{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4305", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-16T20:37:11.594Z", "datePublished": "2026-04-10T01:25:00.917Z", "dateUpdated": "2026-04-13T15:15:09.194Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-10T01:25:00.917Z"}, "affected": [{"vendor": "wproyal", "product": "Royal WordPress Backup, Restore & Migration Plugin \u2013 Backup WordPress Sites Safely", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpr_pending_template' parameter in all versions up to, and including, 1.0.16 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link."}], "title": "Royal WordPress Backup & Restore Plugin <= 1.0.16 - Reflected Cross-Site Scripting via 'wpr_pending_template' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9e0c658-b37c-4780-9589-6def9e36539b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-backup-reset/tags/1.0.16/royal-backup-reset.php#L803"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-backup-reset/tags/1.0.16/assets/backup-reminder.js#L751"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Froyal-backup-reset/tags/1.0.16&new_path=%2Froyal-backup-reset/tags/1.0.17"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abi Wiranata"}], "timeline": [{"time": "2026-04-09T12:23:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4305", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:08:42.377292Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:15:09.194Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4305", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:08:42.377292Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:11:48.506Z"}}], "cna": {"title": "Royal WordPress Backup & Restore Plugin <= 1.0.16 - Reflected Cross-Site Scripting via 'wpr_pending_template' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Abi Wiranata"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wproyal", "product": "Royal WordPress Backup, Restore & Migration Plugin \u2013 Backup WordPress Sites Safely", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-09T12:23:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9e0c658-b37c-4780-9589-6def9e36539b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-backup-reset/tags/1.0.16/royal-backup-reset.php#L803"}, {"url": "https://plugins.trac.wordpress.org/browser/royal-backup-reset/tags/1.0.16/assets/backup-reminder.js#L751"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Froyal-backup-reset/tags/1.0.16&new_path=%2Froyal-backup-reset/tags/1.0.17"}], "descriptions": [{"lang": "en", "value": "The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpr_pending_template' parameter in all versions up to, and including, 1.0.16 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-10T01:25:00.917Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4305", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:15:09.194Z", "dateReserved": "2026-03-16T20:37:11.594Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-10T01:25:00.917Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpr_pending_template' parameter in all versions up to, and including, 1.0.16 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link."}], "id": "CVE-2026-4305", "lastModified": "2026-04-24T18:01:58.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-10T02:16:03.397", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/royal-backup-reset/tags/1.0.16/assets/backup-reminder.js#L751"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/royal-backup-reset/tags/1.0.16/royal-backup-reset.php#L803"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Froyal-backup-reset/tags/1.0.16&new_path=%2Froyal-backup-reset/tags/1.0.17"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9e0c658-b37c-4780-9589-6def9e36539b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.16]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Royal WordPress Backup, Restore & Migration Plugin \u2013 Backup WordPress Sites Safely", "source": "cna", "vendor": "wproyal"}, "product": "royal_wordpress_backup,_restore_&_migration_plugin_\u2013_backup_wordpress_sites_safely", "vendor": "wproyal"}], "analysis": {"en": {"generated_at": "2026-04-10T02:20:40.022766+00:00", "value": {"mitigation_remediation": ["Update the Royal WordPress Backup & Restore Plugin to version 1.0.17 or newer", "Verify that the updated plugin is deployed and that the site no longer reflects the malicious input", "If an immediate update is not possible, modify the plugin or disable the wpr_pending_template parameter until a fix can be applied"], "summary": {"action": "Immediate Patch", "impact": "Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "All releases of the Royal WordPress Backup & Restore Plugin distributed by wproyal, under the name Royal WordPress Backup, Restore & Migration Plugin \u2013 Backup WordPress Sites Safely, until the release of version 1.0.17, are vulnerable. Administrators who are currently using any of these affected versions should push the update as soon as possible.", "description_and_impact": "The Royal WordPress Backup & Restore Plugin for WordPress contains a reflected cross\u2011site scripting flaw caused by inadequate validation of the wpr_pending_template parameter in all versions up to and including 1.0.16. Malicious input supplied via this parameter is echoed back into page content without proper escaping, allowing an attacker to execute arbitrary JavaScript in an administrator\u2019s browser. This can enable cookie theft, session hijacking, or site defacement.", "risk_and_exploitability": "The CVSS score for this vulnerability is 6.1, which indicates a moderate severity. An attacker does not need authentication; any user who receives a crafted link containing the wpr_pending_template parameter can trigger the flaw. EPSS data is unavailable and the issue is not listed in CISA\u2019s KEV catalog, but the straightforward web\u2011based attack path means the risk remains real for sites that have not applied the latest patch."}}}}, "created": "2026-04-10T08:36:06.063766+00:00", "updated": "2026-04-10T09:27:06.318622+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wproyal", "wproyal$PRODUCT$royal_wordpress_backup,_restore_&_migration_plugin_\u2013_backup_wordpress_sites_safely"]}