[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRhy0ssWoy1ovtzWKph7RidtDITLB-VLd-tp4er2P5sc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-1706","all-in-one-video-gallery-reflected-cross-site-scripting-via-vi-parameter","All-in-One Video Gallery \u003C= 4.7.1 - Reflected Cross-Site Scripting via 'vi' Parameter","The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' parameter in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","all-in-one-video-gallery",null,"\u003C=4.7.1","4.7.5","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-03 20:24:19","2026-03-04 09:24:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbcaff8ab-2db9-4d91-9b7a-f7f49f5952b9?source=api-prod",1,[22,23,24,25,26,27,28,29],"README.txt","admin\u002Fadmin.php","admin\u002Fsettings.php","admin\u002Fvideos.php","all-in-one-video-gallery.php","blocks\u002Fblocks.php","blocks\u002Fbuild\u002Fvideo\u002Findex.asset.php","blocks\u002Fbuild\u002Fvideo\u002Findex.js","researched",false,3,"This plan outlines the steps to research and exploit a Reflected Cross-Site Scripting (XSS) vulnerability in the All-in-One Video Gallery WordPress plugin (version 4.7.1).\n\n### 1. Vulnerability Summary\n* **Vulnerability:** Reflected Cross-Site Scripting (XSS)\n* **Parameter:** `vi` (GET parameter)\n* **Affected Versions:** \u003C= 4.7.1\n* **Cause:** The plugin fails to sufficiently sanitize or escape the `vi` query parameter when rendering it back onto the page, typically within a gallery or video player context.\n* **Sink:** The value is likely reflected into a JavaScript variable or a hidden input field used to track the currently active video in a gallery.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** Any public-facing page containing an All-in-One Video Gallery shortcode (e.g., `[aiovg_video]`, `[aiovg_videos]`, or `[aiovg_gallery]`) or the default video archive\u002Fsingle pages.\n* **Payload Carrier:** URL Query Parameter `vi`.\n* **Authentication:** Unauthenticated (PR:N).\n* **Preconditions:** \n 1. The plugin must be active.\n 2. At least one video (`aiovg_videos` post type) should exist to ensure gallery\u002Fplayer components render.\n 3. A page must exist that displays a gallery or player.\n\n### 3. Code Flow (Inferred)\n1. **Request Handling:** A user accesses a URL like `http:\u002F\u002Fwp-dist.dev.local\u002F?aiovg_videos=1&vi=PAYLOAD`.\n2. **Shortcode Processing:** The plugin's shortcode handler (likely in `public\u002F` files, not provided but inferred from `blocks\u002Fblocks.php` references to shortcode fields) executes.\n3. **Input Acquisition:** The code retrieves the value using `$_GET['vi']`.\n4. **Template Rendering:** The plugin generates HTML\u002FJavaScript to handle video navigation. It uses the `vi` value to identify which video to highlight or play.\n5. **Vulnerable Sink:** The value is echoed without `esc_attr()`, `esc_js()`, or `esc_html()`.\n * *Candidate Sink A (JavaScript):* `var current_video = '\u003C?php echo $_GET['vi']; ?>';`\n * *Candidate Sink B (HTML Attribute):* `\u003Cdiv class=\"aiovg\" data-vi=\"\u003C?php echo $_GET['vi']; ?>\">`\n\n### 4. Nonce Acquisition Strategy\nReflected XSS via a `GET` parameter in the public frontend typically **does not require a nonce**. Nonces in WordPress are primarily used for state-changing operations (CSRF protection). Since this is a reflection during page generation, the `vi` parameter is treated as a navigation state and is usually processed before any nonce check would occur.\n\n**Verification Step:** If the agent encounters a `403 Forbidden` or a \"nonce check failed\" message, it should search the page source for localized variables (e.g., `aiovg_ajax` or `aiovg_vars`) using `browser_eval(\"window.aiovg_ajax\")`.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate script execution by breaking out of the context where `vi` is reflected.\n\n1. **Discovery Phase:**\n * Navigate to a gallery page with a unique canary: `?vi=XSS_CANARY_123`.\n * View page source and locate `XSS_CANARY_123`.\n * Identify the surrounding context (e.g., inside `\u003Cscript>` tags, inside a `value=\"\"` attribute, or as raw text).