CVE-2026-7660
Description
The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20. This is due to insufficient input sanitization and output escaping in the pagination() function. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, provided they can trick an administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Easy Updates Manager (WordPress) via unsanitized 'paged' parameter, allowing arbitrary script injection in administrator pages.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the Easy Updates Manager plugin for WordPress (versions up to and including 9.0.20). The flaw resides in the pagination() function of the MPSUM_List_Table class. The 'paged' parameter is taken from user input without sufficient sanitization or output escaping, allowing injection of arbitrary web scripts [1], [2], [3].
Exploitation
An attacker can craft a malicious URL containing a 'paged' parameter with embedded JavaScript. The victim must be an authenticated administrator who is tricked into clicking the crafted link. The page where the pagination output is rendered (likely an admin list table view) will then execute the injected script in the context of the victim's session [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the browser of an administrator. This can lead to theft of session cookies, modification of page content, or actions on behalf of the administrator within the WordPress admin area, potentially compromising site integrity [1].
Mitigation
The vulnerability is fixed in plugin version 9.0.21, released on an unspecified date. The patch is available in the WordPress plugin repository and can be applied via an update in the WordPress admin dashboard [1]. No workaround is provided for unfixed versions.
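As an added illustration (not the plugin's code and not taken from the referenced changeset), the hypothetical pagination helper below shows the unsafe pattern the description names beside a hardened form: the `paged` request value is cast to a positive integer with `absint()` before use, and every emitted attribute goes through `esc_url()`/`esc_attr()`. The function names, the `$_REQUEST['paged']` handling and the constructed demo input are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Minimal stand-ins for the
// WordPress core helpers so the file also runs from the PHP CLI; the real
// esc_url() additionally validates the URL scheme and rejects javascript: links.
if (!function_exists('absint'))   { function absint($v)   { return abs((int) $v); } }
if (!function_exists('esc_attr')) { function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); } }
if (!function_exists('esc_url'))  { function esc_url($u)  { return htmlspecialchars((string) $u, ENT_QUOTES, 'UTF-8'); } }

// Unsafe pattern (hypothetical): the raw request value is concatenated into
// markup, so a value containing a quote closes the href attribute and anything
// after it becomes markup in the administrator's page.
function render_pagination_unsafe($base_url, $total_pages) {
    $paged = isset($_REQUEST['paged']) ? $_REQUEST['paged'] : 1;
    return '<a class="next-page" href="' . $base_url . '&paged=' . $paged . '">'
         . 'Page ' . $paged . ' of ' . $total_pages . '</a>';
}

// Hardened form: sanitize on input (positive integer, clamped to the valid
// page range) and escape on output (esc_url for the href, esc_attr for text).
function render_pagination_safe($base_url, $total_pages) {
    $total = max(1, (int) $total_pages);
    $paged = isset($_REQUEST['paged']) ? absint($_REQUEST['paged']) : 1;
    $paged = max(1, min($paged, $total));
    $href  = $base_url . '&paged=' . $paged;
    return '<a class="next-page" href="' . esc_url($href) . '">'
         . 'Page ' . esc_attr($paged) . ' of ' . esc_attr($total) . '</a>';
}

// Demo with a constructed 'paged' value that breaks out of the attribute.
$_REQUEST['paged'] = '1"><em>injected</em>';
echo render_pagination_unsafe('plugins.php?page=example', 3), "\n"; // markup injected
echo render_pagination_safe('plugins.php?page=example', 3), "\n";   // paged=1, no markup
```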
- https://plugins.trac.wordpress.org/changeset/3531188/stops-core-theme-and-plugin-updates/trunk/includes/MPSUM_List_Table.php
- https://plugins.trac.wordpress.org/browser/stops-core-theme-and-plugin-updates/trunk/includes/MPSUM_List_Table.php#L800
- https://plugins.trac.wordpress.org/browser/stops-core-theme-and-plugin-updates/tags/9.0.20/includes/MPSUM_List_Table.php#L800
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=9.0.20
- Range: <=9.0.20
Patches
- r3531188
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/stops-core-theme-and-plugin-updates/tags/9.0.20/includes/MPSUM_List_Table.php (NVD)
- plugins.trac.wordpress.org/browser/stops-core-theme-and-plugin-updates/tags/9.0.20/includes/MPSUM_Plugins_List_Table.php (NVD)
- plugins.trac.wordpress.org/browser/stops-core-theme-and-plugin-updates/trunk/includes/MPSUM_List_Table.php (NVD)
- plugins.trac.wordpress.org/browser/stops-core-theme-and-plugin-updates/trunk/includes/MPSUM_Plugins_List_Table.php (NVD)
- plugins.trac.wordpress.org/changeset/3531188/stops-core-theme-and-plugin-updates/trunk/includes/MPSUM_List_Table.php (NVD)
- plugins.trac.wordpress.org/changeset (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/bbbd989c-4d69-45c9-bcb9-44f9ab98b969 (NVD)
News mentions
No linked articles in our index yet.