CVE-2026-1780 in [CR]Paid Link Manager Plugin

Summary

by MITRE • 03/18/2026

The [CR]Paid Link Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


Analysis

by VulDB Data Team • 03/22/2026

The CVE-2026-1780 vulnerability affects the CR Paid Link Manager plugin for WordPress, representing a critical security flaw that undermines the integrity of web applications. This vulnerability exists within plugin versions up to and including 0.5, making it a persistent threat that has not been addressed in recent updates. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's URL path handling, creating an exploitable condition that affects all users regardless of their authentication status.

The technical flaw manifests as a reflected cross-site scripting vulnerability that occurs when the plugin fails to properly sanitize user-supplied input from URL parameters. This weakness allows attackers to inject malicious scripts that are then reflected back to users who visit the compromised page. The vulnerability operates at the application layer where user input is directly incorporated into web page responses without proper validation or encoding. According to CWE-79, this represents a classic reflected cross-site scripting weakness where attacker-controlled data flows through the application to a user's browser, creating an execution environment for malicious code.

The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with a vector for more sophisticated attacks including session hijacking, credential theft, and redirection to malicious sites. Unauthenticated attackers can exploit this vulnerability by crafting malicious URLs that, when clicked by unsuspecting users, execute arbitrary scripts in the victim's browser context. This makes the vulnerability particularly dangerous in environments where users frequently click on links from emails, social media, or other sources. The attack requires social engineering to succeed, as users must be tricked into clicking the malicious link, but once clicked, the exploit can compromise the user's session and potentially lead to complete account takeover.

The vulnerability aligns with ATT&CK technique T1566.001 which describes the use of spearphishing with links to deliver malware or exploit code. The reflected nature of the XSS means that the malicious payload is not stored on the server but is instead reflected from the web application in response to a user's request. This makes detection more challenging as the attack is ephemeral and occurs only during the specific request that triggers the vulnerability. Security professionals should note that this vulnerability represents a common pattern in web application security where input validation is insufficient to prevent malicious code execution.

Mitigation strategies should focus on immediate plugin updates to the latest version where the vulnerability has been patched, as well as implementing proper input validation and output escaping mechanisms. Organizations should also consider implementing content security policies to limit script execution, monitoring for suspicious URL patterns, and educating users about the dangers of clicking untrusted links. Additionally, network-level protections such as web application firewalls can provide additional layers of defense against exploitation attempts. The vulnerability highlights the importance of regular security audits and the need for developers to implement proper sanitization practices in all user-facing input handling code.
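The escaping gap the analysis describes, shown as an added example that is not the plugin's own code: the request path written into HTML without escaping, beside a hardened version that uses the WordPress escaping helpers. The shim functions and the sample request path are constructed so the snippet runs stand-alone.

```php
<?php
// Added illustration, not the [CR]Paid Link Manager plugin's own code: the
// reflected-XSS pattern the advisory describes (request path written into
// HTML without escaping) beside a hardened version. The shims let the file
// run outside WordPress; inside WordPress, core provides esc_attr()/esc_html().
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern: the attacker-controlled path is concatenated into an
// attribute and into text verbatim, so a '"' or '<' in the path ends the
// attribute or tag and whatever follows is rendered as markup.
function render_link_vulnerable(string $request_uri): string {
    return '<a href="' . $request_uri . '">' . $request_uri . '</a>';
}

// Hardened pattern: reduce the value to the path component (query string and
// fragment dropped), then escape once for each output context. In a real
// plugin, esc_url() is the WordPress helper for href values; esc_attr() is
// used here so the stand-alone shim above stays short.
function render_link_hardened(string $request_uri): string {
    $path = preg_replace('/[?#].*/s', '', $request_uri);
    if ($path === null || $path === '') {
        $path = '/';
    }
    return '<a href="' . esc_attr($path) . '">' . esc_html($path) . '</a>';
}

// Constructed sample: a request path carrying attribute-breaking characters,
// standing in for $_SERVER['REQUEST_URI'] as a plugin would read it.
$sample = '/links/go/"><em>injected</em>?ref=1';
echo render_link_vulnerable($sample), PHP_EOL; // injected markup survives
echo render_link_hardened($sample), PHP_EOL;   // rendered as inert text
```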

Responsible: Wordfence

Reservation: 02/02/2026

Disclosure: 03/18/2026

Moderation: accepted

CPE: ready

EPSS: 0.00100

KEV: no

Activities: very low

Sources
