CVE-2026-0681 in Extended Random Number Generator Plugin
Summary
by MITRE • 02/04/2026
The Extended Random Number Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/05/2026
The Extended Random Number Generator plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2026-0681 that affects all versions up to and including 1.1. This vulnerability resides within the plugin's settings handling mechanism and represents a significant security flaw that could compromise entire WordPress installations. The vulnerability specifically targets the sanitization and escaping of user inputs, creating an avenue for malicious code injection that persists across user sessions and page visits.
The technical flaw stems from inadequate input validation and output escaping mechanisms within the plugin's administrative interface. When administrators modify plugin settings, the system fails to properly sanitize user-provided data before storing it in the database. This insufficient sanitization allows malicious scripts to be stored alongside legitimate configuration data, where they remain dormant until executed during subsequent page loads. The vulnerability operates under CWE-79 which classifies it as a cross-site scripting weakness, specifically a stored XSS variant that persists in the server's database rather than being reflected in HTTP responses.
Attackers exploiting this vulnerability require administrator-level access to the WordPress installation, which significantly reduces the attack surface but does not eliminate the risk entirely. The vulnerability's impact is particularly severe in multi-site installations where the compromised plugin settings could affect multiple sites within a single WordPress network. Additionally, the vulnerability only manifests in installations where the unfiltered_html capability has been disabled, which is a common security hardening practice that makes the exploitation more targeted but still dangerous. This specific condition aligns with ATT&CK technique T1059.001 for Command and Scripting Interpreter, where attackers leverage the stored script execution capability to maintain persistence.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities including credential theft, session hijacking, and data exfiltration. Once an attacker successfully injects malicious scripts through the compromised plugin settings, they can establish persistent access to the WordPress administrative interface and potentially compromise the entire site. The vulnerability's persistence across page loads means that the malicious code executes automatically whenever any user accesses pages that contain the injected scripts, making it particularly effective for long-term attacks. This stored nature of the vulnerability also means that even if the initial injection point is patched, the malicious code remains active in the database until manually removed.
Mitigation strategies for CVE-2026-0681 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Organizations should also implement comprehensive monitoring of plugin settings changes and establish strict access controls for administrative accounts. The vulnerability's requirement for administrator-level access makes privilege management crucial, as attackers who can escalate privileges or compromise administrative credentials pose the greatest risk. Regular security audits of WordPress installations should include verification of plugin integrity and proper sanitization of all user inputs. Additionally, implementing Content Security Policy headers and other web application firewalls can provide additional layers of protection against exploitation attempts, though these measures should complement rather than replace proper input validation and sanitization.