to either populate a JavaScript variable for redirection or to display a \"pending\" status message\u002Flink to the administrator.\n5.  Since the parameter is not passed through `esc_html`, `esc_attr`, or `esc_url` before output, arbitrary HTML\u002FJavaScript injected into the parameter is executed by the browser.\n\n### 4. Nonce Acquisition Strategy\nReflected XSS vulnerabilities in GET parameters typically do not require a nonce because the vulnerability lies in the **rendering** of the page, not in a state-changing action that requires CSRF protection. The security context is provided by the administrator's active session.\n*   **Bypass:** No nonce is required for this specific exploit.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate that an arbitrary script can be executed in the context of the WordPress admin.\n\n*   **Payload:** `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n*   **Target URL:** `http:\u002F\u002F[TARGET_IP]\u002Fwp-admin\u002Fadmin.php?page=royal-backup-reset&wpr_pending_template=%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E`\n\n**Step-by-Step:**\n1.  **Login:** Use `browser_navigate` to authenticate as an administrator.\n2.  **Navigation:** Navigate to the plugin dashboard with the malicious parameter appended to the URL.\n3.  **Observation:** Use `http_request` to capture the raw HTML and verify the payload is reflected unescaped.\n4.  **Verification:** Use `browser_eval` to check if the alert\u002Fscript was executed.\n\n### 6. Test Data Setup\n*   **User:** An administrator account (default: `admin` \u002F `password`).\n*   **Plugin:** Royal WordPress Backup & Restore Plugin (slug: `royal-backup-reset`) version 1.0.16 installed and activated.\n*   **Commands:**\n    ```bash\n    wp plugin install royal-backup-reset --version=1.0.16 --activate\n    ```\n\n### 7. Expected Results\n*   The HTTP response from the server should contain the raw string `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n*   When viewed in a browser, the script should execute, triggering an alert box or other observable JavaScript behavior.\n\n### 8. Verification Steps (Post-Exploit)\nSince this is a reflected XSS (non-persistent), there are no database changes to verify. Verification is done by checking the response body of the HTTP request:\n1.  Perform a GET request using `http_request`.\n2.  Search the response body for the specific string:\n    ```bash\n    # Conceptually:\n    grep \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" response_body.html\n    ```\n3.  Confirm that the reflection is not escaped (i.e., it is not `&lt;script&gt;`).\n\n### 9. Alternative Approaches\nIf the reflection does not occur on the `page=royal-backup-reset` dashboard, it may occur on the main `plugins.php` page if the plugin triggers a notice upon activation\u002Fresume:\n*   **Alternative URL:** `\u002Fwp-admin\u002Fplugins.php?wpr_pending_template=%22%3E%3Cscript%3Ealert(1)%3C\u002Fscript%3E`\n\nIf the sink is inside a JavaScript string (e.g., `var redirect = '...';`):\n*   **JS-Breakout Payload:** `';alert(1);\u002F\u002F`\n*   **Target URL:** `\u002Fwp-admin\u002Fadmin.php?page=royal-backup-reset&wpr_pending_template=%27%3Balert(1)%3B%2F%2F`","The Royal WordPress Backup & Restore Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpr_pending_template' GET parameter in versions up to 1.0.16. This occurs because the plugin fails to sanitize or escape the parameter before echoing it back into the administrative dashboard, allowing arbitrary script execution when an administrator clicks a malicious link.","\u002F\u002F royal-backup-reset\u002Froyal-backup-reset.php line 26\nadd_filter( 'fs_redirect_on_activation_royal-backup-reset', 'royalbr_maybe_skip_activation_redirect' );\n\n\u002F**\n * Conditionally prevents Freemius activation redirect during template edit flow.\n *\n * @since 1.0.0\n * @param bool $redirect Whether to redirect.\n * @return bool False to prevent redirect, original value otherwise.\n *\u002F\n\u002F\u002F royal-backup-reset\u002Froyal-backup-reset.php line 34\nfunction royalbr_maybe_skip_activation_redirect( $redirect ) {\n\t\u002F\u002F Check if we're returning from a template edit flow.\n\t\u002F\u002F The wpr_pending_template parameter now contains the edit URL (not just \"1\").\n\tif ( isset( $_GET['wpr_pending_template'] ) || get_transient( 'wpr_pending_template_edit' ) ) { \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended\n\t\treturn false; \u002F\u002F Prevent redirect.