CVE-2026-0681 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Extended Random Number Generator plugin developed by rtddev for WordPress. The flaw exists due to improper neutralization of input during web page generation, specifically in the plugin's settings interface. All versions up to and including 1.1 are affected. The vulnerability manifests when authenticated users with administrator-level access input data into plugin settings fields that are not properly sanitized or escaped before being rendered on web pages. This allows injection of arbitrary JavaScript code that executes in the context of any user viewing the affected pages. The vulnerability is constrained to multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting the attack surface. The CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) indicates that the attack requires network access, high attack complexity, and administrator privileges, with no user interaction needed. The scope is changed because the vulnerability affects multiple components or privileges. The impact is limited to partial confidentiality and integrity loss without affecting availability. No patches or known exploits have been reported at the time of publication, but the vulnerability poses a risk of persistent script injection, which could lead to session hijacking, defacement, or further privilege escalation if chained with other vulnerabilities.

The primary impact of CVE-2026-0681 is the potential for persistent Cross-Site Scripting attacks within WordPress multi-site environments using the Extended Random Number Generator plugin. Successful exploitation could allow attackers with administrator privileges to inject malicious scripts that execute in the browsers of users visiting affected pages. This can lead to theft of session cookies, user impersonation, unauthorized actions performed on behalf of users, and potential spread of malware. Although the vulnerability requires high privileges to exploit, the persistence of injected scripts increases the risk to all users accessing the compromised pages. Organizations relying on multi-site WordPress setups with this plugin may face reputational damage, data confidentiality breaches, and increased risk of further exploitation if attackers leverage this vulnerability as part of a larger attack chain. The limited availability of exploits and the medium severity score reduce the immediate threat level, but the vulnerability remains a significant concern for affected environments.

To mitigate CVE-2026-0681, organizations should first verify if they are running multi-site WordPress installations with the Extended Random Number Generator plugin version 1.1 or earlier. Immediate steps include: 1) Restrict administrator access strictly to trusted personnel to reduce the risk of malicious input. 2) Disable or limit the use of the plugin if possible until a patch or update is available. 3) Implement Web Application Firewall (WAF) rules that detect and block suspicious script injection attempts targeting plugin settings pages. 4) Monitor logs and audit plugin settings changes for unusual or unauthorized modifications. 5) Educate administrators on safe input practices and the risks of injecting scripts. 6) Follow the plugin vendor’s updates closely and apply patches promptly once released. 7) Consider enabling content security policies (CSP) to reduce the impact of injected scripts. 8) For environments where unfiltered_html is enabled, review and adjust permissions to prevent unauthorized script insertion. These targeted actions go beyond generic advice by focusing on the specific conditions and attack vectors of this vulnerability.