MEDIUM 6.4

CVE-2021-47982: WP-Paginate 2.1.3 Stored XSS in Plugin Settings

WordPress administrators using the WP-Paginate plugin version 2.1.3 should be aware of a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious scripts into the plugin's settings. An attacker with login credentials can submit crafted requests to the plugin configuration page, embedding JavaScript payloads that are permanently stored in the database and executed whenever site administrators access those settings. This means the payload runs in the admin's browser session, potentially allowing the attacker to steal session tokens, modify site content, create new admin accounts, or perform other harmful actions on behalf of the compromised administrator.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

WordPress Plugin WP-Paginate 2.1.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter. Attackers can submit POST requests to the plugin settings page with script payloads in the preset parameter that are stored and executed when administrators view the settings.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2021-47982 is a stored XSS vulnerability (CWE-79) in WP-Paginate 2.1.3. The plugin fails to properly sanitize user input in the 'preset' parameter when processing POST requests to its settings page. Input validation and output encoding are insufficient, allowing authenticated users to inject malicious JavaScript that persists in the WordPress database. When an administrator accesses the plugin settings page, the unescaped payload executes in their browser context with their privileges. The CVSS v3.1 score of 6.4 (MEDIUM severity) reflects the requirement for prior authentication and the limited scope of impact, though the ability to affect site administrators elevates practical risk.

Business impact

A compromised WordPress administrator account—even temporarily via XSS—can lead to widespread site defacement, malware installation, data exfiltration, or permanent loss of control. Stored XSS targeting admins is particularly dangerous because it may go unnoticed and can be weaponized to create persistent backdoors or privilege escalation chains. For multi-author sites, a lower-privileged authenticated attacker (editor or contributor) could escalate influence by compromising the admin session. The impact extends beyond a single infection; the malicious payload survives plugin updates and site restarts until explicitly removed from the database.

Affected systems

WordPress installations using WP-Paginate version 2.1.3 are affected. The vulnerability requires the attacker to have existing authentication credentials (user account), limiting the threat actor pool but not eliminating it—shared hosting environments, insider threats, and compromised user accounts all increase exposure. Any site running the affected plugin version and allowing multiple users (even low-privilege roles) is at risk if those users are malicious or their credentials are compromised. Verify your current plugin version against your WordPress admin dashboard and check the official WP-Paginate repository for the exact range of vulnerable versions.

Exploitability

The vulnerability is relatively straightforward to exploit for anyone with valid WordPress login credentials. No special tools, zero-days, or complex techniques are required—a simple POST request with a JavaScript payload in the preset parameter is sufficient. The low complexity (AC:L in CVSS) reflects this accessibility. However, the requirement for authenticated access (PR:L) means the attacker must first obtain valid credentials through other means: phishing, credential stuffing, or social engineering. Once stored, the payload executes automatically, making detection and containment difficult without database-level inspection. This is not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but that status can change as awareness grows.

Remediation

The immediate action is to update WP-Paginate to a patched version released after the vulnerability was disclosed. Check the plugin's official repository or vendor advisory for the specific version that addresses CVE-2021-47982 and apply it urgently to all affected installations. Simultaneously, audit your WordPress user accounts—review all active users, disable any with suspicious creation dates or unexplained access patterns, and reset passwords for high-privilege accounts (Administrator, Editor). For environments with multiple administrators or editors, coordinate this carefully to avoid lockout. As a defense-in-depth measure, use WordPress security plugins to monitor admin settings changes and restrict plugin access by role. Consider limiting plugin installation and update permissions to a dedicated administrator role.

Patch guidance

Consult the WP-Paginate plugin repository (wordpress.org/plugins/wp-paginate/) and the official vendor advisory for the patched version number. WordPress plugin updates should be applied through the WordPress admin dashboard or via command line (wp plugin update wp-paginate if using WP-CLI). Test the update in a staging environment first to confirm compatibility with your site and other plugins. After patching, verify that the preset parameter on the plugin settings page no longer accepts or stores unescaped HTML/JavaScript. Clear browser cache and re-authenticate to the admin dashboard to ensure the fix is fully loaded.

