CVE-2026-0681 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Extended Random Number Generator plugin for WordPress, affecting all versions up to and including 1.1. The flaw arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient input sanitization and output escaping in the plugin's settings interface. This vulnerability is exploitable only in multi-site WordPress installations where the unfiltered_html capability is disabled, and requires an attacker to have authenticated administrator-level privileges. An attacker with such access can inject arbitrary JavaScript code into plugin settings, which is then stored and executed whenever any user visits the affected pages. This can lead to session hijacking, theft of sensitive information, or further privilege escalation within the WordPress environment. The vulnerability has a CVSS 3.1 base score of 4.4 (medium severity), reflecting that exploitation requires high privileges (PR:H), no user interaction (UI:N), network attack vector (AV:N), and impacts confidentiality and integrity with limited scope. No known public exploits or patches are currently available, increasing the importance of proactive mitigation. The vulnerability specifically targets the Extended Random Number Generator plugin, which is a niche plugin but may be used in specialized WordPress multi-site deployments.

For European organizations, this vulnerability poses a moderate risk primarily to multi-site WordPress deployments using the Extended Random Number Generator plugin. The requirement for administrator-level access limits the attack surface to insiders or compromised admin accounts, but successful exploitation can lead to unauthorized disclosure of sensitive data and potential further compromise of the WordPress environment. Confidentiality and integrity of user sessions and data can be impacted, potentially exposing personal data protected under GDPR. Although availability is not affected, the reputational damage and compliance risks from data leakage could be significant. Organizations running multi-site WordPress installations with this plugin, especially those hosting multiple client sites or internal portals, are at higher risk. The lack of patches means that mitigation must rely on access control and monitoring until a fix is released.

1. Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce the risk of credential compromise. 2. Audit all multi-site WordPress installations to identify usage of the Extended Random Number Generator plugin and assess whether unfiltered_html is disabled. 3. Temporarily disable or remove the plugin in multi-site environments if feasible until a patch is available. 4. Implement manual input validation and output escaping for plugin settings if plugin code can be safely modified by qualified developers. 5. Monitor WordPress logs and plugin settings for suspicious changes or injected scripts. 6. Educate administrators about the risks of injecting arbitrary content and the importance of secure plugin management. 7. Keep WordPress core and all plugins updated and subscribe to vendor advisories for timely patch releases. 8. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting plugin settings pages.