\n\t}\n\treturn $redirect;\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-backup-reset\u002F1.0.16\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-backup-reset\u002F1.0.17\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-backup-reset\u002F1.0.16\u002Freadme.txt\t2026-02-24 08:43:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-backup-reset\u002F1.0.17\u002Freadme.txt\t2026-03-03 11:04:18.000000000 +0000\n@@ -1,36 +1,44 @@\n-=== Royal WP Backup, Restore and Database Reset - Website Backups made Easy ===\n+=== Royal Wordpress Backup & Restore Plugin - Backup Wordpress Sites Safely ===\n Contributors: wproyal\n-Tags: backup, cloud backup, database backup, restore, reset database\n-Stable tag: 1.0.16\n+Tags: backup plugin, wordpress backup, database backup, restore, reset database\n+Stable tag: 1.0.17\n Requires at least: 5.0\n Tested up to: 6.9.1\n Requires PHP: 7.4\n License: GPLv2 or later\n License URI: https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\n \n-Create a WP Website backups easy and Restore whenever you need. Schedule automatic backups, Cloud Backups, Database backup. Built in database reset tool.\n+WordPress backup plugin to create full website backups and restore them easily, smart pre-update backup reminders, built-in database reset tool and more!\n \n == Description ==\n \n-https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=4SZ9r8mOt1M\n+Royal Backup & Restore is a powerful and **easy-to-use** WordPress backup plugin that helps you protect your website by creating full site backups, database backups, and automatic scheduled backups in just a few clicks. Whether you want to secure your website from crashes, plugin conflicts, hacking attempts, or update failures, this plugin ensures your WordPress site can always be **restored quickly and safely**.\n+\n+Unlike other WordPress backup plugins, Royal Backup includes a **unique smart** backup reminder system that **automatically prompts** you to create a backup before updating plugins, themes, or installing new ones — preventing accidental data loss.\n \n-Royal Backup, Restore & Reset is a comprehensive WordPress plugin that provides complete backup, restore, and WP reset functionality for your WordPress website. Whether you need to create regular website backups, migrate your site, or database reset, this plugin has you covered.\n+With Royal Backup, you can create complete WordPress backups including database, plugins, themes, uploads, and wordpress core files (PRO version), then restore your website instantly with one-click restore. The plugin also supports automatic backup scheduling (PRO version), allowing you to run hourly, daily, weekly, or monthly backups without manual effort.\n+\n+You can also securely store backups in **cloud storage** (PRO version) such as Google Drive, Dropbox, and Amazon S3, manage multiple backup locations, and perform selective backup and restore operations. Additionally, the built-in database reset tool lets you instantly reset WordPress to a fresh state without reinstalling.\n \n 🚀 Visit Plugin [Homepage](https:\u002F\u002Froyal-elementor-addons.com\u002Froyal-backup-reset\u002F?ref=rea-wpo-pp-details-tab)\n \n = ✅Key Features of Free Version =\n \n-* **Unique Feature - Backup Notification During Theme or Plugin Updates or Installation - No other plugin offers this feature** - ⏩ [See Video](https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=4SZ9r8mOt1M&t=27s). Plugin will remind you to make backup before activating or updating themes or plugins\n+* **Unique Feature - Backup Notification During Theme or Plugin Updates or Installation - No other plugin offers this feature** - ⏩ [See Video](https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=4SZ9r8mOt1M&t=27s). Plugin will remind you to make wordpress backup before activating or updating themes or plugins\n * **Full Website Backups** - Backup your entire WordPress website including database, plugins, themes, uploads, and other files\n * **Full Website Restore** - Restore your entire WordPress website including database, plugins, themes, uploads, and other files\n-* **Assign Custom Names to your Backups** - Assign custom names to backups for easy identification and organization.\n-* **Backup Component Downloads** - Download individual backup components such as the database, plugins, themes, and more.\n-* **Background Backup** - Feel free to refresh or close the browser window during backups — this won’t break the backup process.\n-* **Backup & Restore Progress Tracking** - Real-time progress updates during backup and restore operations\n-* **Database Reset** - Reset your WordPress database to a fresh installation - You do not need to reinstall WP, simple one click and your WP reverts to original fresh state.