\n\n2. **Payload Crafting:**\n * **Context: HTML Attribute** (e.g., `value=\"PAYLOAD\"`)\n * Payload: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n * **Context: JavaScript String** (e.g., `var id = 'PAYLOAD';`)\n * Payload: `';alert(document.domain);\u002F\u002F`\n\n3. **Execution Phase:**\n * Use the `http_request` tool to send a GET request to the target page with the crafted `vi` parameter.\n * Use `browser_navigate` to the URL to confirm the script executes in a real browser environment.\n\n### 6. Test Data Setup\nBefore testing, the environment must be prepared:\n\n1. **Create a Video Post:**\n ```bash\n wp post create --post_type=aiovg_videos --post_title=\"Test Video\" --post_status=publish\n ```\n2. **Create a Gallery Page:**\n ```bash\n wp post create --post_type=page --post_title=\"Gallery\" --post_content='[aiovg_videos]' --post_status=publish\n ```\n3. **Identify the URL:** The page will likely be at `http:\u002F\u002Fwp-dist.dev.local\u002Fgallery\u002F`.\n\n### 7. Expected Results\n* **Discovery:** The string `XSS_CANARY_123` is found in the response body.\n* **Exploitation:** When visiting the URL with the payload, the browser should execute the JavaScript.\n* **Response Body Snippet (Example):**\n ```html\n \u003Cdiv class=\"aiovg-player\" data-params='{\"vi\":\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\", ...}'>\n ```\n\n### 8. Verification Steps\n1. **HTTP Check:** Use `http_request` to fetch the page with the payload and verify that the payload characters (like `\u003C` and `>`) are NOT HTML-encoded in the sink.\n ```python\n # Example logic for agent\n resp = http_request(\"http:\u002F\u002Fwp-dist.dev.local\u002Fgallery\u002F?vi=\\\">\u003Cscript>alert(1)\u003C\u002Fscript>\")\n if \"\\\">\u003Cscript>alert(1)\u003C\u002Fscript>\" in resp['body']:\n print(\"Vulnerability Confirmed: Unescaped reflection found.\")\n ```\n2. **Browser Execution:** Use `browser_navigate` and check for an alert dialog or a side effect (like writing to `window.hacked = 1`).\n\n### 9. Alternative Approaches\nIf `[aiovg_videos]` does not reflect the parameter, try other shortcodes or default archive pages:\n* **Archive Page:** `http:\u002F\u002Fwp-dist.dev.local\u002Faiovg_videos\u002F?vi=PAYLOAD`\n* **Search Page:** The plugin provides a search widget\u002Fblock. Use the search form and check if `vi` is reflected in the search results URL or hidden fields.\n* **Breadcrumbs:** Check if the plugin uses `vi` to build breadcrumb links on single video pages.","The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' query parameter in versions up to 4.7.1. This is caused by insufficient input sanitization and output escaping when reflecting the parameter value into the page, allowing unauthenticated attackers to execute arbitrary JavaScript in the user's browser context.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fall-in-one-video-gallery\u002F4.7.1\u002Fadmin\u002Fadmin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fall-in-one-video-gallery\u002F4.7.5\u002Fadmin\u002Fadmin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fall-in-one-video-gallery\u002F4.7.1\u002Fadmin\u002Fadmin.php\t2026-01-17 11:23:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fall-in-one-video-gallery\u002F4.7.5\u002Fadmin\u002Fadmin.php\t2026-02-25 12:57:34.000000000 +0000\n@@ -76,6 +76,10 @@\n \t\t\t\t$new_player_settings['hide_youtube_logo'] = $defaults['aiovg_player_settings']['hide_youtube_logo'];\n \t\t\t}\n \n+\t\t\tif ( ! array_key_exists( 'statistics', $player_settings ) ) {\n+\t\t\t\t$new_player_settings['statistics'] = $defaults['aiovg_player_settings']['statistics'];\n+\t\t\t}\n+\n \t\t\tif ( count( $new_player_settings ) ) {\n \t\t\t\tupdate_option( 'aiovg_player_settings', array_merge( $player_settings, $new_player_settings ) );\n \t\t\t}\t\t\t\t\t\t\n@@ -360,6 +364,9 @@\n \n \t\t\t\u002F\u002F Remove the unfiltered_html capability from editors\n \t\t\taiovg_remove_unfiltered_html_capability_from_editors();\n+\n+\t\t\t\u002F\u002F Force rewrite rules flush on next load\n+ \tdelete_option( 'aiovg_rewrite_rules_flushed' );\n \t\t}\n \t}\t\t\n \n@@ -1063,6 +1070,100 @@\n \t}\n \n \t\u002F**\n+ * Flags rewrite rules for flushing on the next request when relevant options change.