Description
WordPress Plugin WP-Paginate 2.1.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter. Attackers can submit POST requests to the plugin settings page with script payloads in the preset parameter that are stored and executed when administrators view the settings.
Published: 2026-06-08
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP‑Paginate version 2.1.3 contains a stored cross‑site scripting flaw that lets an attacker inject script content through the preset parameter when submitting a POST request to the plugin’s settings page. The payload is persisted and executed whenever an administrator later views the settings, allowing the attacker to deface the site, execute arbitrary JavaScript and potentially harvest session cookies or perform malicious actions in the administrator’s browser context.

Affected Systems

The vulnerability affects MaxFoundry’s WP‑Paginate plugin, specifically version 2.1.3, which is used on WordPress websites. Any site running this exact version is vulnerable, regardless of other WordPress components.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and exploitation requires an authenticated user with write access to the plugin’s settings. No EPSS score is available and the vulnerability is not listed in CISA KEV, suggesting it may not yet be widely exploited. However, once the malicious script is stored, it can affect any administrator who views the settings, potentially leading to session hijacking, credential theft, or site defacement. The lack of public exploitation data does not diminish the risk of a targeted attack exploiting this stored XSS.

Generated by OpenCVE AI on June 8, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP‑Paginate to a patched version that removes the XSS vulnerability.
  • If an immediate update is unavailable, limit access to the plugin settings page to a minimal set of trusted administrators and apply a web application firewall rule to block script tags or JavaScript in the preset parameter.
  • Conduct an audit of all plugin input points for proper output encoding and implement generic XSS defenses such as using WordPress escaping functions or content security policy headers.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Mon, 08 Jun 2026 02:00:00 +0000

Type | Values Removed | Values Added
Description | | WordPress Plugin WP-Paginate 2.1.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter. Attackers can submit POST requests to the plugin settings page with script payloads in the preset parameter that are stored and executed when administrators view the settings.
Title | | WordPress Plugin WP-Paginate 2.1.3 Stored XSS via preset
First Time appeared | | Maxfoundry; Maxfoundry wp-paginate
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:maxfoundry:wp-paginate:2.1.3:*:*:*:*:wordpress:*:*
Vendors & Products | | Maxfoundry; Maxfoundry wp-paginate
References | |
Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}; cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T01:55:25.110Z

Reserved: 2026-06-07T22:04:07.971Z

Link: CVE-2021-47982

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-08T02:16:22.190

Modified: 2026-06-08T02:16:22.190

Link: CVE-2021-47982

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T04:30:15Z

Weaknesses