\n+* **Assign Custom Names to your Backups** - Assign custom names to wordpress backups for easy identification and organization.\n+* **Backup Component Downloads** - Download individual wordpress backup components such as the database, plugins, themes, and more.\n+* **Background Backup** - Feel free to refresh or close the browser window during wordpress backups — this won’t break the backup process.\n+* **Backup & Restore Progress Tracking** - Real-time progress updates during wordpress backup and restore operations\n+* **Database Reset** - Reset your WordPress database to a fresh installation - You do not need to reinstall Wordpress, simple one click and your Wordpress reverts to original fresh state.\n * **Backup Management Simple User interface** - View, download, restore, and delete website backups from a simple interface\n \n-= 🌟Royal Backup PRO Version - Key Features =\n+= ✅Video overview of Backup Notification During Theme or Plugin Updates =\n+\n+https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=4SZ9r8mOt1M\n+\n+= 🌟Key Features of PRO Version =\n \n https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=toQF4kf02nU\n \n@@ -44,9 +52,9 @@\n * **Selective Backup** - Choose specific components to backup — such as the database, plugins, themes, WordPress core files, or uploads — individually.\n * **Selective Restore** - Choose specific components to restore - such as the database, plugins, themes, WordPress core files, or uploads — individually.\n * **Backup Rename** - Rename your backups to improve identification, organization, and management.\n-* **Customizable Defaults** - Save your preferred backup and restore settings as defaults — so you don’t need to preselect them every time you perform a backup or restore.\n+* **Customizable Defaults** - Save your preferred Wordpress backup and restore settings as defaults — so you don’t need to preselect them every time you perform a backup or restore.\n * **Incremental Backups (Coming Soon)** - Backup only the files and folders that have changed since your last backup, saving both time and storage space.\n-* **Wordpress Multisite Network Support (Coming Soon)** - Full support for WordPress Multisite networks, all WP Multisite files and databases will be stored in the backup.\n+* **Wordpress Multisite Network Support (Coming Soon)** - Full support for WordPress Multisite networks, all Wordpress Multisite files and databases will be stored in the backup.\n * **Clear Uploads Directory** - Perform a full cleanup of the uploads folder during a database reset for a completely fresh start.\n * **Priority Support** - Get direct support from the developers whenever you need help with your backups.\n \n@@ -73,22 +81,22 @@\n \n = WordPress Admin Method =\n \n- 1. Go to you administration area in WordPress `Plugins > Add`\n+ 1. Go to your administration area in WordPress `Plugins > Add`\n  2. Look for `Royal Backup` (use search form)\n  3. Click on Install and activate the plugin\n  4. After activating Royal Backup plugin you will see it in the admin dashboard menu with the name Royal Backup\n  5. Create your first backup using the \"Create Backup\" tab > Select what to include in the backup, Press \"Start Backup Process\" Button\n  6. To Restore your backup navigate to Restore Site section, choose backup to restore and press Restore button\n- 7. To Delete your backup navigate to Restore Site section and press Remove button. This will completle remove all backups files and folders. This action can't be undone\n+ 7. To Delete your backup navigate to Restore Site section and press Remove button. This will completely remove all backups files and folders. This action can't be undone\n \n = FTP Method =\n \n 1. Upload the `royal-backup-reset` folder to the `\u002Fwp-content\u002Fplugins\u002F` directory\n 2. Activate the Royal Backup, Restore & Reset plugin through the 'Plugins' menu in WordPress\n-3. In the WP appearance menu go to in Royal Backup to start using the plugin\n+3. In the Wordpress appearance menu go to in Royal Backup to start using the plugin\n 4. Create your first backup using the \"Create Backup\" tab > Select what to include in the backup > Press \"Start Backup Process\" Button\n-5. To Restor your backup navigate to Restore Site section, choose backup to restore and press Restore button\n-6. To Delete your backup navigate to Restore Site section and press Remove button. This will completle remove all backups files and folders. This action can't be undone\n+5. To Restore your backup navigate to Restore Site section, choose backup to restore and press Restore button\n+6. To Delete your backup navigate to Restore Site section and press Remove button. This will completely remove all backups files and folders. This action can't be undone\n \n \n \n@@ -96,7 +104,7 @@\n \n = How to create My First Website Backup? =\n \n-Navigate in Plugin main Menu - Look for \"Royal Backup\" Name in your WP admin dashboard, Navigate to \"Create Backup\" tab > Select what to include in the backup > Press \"Start Backup Process\" Button. Congratulations your first website backup is created.