\n+ *\n+ * @since 4.7.3\n+ * @param string $option Option name being updated.\n+ * @param mixed $old Previous option value.\n+ * @param mixed $value Updated option value.\n+ *\u002F\n+ public function force_rewrite_rules_on_settings_update( $option, $old, $value ) {\n+ if ( in_array( $option, array( 'aiovg_page_settings', 'aiovg_permalink_settings' ), true ) ) {\n+ \u002F\u002F Force rewrite rules flush on next load\n+ delete_option( 'aiovg_rewrite_rules_flushed' );\n+ }\n+ }\n+\n+\t\u002F**\n+ * Flags rewrite rules for flushing when an assigned AIOVG page\n+ * or its translation is updated.\n+ *\n+ * @since 4.7.3\n+ * @param int $post_id Post ID.\n+ * @param WP_Post $post Post object.\n+ * @param bool $update Whether this is an existing post update.\n+ *\u002F\n+ public function force_rewrite_rules_on_page_update( $post_id, $post, $update ) {\n+ \u002F\u002F Avoid autosaves & revisions\n+ if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {\n+ return;\n+ }\n+\n+ \u002F\u002F Only act on updates (not new pages)\n+ if ( ! $update ) {\n+ return;\n+ }\n+\n+ \u002F\u002F Defensive capability check\n+ if ( ! current_user_can( 'edit_page', $post_id ) ) {\n+ return;\n+ }\n+\n+ $page_settings = aiovg_get_option( 'aiovg_page_settings' );\n+\t\t$permalink_settings = aiovg_get_option( 'aiovg_permalink_settings' );\n+\n+\t\tif ( ! empty( $permalink_settings['video_archive_page'] ) ) {\n+\t\t\t$page_settings['video_archive_page'] = (int) $permalink_settings['video_archive_page'];\n+\t\t}\n+\n+ if ( empty( $page_settings ) ) {\n+ return;\n+ }\n+\n+ \u002F\u002F Normalize assigned page IDs\n+ $assigned_pages = array_map( 'intval', $page_settings );\n+\n+ \u002F\u002F Direct Match (Fast Path)\n+ if ( in_array( (int) $post_id, $assigned_pages, true ) ) {\n+ delete_option( 'aiovg_rewrite_rules_flushed' );\n+ return;\n+ }\n+\n+ \u002F\u002F Check for Polylang translations\n+ if ( function_exists( 'pll_get_post_translations' ) ) {\n+ foreach ( $assigned_pages as $assigned_id ) {\n+ $translations = pll_get_post_translations( $assigned_id );\n+\n+ if ( empty( $translations ) ) {\n+ continue;\n+ }\n+\n+ if ( in_array( (int) $post_id, array_map( 'intval', $translations ), true ) ) {\n+ delete_option( 'aiovg_rewrite_rules_flushed' );\n+ return;\n+ }\n+ }\n+ }\n+\n+ \u002F\u002F Check for WPML translations (TRID-based)\n+ if ( defined( 'ICL_SITEPRESS_VERSION' ) ) {\n+ $element_type = apply_filters( 'wpml_element_type', 'page' );\n+ $current_trid = apply_filters( 'wpml_element_trid', null, $post_id, $element_type );\n+\n+ if ( ! empty( $current_trid ) ) {\n+ foreach ( $assigned_pages as $assigned_id ) {\n+ $assigned_trid = apply_filters( 'wpml_element_trid', null, $assigned_id, $element_type );\n+\n+ if ( (int) $current_trid === (int) $assigned_trid ) {\n+ delete_option( 'aiovg_rewrite_rules_flushed' );\n+ return;\n+ }\n+ }\n+ }\n+ }\n+ }","The exploit targets public-facing pages containing an All-in-One Video Gallery component, such as a gallery shortcode or the video archive page. An attacker crafts a URL with a malicious payload in the 'vi' GET parameter (e.g., `?vi=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`). When a user visits this link, the plugin retrieves the 'vi' value using `$_GET['vi']` and echoes it into the HTML (likely within a data-params attribute or a JavaScript initialization block) without proper escaping via `esc_attr()` or `esc_js()`. This causes the injected script to execute in the user's browser context. The attack requires no authentication.","gemini-3-flash-preview","2026-04-18 06:36:36","2026-04-18 06:37:06",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","4.7.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-video-gallery\u002Ftags\u002F4.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-video-gallery.4.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-video-gallery\u002Ftags\u002F4.7.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-video-gallery.4.7.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-video-gallery\u002Ftags"]