CVE-2026-7660 is a reflected cross-site scripting (XSS) vulnerability in the Easy Updates Manager WordPress plugin, versions up to and including 9.0.20. The sink is in the admin pagination of the Updates Options plugins tab: when the request carries action=eum_ajax, the paged request parameter is reflected into the value attribute of the current-page input without attribute-context escaping, so a value containing a quote terminates the attribute and appends a browser event-handler attribute to the control. Exploitation requires an administrator, or another user with update-management access, to open a crafted admin URL, so the practical risk is script execution in the WordPress dashboard in the context of a privileged user.
| Field | Value |
| --- | --- |
| CVE | CVE-2026-7660 |
| Plugin version | Easy Updates Manager <= 9.0.20, fixed in 9.0.21 |
| All-time downloads | 7,924,400 |
| Active installations | 300,000+ |
| Publicly published | May 27, 2026 |
| Last updated | May 28, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://www.cve.org/CVERecord?id=CVE-2026-7660 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stops-core-theme-and-plugin-updates/easy-updates-manager-9020-reflected-cross-site-scripting-via-paged-parameter |
Timeline
| Date | Event |
| --- | --- |
| April 10, 2026 | Plugin testing and vulnerability detection in Easy Updates Manager completed |
| May 13, 2026 | The plugin author released version 9.0.21, which adds input validation and output escaping, following responsible disclosure |
| May 27, 2026 | Public vulnerability publication by Wordfence |
| May 28, 2026 | CVE-2026-7660 record published |
Discovery of the Vulnerability
The vulnerable surface is the Easy Updates Manager admin page at wp-admin/index.php?page=mpsum-update-options&tab=plugins when the request also carries action=eum_ajax. The flaw sits in the pagination markup of the plugin list view: the current page number is taken from the paged request parameter and written into the value attribute of the current-page input without escaping for the attribute context.
sanitize_text_field() is useful for cleaning up free text (it strips tags, collapses whitespace and removes percent-encoded octets), but it leaves quote characters untouched and is therefore not a substitute for esc_attr() when a value is printed inside an HTML attribute. In vulnerable versions, a paged value containing a single quote terminates the intended value attribute, and whatever follows is parsed as further attributes of the pagination input, including browser event handlers. The sink is easier to reach when the plugin list spans more than one page, for example on a site with more than 100 installed plugins or with a lower per-page setting.
Understanding of Reflected XSS attacks
Reflected XSS in a WordPress admin page usually depends on getting a logged-in user to open a crafted dashboard URL. The payload is not stored on the server: it is reflected from the request into the page response and runs only in the browser that opens the link.
The role requirement narrows the set of possible victims, but the users who remain are highly privileged. A script running in the dashboard origin can read and modify the current admin page and send same-origin requests with that user's session. For this reason, output escaping bugs in admin screens should still be treated seriously even when the vulnerable page is not public.
Exploiting the Reflected XSS Vulnerability
To demonstrate CVE-2026-7660, open the Easy Updates Manager plugins tab as an administrator and load the crafted dashboard URL:
POC:
http://138.124.55.33/wp-admin/index.php?page=mpsum-update-options&tab=plugins&action=eum_ajax&paged=1%27+onmouseover%3Dalert%281%29%2F%2F____
The payload closes the single-quoted value attribute with %27, injects an onmouseover handler that calls alert(1), and uses // to turn the remainder of the original attribute into a JavaScript comment so the handler stays syntactically valid. An alert is used only to confirm that attacker-controlled content reaches an attribute context in the affected pagination control; the proof of concept is non-destructive.
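As an added check that is not part of the original advisory or the plugin, the following PHP command-line script sends a harmless canary (a single quote, no event handler) through the same request shape as the PoC and reports whether the site reflects it raw, escaped, or not at all. The file name, function names, base URL and admin cookie are assumptions.

```php
<?php
// Added example, not part of the original advisory or the plugin. Sends a harmless canary
// (a single quote, no event handler) in the paged parameter and reports how the site
// reflects it. Base URL and admin cookie are supplied on the command line (assumptions);
// run only against a site you are authorised to test:
//   php eum-reflect-check.php https://example.test 'wordpress_logged_in_XXX=...'

const EUM_CANARY = "2'eumcanary";

// Builds the same request shape as the PoC, with the canary in place of the alert payload.
// http_build_query() encodes the quote as %27, exactly as in the PoC URL.
function eum_build_check_url( $base ) {
    return rtrim( $base, '/' ) . '/wp-admin/index.php?' . http_build_query( array(
        'page'   => 'mpsum-update-options',
        'tab'    => 'plugins',
        'action' => 'eum_ajax',
        'paged'  => EUM_CANARY,
    ) );
}

// Fetches the admin page with the supplied cookie header; returns the body or false.
function eum_fetch( $url, $cookie ) {
    $ctx = stream_context_create( array( 'http' => array(
        'method'        => 'GET',
        'header'        => "Cookie: {$cookie}\r\n",
        'ignore_errors' => true, // keep the body on non-200 responses
        'timeout'       => 15,
    ) ) );
    return @file_get_contents( $url, false, $ctx );
}

// Classifies the reflection:
//   raw         - the quote came back unencoded inside the page: attribute breakout is possible
//   escaped     - the quote came back as &#039; or &#39;: esc_attr() or equivalent is in place
//   absent      - the canary text is gone: the value was validated to an integer, or the
//                 pagination control was not rendered (e.g. a single-page plugin list)
//   no-response - the request failed
function eum_classify_reflection( $body ) {
    if ( false === $body ) {
        return 'no-response';
    }
    if ( false !== strpos( $body, "2'eumcanary" ) ) {
        return 'raw';
    }
    if ( preg_match( '/2&#0?39;eumcanary/', $body ) ) {
        return 'escaped';
    }
    return 'absent';
}

if ( PHP_SAPI === 'cli' ) {
    if ( $argc < 3 ) {
        fwrite( STDERR, "usage: php {$argv[0]} <base-url> <admin-cookie-header-value>\n" );
        exit( 64 );
    }
    $verdict = eum_classify_reflection( eum_fetch( eum_build_check_url( $argv[1] ), $argv[2] ) );
    echo $verdict, PHP_EOL;
    exit( 'raw' === $verdict ? 2 : 0 );
}
```

A "raw" verdict means the quote survived into the HTML unencoded and deserves a look at the surrounding markup; "escaped" shows attribute escaping is in place even if the value is not validated. Because the canary sits in the pagination control, an "absent" result on a site whose plugin list fits on one page may only mean the control was not rendered, not that the version is patched; the installed plugin version remains the authoritative check.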
Recommendations for Improved Security
Site owners should update Easy Updates Manager to version 9.0.21 or later. Administrators should also avoid opening dashboard links from untrusted sources while logged in, especially links that carry unusual query parameters.
Developers should validate pagination values as integers before using them and escape every value for its final output context. For this case, paged should be normalized with absint() (or equivalent positive-integer validation) and then passed through esc_attr() before it is printed into the input value. Regression tests should cover attribute contexts, because text sanitization alone does not guarantee safe HTML output.
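The following added example is not the plugin's own code: it shows the vulnerable pattern described in the Discovery section beside the hardened pattern recommended here, plus a small regression check that parses the rendered control and rejects any on* attribute. It assumes WordPress is loaded (for instance via `wp eval-file`) so the real sanitize_text_field(), wp_unslash(), absint() and esc_attr() are available; the function names are hypothetical.

```php
<?php
// Added example, not Easy Updates Manager's code. Function names are hypothetical.
// Assumes WordPress is loaded, e.g. `wp eval-file paged-render.php`, so that
// sanitize_text_field(), wp_unslash(), absint() and esc_attr() are available.

// Vulnerable pattern: text cleanup, then unescaped output inside a single-quoted attribute.
function eum_example_render_paged_vulnerable( array $request ) {
    $paged = isset( $request['paged'] ) ? sanitize_text_field( wp_unslash( $request['paged'] ) ) : '1';
    // sanitize_text_field() strips tags and percent-encoded octets but leaves the
    // single quote untouched, so the value can terminate the attribute early.
    return "<input class='current-page' type='text' name='paged' value='" . $paged . "' size='2' />";
}

// Hardened pattern: validate as a positive integer, then escape for the attribute context.
function eum_example_render_paged_fixed( array $request ) {
    $paged = isset( $request['paged'] ) ? absint( wp_unslash( $request['paged'] ) ) : 1;
    $paged = max( 1, $paged ); // page 0 is not a valid page
    return "<input class='current-page' type='text' name='paged' value='" . esc_attr( (string) $paged ) . "' size='2' />";
}

// Regression check for attribute contexts: the rendered control must parse as exactly one
// <input> element and must not carry any on* event-handler attribute.
function eum_example_control_is_safe( $html ) {
    $doc = new DOMDocument();
    libxml_use_internal_errors( true );
    $doc->loadHTML( '<!DOCTYPE html><html><body>' . $html . '</body></html>' );
    libxml_clear_errors();
    $inputs = $doc->getElementsByTagName( 'input' );
    if ( 1 !== $inputs->length ) {
        return false;
    }
    foreach ( $inputs->item( 0 )->attributes as $attr ) {
        if ( 0 === strpos( strtolower( $attr->name ), 'on' ) ) {
            return false;
        }
    }
    return true;
}

// Constructed request mirroring the PoC query string, already URL-decoded as it appears in $_GET.
$attack = array( 'paged' => "1' onmouseover=alert(1)//____" );

$renderers = array(
    'vulnerable' => 'eum_example_render_paged_vulnerable',
    'fixed'      => 'eum_example_render_paged_fixed',
);
foreach ( $renderers as $label => $fn ) {
    $html = $fn( $attack );
    printf( "%-11s %s\n", $label . ':', $html );
    printf( "%-11s %s\n", '', eum_example_control_is_safe( $html ) ? 'no event handler injected' : 'event handler injected' );
}
```

With the PoC value, the vulnerable renderer emits the value attribute terminated by the injected quote, followed by an onmouseover attribute that the parser attaches to the input, and the check fails; the hardened renderer collapses the value to 1 through absint() and the check passes. The check parses the output with DOMDocument rather than grepping for strings so that it catches any attribute breakout, not just the one payload in the PoC.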
By taking proactive measures to address Reflected XSS like CVE-2026-7660, WordPress website owners can reduce risk in privileged admin workflows and keep update management safe. Stay vigilant, stay secure.
#WordPressSecurity #ReflectedXSS #WebsiteSafety #StayProtected #MediumVulnerability