Detection guidance

Search your WordPress database for suspicious JavaScript or HTML fragments in WP-Paginate configuration values, particularly in any preset-related options. Use database query tools or WordPress security plugins (e.g., Wordfence, Sucuri) to scan for indicators of XSS injection. Review WordPress admin access logs and activity audit logs for unusual POST requests to /wp-admin/options-general.php?page=wp-paginate or similar settings pages, especially those originating from unexpected IP addresses or user accounts. Monitor for new admin account creation or unauthorized role changes. Implement Content Security Policy (CSP) headers to limit the impact of any stored XSS that may have already been injected.

Why prioritize this

Although the CVSS score is MEDIUM (6.4), this vulnerability should be prioritized due to its stored nature and targeting of administrator accounts. Stored XSS in admin panels is more dangerous than reflected variants because it persists and executes automatically. The low barrier to exploitation for authenticated users, combined with the high-value target (administrator sessions), justifies fast-track remediation. If your WordPress site has multiple contributors or editors, the risk is elevated—any compromised lower-privilege account becomes a pivot point for admin compromise. It is not yet actively exploited in the wild (not in KEV), which creates a brief window to patch before threat actors increase reconnaissance.

Risk score, explained

The CVSS v3.1 score of 6.4 (MEDIUM) accounts for: (1) network-based attack vector (AV:N) requiring an internet connection but no special network positioning; (2) low attack complexity (AC:L)—straightforward exploitation with no race conditions or environmental weaknesses; (3) low privilege requirement (PR:L)—attacker must be authenticated, but not as a high-privilege user; (4) no user interaction (UI:N)—the payload executes automatically when admin views settings, not requiring the admin to click a link; (5) changed scope (S:C)—the compromise of one admin can affect other resources or accounts on the site; (6) low confidentiality and integrity impact (C:L, I:L) because the attacker gains visibility into and can modify admin-level content; and (7) no availability impact (A:N) since the attack does not disrupt service. The medium severity appropriately reflects that this is serious but not a network-wide remote code execution vulnerability.

Frequently asked questions

Can a WordPress user without admin access exploit this vulnerability?

Yes. The vulnerability requires authentication, but not administrator role. Any user with Editor, Author, Contributor, or even Subscriber role who can reach the WP-Paginate settings page (if the plugin allows it) could potentially inject the payload. The stored payload then executes when any administrator accesses the settings, compromising the admin session. This makes even low-privilege account compromise a serious risk.

Does updating the plugin automatically remove already-injected payloads?

No. Patching the plugin prevents future injection, but any malicious script already stored in the WordPress database will remain unless manually removed. After updating, you must inspect and clean the database to remove any existing XSS payloads. Use your database management tool or a security plugin to query wp_options and other relevant tables for suspicious JavaScript or HTML fragments related to WP-Paginate settings.

How can I detect if my site has been compromised by this vulnerability?

Check WordPress admin activity logs and database query logs for unusual POST requests to the WP-Paginate settings page, especially from low-privilege or unfamiliar user accounts. Use a WordPress security plugin to scan for stored XSS indicators and review recent admin user creation or role changes. Examine the WP-Paginate preset option in the wp_options database table for encoded or obfuscated JavaScript. Also monitor for unexpected admin-level actions such as plugin installations or theme changes that may have occurred after the payload was injected.

Is there a way to mitigate this if I cannot patch immediately?

As a short-term measure, restrict access to the WP-Paginate settings page using a WordPress capability manager or role editor plugin, limiting it to a single trusted administrator account. Implement Web Application Firewall (WAF) rules to block requests with JavaScript or HTML patterns in the preset parameter. Enable two-factor authentication (2FA) on all admin accounts to reduce session hijacking risk. Regularly audit user accounts and activity logs. However, these are temporary controls; patching should be your primary goal.

This analysis is provided for informational purposes and should not be construed as legal advice or a guarantee of security. CVE-2021-47982 details are based on available public information as of the publication date. Vulnerability scoring, affected product lists, and patch availability are subject to change. Organizations should verify patch version numbers and availability directly with the WP-Paginate vendor or the official WordPress plugin repository before deployment. SEC.co does not guarantee the completeness or accuracy of exploit details or detection signatures and recommends testing all security controls in a non-production environment before enterprise deployment. Always follow your organization's change management and testing procedures when applying security patches. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).