\n+Navigate in Plugin main Menu - Look for \"Royal Backup\" Name in your Wordpress admin dashboard, Navigate to \"Create Backup\" tab > Select what to include in the backup > Press \"Start Backup Process\" Button. Congratulations your first website backup is created.\n \n = How to restore my Website Backup? =\n \n@@ -117,11 +125,11 @@\n * Plugins folder\n * Themes folder\n * Uploads folder (Where images, videos and similar files are stored)\n-* WP Core files (Only In PRO Version)\n+* Wordpress Core files (Only In PRO Version)\n \n = Is it safe to reset my database? =\n \n-This feature is mainly for testers or for those who want to reset WP to fresh install and Start from Scratch. The database reset feature will delete all your Content and Settings. Your current user account will be preserved. **Always create a backup before resetting!**\n+This feature is mainly for testers or for those who want to reset Wordpress to fresh install and Start from Scratch. The database reset feature will delete all your Content and Settings. Your current user account will be preserved. **Always create a backup before resetting!**\n \n == Screenshots ==\n \n@@ -133,6 +141,9 @@\n 6. Mini Database Reset Icon\n \n == Changelog ==\n+= 1.0.17 =\n+* Minor Improvements.\n+\n = 1.0.16 =\n * Performance Improvements.\n \n\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-backup-reset\u002F1.0.16\u002Froyal-backup-reset.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-backup-reset\u002F1.0.17\u002Froyal-backup-reset.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-backup-reset\u002F1.0.16\u002Froyal-backup-reset.php\t2026-02-24 08:43:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Froyal-backup-reset\u002F1.0.17\u002Froyal-backup-reset.php\t2026-03-03 11:04:18.000000000 +0000\n@@ -4,7 +4,7 @@\n  * Plugin URI: http:\u002F\u002Fwordpress.org\u002Fplugins\u002Froyal-backup-reset\u002F\n  * Description: Complete backup, restore and reset functionality for WordPress websites.\n  * Author: wproyal\n- * Version: 1.0.16\n+ * Version: 1.0.17\n  * Requires at least: 5.0\n  * Requires PHP: 7.4\n  * Tested up to: 6.9.1\n@@ -207,7 +207,7 @@\n \n \u002F\u002F Set plugin version for asset cache busting and compatibility checks.\n if ( ! defined( 'ROYALBR_VERSION' ) ) {\n-\tdefine( 'ROYALBR_VERSION', '1.0.16' );\n+\tdefine( 'ROYALBR_VERSION', '1.0.17' );\n }\n \n \u002F\u002F Initialize plugin-wide constants including paths and configuration.","The exploit targets the plugin's dashboard or activation flow by injecting a malicious payload into the 'wpr_pending_template' GET parameter. \n\n1. Target URL: An attacker crafts a URL such as `http:\u002F\u002F[site]\u002Fwp-admin\u002Fadmin.php?page=royal-backup-reset&wpr_pending_template=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n2. Delivery: The attacker tricks an authenticated administrator into clicking this link, often via a phishing email or a malicious site.\n3. Execution: When the administrator's browser loads the page, the plugin logic retrieves the `wpr_pending_template` value. Because the plugin subsequently reflects this value into the HTML response (e.g., inside a status message or JavaScript variable) without escaping, the `\u003Cscript>` tag is rendered and executed in the context of the administrator's session.\n4. Impact: The script can then perform administrative actions on the site, such as creating a new administrator user or stealing session cookies.","gemini-3-flash-preview","2026-04-16 16:19:29","2026-04-16 16:20:02",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.0.16","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-backup-reset\u002Ftags\u002F1.0.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-backup-reset.1.0.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-backup-reset\u002Ftags\u002F1.0.17","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Froyal-backup-reset.1.0.17.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Froyal-backup-reset\u002Ftags"]