WP Paginate < 2.1.4 - Admin+ Stored Cross-Site Scripting

Vulnerability

The WP-Paginate WordPress plugin versions before 2.1.4 fail to sanitize and escape preset settings, allowing high-privilege users such as administrators to inject arbitrary JavaScript. This stored Cross-Site Scripting (XSS) vulnerability can be exploited even when the unfiltered_html capability is disallowed. The affected versions are all releases prior to 2.1.4 [2].

Exploitation

An attacker with administrator-level access to the WordPress site can inject malicious JavaScript into the plugin's preset settings. When other users (including lower-privileged users or visitors) view pages that use WP-Paginate, the injected script executes in their browsers. No additional user interaction is required beyond viewing the affected page [2].

Impact

Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of other users' sessions. This can lead to session hijacking, defacement, data theft, or further compromise of the WordPress site. The attacker gains the ability to perform actions as the victim user, potentially escalating privileges or exfiltrating sensitive information [2].

Mitigation

The vulnerability is fixed in version 2.1.4, released on 2021-01-05 [2]. Users should update to version 2.1.4 or later immediately. No workarounds are documented; updating the plugin is the only recommended mitigation.