CVE-2026-15283 in WPvivid Backup for MainWP Plugininfo

Summary

by MITRE • 07/10/2026

The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.9.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The WPvivid Backup for MainWP plugin presents a critical stored cross-site scripting vulnerability that compromises the security of WordPress multisite environments. This vulnerability exists within all versions up to and including 0933 and stems from inadequate input sanitization mechanisms combined with insufficient output escaping procedures. The flaw specifically targets administrative settings where user-provided data is stored without proper validation or encoding, creating a persistent vector for malicious script injection that can affect all users who access compromised pages.

The technical implementation of this vulnerability allows authenticated attackers holding administrator-level permissions or higher to execute arbitrary web scripts within the context of other users' browsers. This occurs because the plugin fails to properly sanitize user inputs when storing configuration settings, and does not adequately escape output before rendering content on admin pages. The stored nature of this XSS flaw means that malicious scripts persist in the database and execute automatically whenever affected pages are accessed by any user with appropriate privileges, creating a continuous threat vector.

The operational impact of this vulnerability extends beyond simple script execution to encompass potential privilege escalation and data theft scenarios. Attackers can leverage this vulnerability to steal administrative credentials, modify plugin settings, access sensitive configuration data, or redirect users to malicious websites. The restriction that affects only multisite installations with unfiltered_html disabled actually increases the attack surface by limiting the available protections that would otherwise prevent such injections from taking effect.

This vulnerability aligns with CWE-79 which defines improper neutralization of input during web page generation in a web application, and maps directly to ATT&CK technique T1566.001 for credential harvesting through phishing attacks. The attack chain typically involves gaining administrative access to the WordPress installation, navigating to the affected plugin settings, injecting malicious scripts that persist across user sessions, and then executing these payloads when other administrators or users view compromised pages.

Mitigation strategies should include immediate patching to versions beyond 0933 where input sanitization has been properly implemented. Organizations must also implement strict access controls limiting administrative privileges to only essential personnel, deploy web application firewalls with XSS detection capabilities, and conduct regular security audits of plugin configurations. Additionally, administrators should consider implementing content security policies that restrict script execution within the WordPress admin environment. Regular vulnerability scanning and monitoring for unauthorized configuration changes can help detect exploitation attempts before they cause significant damage, while user education about suspicious administrative activities remains crucial for early threat identification.

The vulnerability demonstrates the critical importance of input validation and output escaping in web application security, particularly within plugin ecosystems where third-party code interacts with core WordPress functionality. Proper implementation of these security controls would prevent the persistence of malicious scripts and maintain the integrity of the WordPress administration interface across multisite installations.

Responsible

Wordfence

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!