Description
The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpr_pending_template' parameter in all versions up to, and including, 1.0.16 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
Published: 2026-04-10
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Royal WordPress Backup & Restore Plugin for WordPress contains a reflected cross‑site scripting flaw caused by inadequate validation of the wpr_pending_template parameter in all versions up to and including 1.0.16. Malicious input supplied via this parameter is echoed back into page content without proper escaping, allowing an attacker to execute arbitrary JavaScript in an administrator’s browser. This can enable cookie theft, session hijacking, or site defacement.

Affected Systems

All releases of the Royal WordPress Backup & Restore Plugin distributed by wproyal, under the name Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely, until the release of version 1.0.17, are vulnerable. Administrators who are currently using any of these affected versions should push the update as soon as possible.

Risk and Exploitability

The CVSS score for this vulnerability is 6.1, which indicates a moderate severity. An attacker does not need authentication; any user who receives a crafted link containing the wpr_pending_template parameter can trigger the flaw. EPSS data is unavailable and the issue is not listed in CISA’s KEV catalog, but the straightforward web‑based attack path means the risk remains real for sites that have not applied the latest patch.

Generated by OpenCVE AI on April 10, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Royal WordPress Backup & Restore Plugin to version 1.0.17 or newer
  • Verify that the updated plugin is deployed and that the site no longer reflects the malicious input
  • If an immediate update is not possible, modify the plugin or disable the wpr_pending_template parameter until a fix can be applied

Generated by OpenCVE AI on April 10, 2026 at 02:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wproyal
Wproyal royal Wordpress Backup, Restore & Migration Plugin – Backup Wordpress Sites Safely
Vendors & Products Wordpress
Wordpress wordpress
Wproyal
Wproyal royal Wordpress Backup, Restore & Migration Plugin – Backup Wordpress Sites Safely

Fri, 10 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpr_pending_template' parameter in all versions up to, and including, 1.0.16 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
Title Royal WordPress Backup & Restore Plugin <= 1.0.16 - Reflected Cross-Site Scripting via 'wpr_pending_template' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Wproyal Royal Wordpress Backup, Restore & Migration Plugin – Backup Wordpress Sites Safely
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-10T01:25:00.917Z

Reserved: 2026-03-16T20:37:11.594Z

Link: CVE-2026-4305

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-10T02:16:03.397

Modified: 2026-04-10T02:16:03.397

Link: CVE-2026-4305

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:27:06Z

Weaknesses