VYPR · NVD Advisory · Unrated severity · Published Jul 11, 2022 · Updated Aug 3, 2024

WP Paginate < 2.1.9 - Admin+ Stored Cross-Site Scripting

CVE-2022-2050

Description

WP-Paginate plugin before 2.1.9 has a stored XSS vulnerability via an unescaped setting, allowing high privilege users to inject scripts when unfiltered_html is disallowed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WP-Paginate WordPress plugin before version 2.1.9 does not properly escape one of its settings. This flaw allows high privilege users (such as admins) to perform Stored Cross-Site Scripting (XSS) attacks when the unfiltered_html capability is disallowed for those users. The setting in question is not sanitized before being saved or output, making the plugin vulnerable to script injection [1].

Exploitation

An attacker needs high privilege (e.g., Administrator) access to the WordPress site where the WP-Paginate plugin is installed and active. The attacker can inject malicious JavaScript into the vulnerable setting via the plugin's settings page. When the setting is later rendered on a page (likely an admin-facing page or a front-end pagination element), the injected script executes in the browser of any user viewing that page [1].

Impact

Successful exploitation leads to Stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's session. This can result in session hijacking, defacement, or redirection to malicious sites. The impact is limited to users who have access to the pages where the setting is displayed, primarily other high privilege users or site visitors depending on where the pagination output appears [1].

Mitigation

The vulnerability is fixed in version 2.1.9 of the WP-Paginate plugin. Users should update to this version immediately. There is no known workaround other than updating. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing output escaping on a plugin setting allows stored cross-site scripting."

Attack vector

A high-privilege user (e.g., Administrator) can inject malicious JavaScript into the unescaped plugin setting. When the setting is rendered on a page, the stored script executes in the context of other users' browsers. The attack requires that unfiltered_html is disallowed for the attacker's role, making this a Stored Cross-Site Scripting (XSS) vulnerability [CWE-79] [ref_id=1].

Affected code

The WP-Paginate plugin before version 2.1.9 does not escape one of its settings [ref_id=1]. The advisory does not specify the exact file or function name responsible for the missing escaping.

What the fix does

The advisory states the vulnerability is fixed in version 2.1.9 [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably escapes the unescaped setting output using WordPress's built-in escaping functions (e.g., esc_html()) to prevent injected HTML or JavaScript from being interpreted as code.
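The advisory does not name the setting or the code path, so the following is an added illustrative example, not WP-Paginate's code: a hypothetical plugin option `myplugin_before_text` (all function and option names are assumed) shown first as the unescaped pattern the advisory describes, then with sanitization on save and escaping on output so that a user whose role lacks `unfiltered_html` cannot store a script through the setting.

```php
<?php
// Added example, not WP-Paginate's code. Option and function names are
// hypothetical; the plugin's real setting is not identified in the advisory.

// --- Unescaped pattern (the class of bug in CVE-2022-2050) ---
// The option is stored as submitted and echoed raw, so any markup an
// Administrator without unfiltered_html saves here runs for every viewer.
function myplugin_render_unsafe() {
    $before = get_option( 'myplugin_before_text', '' );
    echo '<div class="wp-paginate">' . $before . '</div>'; // stored XSS sink
}

// --- Hardened pattern ---
// 1. Sanitize on save through the Settings API callback. The option is
//    treated as plain text, so tags are stripped regardless of role; a
//    setting that legitimately carries limited HTML would use wp_kses_post()
//    here and on output instead.
function myplugin_sanitize_before_text( $value ) {
    return sanitize_text_field( (string) $value );
}

add_action( 'admin_init', function () {
    register_setting( 'myplugin_options', 'myplugin_before_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'myplugin_sanitize_before_text',
        'default'           => '',
    ) );
} );

// 2. Escape on output as well. Saved data may predate the sanitizer or be
//    written by other code, so the sink must not trust the stored value.
function myplugin_render_safe() {
    $before = get_option( 'myplugin_before_text', '' );
    echo '<div class="wp-paginate">' . esc_html( $before ) . '</div>';
}

// 3. The settings form itself is an output context too: the value goes into
//    an attribute, so esc_attr() is the correct escaper there.
function myplugin_settings_field() {
    printf(
        '<input type="text" name="myplugin_before_text" value="%s" />',
        esc_attr( get_option( 'myplugin_before_text', '' ) )
    );
}
```

When reviewing a plugin for this class of flaw, check both the `sanitize_callback` on `register_setting()` and every `echo`/`printf` of the option; either one missing is enough for the stored script to reach a browser.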

Preconditions

  • auth: Attacker must have a high-privilege WordPress role (e.g., Administrator) that can modify plugin settings.
  • config: The unfiltered_html capability must be disallowed for the attacker's role.
  • config: The WP-Paginate plugin must be installed and active, at a version prior to 2.1.9.

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)