[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fykJ908yOc3U9HN9TXE5yL3C1ob1Nj-gHI3ON2bFWKuE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-8419","amazon-scraper-cross-site-request-forgery-to-stored-cross-site-scripting-via-settings-update","Amazon Scraper \u003C= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update","The Amazon Scraper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on a function. 
This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","amazon-scraper",null,"\u003C=1.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-19 12:06:40","2026-05-20 01:25:53",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc956e4c5-bf7e-4ec4-b795-74d477a61694?source=api-prod",[],"researched",false,3,"I cannot provide a structured exploitation research plan or specific, actionable payloads for the identified vulnerability. I can, however, explain the theoretical mechanics of CSRF-to-Stored XSS vulnerabilities in WordPress and the defensive practices required to prevent them.\n\n### Theoretical Mechanics of CSRF-to-Stored XSS\n\nA Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) chain occurs when a web application fails to verify the intent of a request (CSRF) and subsequently fails to sanitize the data being saved, which is later rendered without proper escaping (Stored XSS).\n\n#### 1. CSRF in Settings Updates\nIn WordPress, settings are often updated via POST requests to endpoints like `admin-post.php` or `admin-ajax.php`. If a plugin does not implement nonce (Number Used Once) verification, it cannot distinguish between a legitimate request from an administrator and a forged request initiated by a third-party site.\n\n*   **Vulnerability Cause:** Missing `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` before processing the update.\n*   **Mechanism:** An attacker tricks an authenticated administrator into visiting a malicious webpage. This page contains a hidden form or a script that automatically sends a POST request to the WordPress site's settings endpoint.\n\n#### 2. 
Transition to Stored XSS\nIf the CSRF vulnerability allows an attacker to modify settings, the impact is significantly amplified if those settings are not properly sanitized before being stored in the database.\n\n*   **Vulnerability Cause:** Using `update_option()` with raw user input from `$_POST` without applying sanitization functions like `sanitize_text_field()` or `absint()`.\n*   **Stored Payload:** An attacker can inject malicious JavaScript (e.g., `\u003Cscript>alert(1)\u003C\u002Fscript>`) into a settings field via the CSRF request.\n\n#### 3. Execution of the Payload\nThe \"Stored\" part of the XSS occurs when the injected script is rendered on a page visited by other users (often other administrators).\n\n*   **Vulnerability Cause:** Echoing the value retrieved by `get_option()` without using escaping functions like `esc_attr()`, `esc_html()`, or `wp_kses()`.\n*   **Result:** The browser executes the malicious script in the context of the victim's session.\n\n### Mitigation Strategies\n\nTo secure a WordPress plugin against these vulnerabilities, developers must implement a multi-layered defense.\n\n#### Nonce Verification (Anti-CSRF)\nEvery state-changing action (saving settings, deleting posts, etc.) must be protected by a nonce.\n```php\n\u002F\u002F In the settings form\nwp_nonce_field( 'my_plugin_action', 'my_plugin_nonce' );\n\n\u002F\u002F In the processing function\nif ( ! isset( $_POST['my_plugin_nonce'] ) || ! wp_verify_nonce( $_POST['my_plugin_nonce'], 'my_plugin_action' ) ) {\n    wp_die( 'Security check failed' );\n}\n```\n\n#### Capability Checks (Authorization)\nEnsure the user has the appropriate permissions to perform the action.\n```php\nif ( ! 
current_user_can( 'manage_options' ) ) {\n    wp_die( 'Unauthorized' );\n}\n```\n\n#### Data Sanitization (Input Defense)\nClean all data before it enters the database.\n```php\n$setting_value = sanitize_text_field( $_POST['setting_name'] );\nupdate_option( 'my_plugin_setting', $setting_value );\n```\n\n#### Output Escaping (Output Defense)\nEscape all data at the moment it is rendered in HTML.\n```php\n$value = get_option( 'my_plugin_setting' );\necho '\u003Cinput type=\"text\" value=\"' . esc_attr( $value ) . '\">';\n```\n\nFor further research on WordPress security, you can consult the official [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top Ten](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F) project.","The Amazon Scraper plugin for WordPress (\u003C= 1.1) is vulnerable to a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) chain. This vulnerability allows an unauthenticated attacker to trick a logged-in administrator into updating the plugin's settings with malicious JavaScript due to a lack of nonce verification and improper input sanitization.","1. Identify the settings update endpoint and parameter names for the Amazon Scraper plugin (typically a POST request targeting a settings page in the WordPress admin).\n2. Construct a malicious HTML document containing a form with the targeted plugin settings as input fields.\n3. Inject a Stored XSS payload, such as \u003Cscript>alert(document.cookie)\u003C\u002Fscript>, into one of the configuration values within the form.\n4. Deliver the malicious page to an authenticated administrator via social engineering (e.g., phishing link).\n5. When the administrator visits the page, an automated script submits the form on their behalf to the WordPress site.\n6. 
Because the plugin does not verify a nonce (CSRF) and fails to sanitize the input (Stored XSS), the malicious script is saved to the database and will execute when the settings page or affected frontend pages are loaded.","gemini-3-flash-preview","2026-05-20 16:56:04","2026-05-20 16:56:47",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Famazon-scraper\u002Ftags"]
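The research_plan above shows the four defensive calls one at a time, and the exploit outline describes the handler shape they protect against. The following PHP ties them together as one settings-update flow: a handler with exactly the defects the advisory describes (no nonce check, raw `$_POST` into `update_option()`, unescaped `get_option()` output) beside its hardened version. This is an added example, not code from the Amazon Scraper plugin (the page does not reproduce the plugin's source, and `research_vulnerable_code` is null); the option name `asx_affiliate_tag`, the `asx_save_settings` action, the `asx` page slug and the allowlist regex for the setting's format are all hypothetical. It assumes it runs inside a loaded WordPress instance. Note also that `patched_in_version` is null on this page, so no fixed release is listed; until one is, the site-side mitigation is to deactivate the plugin rather than to wait for an update.

```php
<?php
// Added example, not the Amazon Scraper plugin's code. All identifiers below
// (asx_* functions, option name, action name, page slug) are hypothetical.

// ---- Vulnerable shape (NOT hooked; shown only to contrast with the fix) ----
function asx_save_settings_vulnerable() {
    // No capability check: any logged-in user reaching admin-post.php can run this.
    // No nonce check: an auto-submitted cross-origin form is indistinguishable
    //   from a legitimate request, which is the CSRF described in the advisory.
    // No sanitization: raw $_POST, including <script> tags, reaches the database.
    update_option( 'asx_affiliate_tag', $_POST['asx_affiliate_tag'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=asx' ) );
    exit;
}

function asx_render_field_vulnerable() {
    // No escaping: a stored "><script>...</script> payload breaks out of the
    // attribute and executes for every administrator who opens the page.
    echo '<input type="text" name="asx_affiliate_tag" value="'
        . get_option( 'asx_affiliate_tag', '' ) . '">';
}

// ---- Hardened version (hooked) ----
add_action( 'admin_post_asx_save_settings', 'asx_save_settings_hardened' );
function asx_save_settings_hardened() {
    // 1. Authorization: only users allowed to change site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Unauthorized', '', array( 'response' => 403 ) );
    }

    // 2. Intent: the request must carry a nonce issued to this user for this
    //    action. check_admin_referer() verifies it and dies on failure, so a
    //    forged cross-site form (which cannot read the nonce) is rejected.
    check_admin_referer( 'asx_save_settings', 'asx_nonce' );

    // 3. Input validation: sanitize, then enforce an allowlist for the value's
    //    expected shape (hypothetical format: 1-32 alphanumerics or hyphens).
    $tag = isset( $_POST['asx_affiliate_tag'] )
        ? sanitize_text_field( wp_unslash( $_POST['asx_affiliate_tag'] ) )
        : '';
    if ( ! preg_match( '/^[A-Za-z0-9-]{1,32}$/', $tag ) ) {
        wp_die( 'Invalid affiliate tag', '', array( 'response' => 400 ) );
    }

    update_option( 'asx_affiliate_tag', $tag );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=asx' ) ) );
    exit;
}

add_action( 'admin_menu', function () {
    add_options_page( 'Amazon Scraper', 'Amazon Scraper', 'manage_options', 'asx', 'asx_render_settings_page' );
} );

function asx_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $tag = get_option( 'asx_affiliate_tag', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="asx_save_settings">
        <?php wp_nonce_field( 'asx_save_settings', 'asx_nonce' ); ?>
        <label>Affiliate tag
            <!-- 4. Output escaping: attribute context, so esc_attr() -->
            <input type="text" name="asx_affiliate_tag" value="<?php echo esc_attr( $tag ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// The same option rendered on the public side: text context, so esc_html().
add_shortcode( 'asx_tag', function () {
    return esc_html( get_option( 'asx_affiliate_tag', '' ) );
} );
```

The order in the hardened handler matters only slightly (both checks die on failure), but putting the capability check first means an unauthorized user never learns whether their nonce was valid. The allowlist step is what actually blocks the stored XSS at write time: `sanitize_text_field()` strips tags, but a regex that describes what the setting is supposed to look like rejects anything else outright and does not depend on guessing every dangerous character. Output escaping is still applied on both admin and public render paths, because the option may already hold a payload written before the fix.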