Royal WordPress Backup & Restore Plugin Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Royal WordPress Backup & Restore Plugin, affecting all versions through 1.0.16. The issue arises from inadequate input validation in the 'wpr_pending_template' parameter, allowing unauthenticated attackers to inject arbitrary web scripts. These scripts could be executed if an administrator is tricked into clicking a link.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user.

Reproduction

To reproduce this vulnerability, send a request to a page that includes the 'wpr_pending_template' parameter with injected script content. If an administrator clicks the link, the script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update the plugin to version 1.0.17 or a newer patched version.