Description
The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20. This is due to insufficient input sanitization and output escaping in the pagination() function. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, provided they can trick an administrator into performing an action such as clicking on a link.
Published: 2026-05-28
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Easy Updates Manager WordPress plugin contains a reflected Cross-Site Scripting flaw that allows an attacker to inject arbitrary web scripts via the unsanitised "paged" parameter in the pagination() function. Because the value is reflected back to the browser without proper escaping, clicking a crafted link can cause malicious code to execute in the context of an administrator's session. This could lead to session hijacking, credential theft, or defacement of the site.

Affected Systems

Affected products are the Easy Updates Manager plugin from David Anderson, versions up to and including 9.0.20. No newer versions are known to contain the issue. WordPress sites that have never updated the plugin beyond 9.0.20 remain vulnerable.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate impact. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation data. The attacker would need to convince an admin to visit a malicious URL that includes a crafted "paged" value, which is a social-engineering requirement; the vulnerability is not exploitable without user interaction.

Generated by OpenCVE AI on May 28, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Updates Manager to version 9.0.21 or later, which implements proper sanitisation and output escaping for the "paged" parameter.
  • If an immediate upgrade is not possible, limit exposure by removing or disabling the pagination feature in the plugin configuration, or by adding request-level filtering that rejects non-numeric or excessively long values for the "paged" parameter.
  • Apply custom validation and escaping on the "paged" input using WordPress functions such as wp_unslash() and esc_attr() before rendering it, and verify that no scripts are allowed via web-app security testing.
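The following is an added illustration of the validate-then-escape pattern the recommended actions describe; it is not code from Easy Updates Manager, and the demo_ function names, the hidden-field markup and the sample request values are all invented for this example. It goes slightly beyond the advisory by showing that coercing "paged" to a positive integer with absint() also satisfies the "reject non-numeric values" mitigation, while esc_attr() at the output site remains the last line of defence. Stand-ins for wp_unslash(), absint() and esc_attr() are defined only so the file runs outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example (not the plugin's code): a hypothetical pagination helper
// showing the unsafe reflection pattern the advisory describes next to a
// hardened version. All demo_ names are invented for this illustration.

// Minimal stand-ins so the script runs without WordPress loaded. When
// WordPress is present, function_exists() is true and these are skipped.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        return is_string( $value ) ? stripslashes( $value ) : $value;
    }
}
if ( ! function_exists( 'absint' ) ) {
    function absint( $value ) {
        return abs( (int) $value );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Unsafe pattern: the raw request value is reflected into markup unchanged,
// so anything the user supplies lands inside the attribute verbatim.
function demo_pagination_unsafe( array $request ) {
    $paged = isset( $request['paged'] ) ? $request['paged'] : '1';
    return '<input type="hidden" name="paged" value="' . $paged . '">';
}

// Hardened pattern: allow-list the type first (a page number can only be a
// positive integer), then escape at the point of output regardless.
function demo_pagination_safe( array $request ) {
    $raw = isset( $request['paged'] ) ? wp_unslash( $request['paged'] ) : '1';
    // absint() maps any non-numeric input to 0; clamp to the first page.
    $paged = max( 1, absint( $raw ) );
    return '<input type="hidden" name="paged" value="' . esc_attr( $paged ) . '">';
}

// Constructed request values for the demo: an ordinary page number and a
// value that is not a page number at all and must never reach the markup
// unchanged.
$samples = array(
    array( 'paged' => '3' ),
    array( 'paged' => '3"><em>not a page number</em>' ),
);

foreach ( $samples as $request ) {
    echo "input : " . $request['paged'] . "\n";
    echo "unsafe: " . demo_pagination_unsafe( $request ) . "\n";
    echo "safe  : " . demo_pagination_safe( $request ) . "\n\n";
}
```

Run it with `php demo.php`: for the second sample the unsafe function closes the attribute and emits the injected tag, whereas the hardened function renders `value="3"` because absint() keeps only the leading integer. Keeping both steps matters: validation limits what the value can be, and escaping protects the output site even if a later change loosens the validation.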

Generated by OpenCVE AI on May 28, 2026 at 08:21 UTC.


Advisories

No advisories yet.

History

Thu, 28 May 2026 12:30:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 07:30:00 +0000

Type: Description
Values Removed: (empty)
Values Added: The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20 This is due to insufficient input sanitization and output escaping in the pagination() function. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page granted they can trick an administrator into performing an action such as clicking on a link.

Type: Title
Values Removed: (empty)
Values Added: Easy Updates Manager <= 9.0.20 - Reflected Cross-Site Scripting via 'paged' Parameter

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-79

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:33:53.918Z

Reserved: 2026-05-01T19:28:13.961Z

Link: CVE-2026-7660

Vulnrichment

Updated: 2026-05-28T10:33:48.615Z

NVD

Status : Deferred

Published: 2026-05-28T08:16:37.240

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-7660

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T08:30:12Z

Weaknesses