[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftlEXfC2P2tihM_bSsquObIUnZ7kzAhX7-6FdJqlX84w":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-3722","auto-image-attributes-from-filename-with-bulk-updater-add-alt-text-image-title-for-image-seo-authenticated-author-stored","Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) \u003C= 4.9 - Authenticated (Author+) Stored Cross-Site Scripting via Image Attribute","The Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment metadata in all versions up to, and including, 4.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","auto-image-attributes-from-filename-with-bulk-updater",null,"\u003C=4.9","4.9.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-01 12:44:43","2026-06-02 01:28:04",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9696fae6-39fe-4478-90e7-488b5b573fa8?source=api-prod",1,[22,23,24,25,26,27],"admin\u002Fadmin-ui-render.php","admin\u002Fbasic-setup.php","admin\u002Fcolumns-media-library.php","admin\u002Fdo.php","iaff_image-attributes-from-filename.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-3722\n\n## 1. Vulnerability Summary\nThe **Auto Image Attributes From Filename With Bulk Updater** plugin for WordPress (versions \u003C= 4.9) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin registers custom columns in the WordPress Media Library to display image attributes (Title, Alt Text, Caption, and Description) but fails to sanitize or escape the metadata before echoing it to the screen. \n\nAn authenticated attacker with **Author** level permissions or higher can modify the metadata of an image attachment (which they have permission to do by default) to include a malicious script. When an administrator views the Media Library in \"List View,\" the script executes in their browser context.\n\n## 2. Attack Vector Analysis\n- **Entry Point**: Standard WordPress Media Metadata update (e.g., `wp_ajax_save-attachment`) or via the plugin's automatic processing of filenames.\n- **Sink**: `iaff_manage_media_custom_column_add_data()` in `admin\u002Fcolumns-media-library.php`.\n- **Vulnerable Parameters**: \n    - Attachment `post_title` (Title)\n    - Attachment `_wp_attachment_image_alt` meta (Alternative Text)\n    - Attachment `post_excerpt` (Caption)\n    - Attachment `post_content` (Description)\n- **Authentication**: Author-level access is required to upload and edit media.\n- **Preconditions**: The plugin must be active, and the victim (Admin) must view the Media Library in **List View** (`upload.php?mode=list`).\n\n## 3. Code Flow\n1. **Metadata Storage**: An Author updates an image's metadata. This is typically done via the `wp-admin\u002Fadmin-ajax.php` endpoint using the `save-attachment` action.\n2. **Column Registration**: The plugin uses `add_filter( 'manage_media_columns', 'iaff_manage_media_columns_add_columns' )` to add columns named `iaff_image_title`, `iaff_image_alt`, `iaff_image_caption`, and `iaff_image_description`.\n3. **Rendering Sink**: When the Media Library list is rendered, WordPress calls the hook `manage_media_custom_column`, which the plugin handles via `iaff_manage_media_custom_column_add_data( $column_name, $id )`.\n4. **Execution**: Inside `admin\u002Fcolumns-media-library.php`:\n   ```php\n   case 'iaff_image_alt':\n       $iaff_image_alt = get_post_meta( $id, '_wp_attachment_image_alt', true );\n       echo ( $iaff_image_alt !== false ) ? $iaff_image_alt : ''; \u002F\u002F SINK: No escaping\n       break;\n   ```\n   The raw meta value is `echo`ed without `esc_html()` or `esc_attr()`.\n\n## 4. Nonce Acquisition Strategy\nWhile the primary exploit vector involves standard WordPress media editing (which uses standard WordPress nonces), if an attacker wanted to use the plugin's **Bulk Updater** feature (`iaff_rename_old_image`), they would need the `iaff_rename_old_image_nonce`.\n\n- **Access Level**: The settings page containing the nonce is restricted to users with `manage_options` (Admins).\n- **Strategy for Agent**:\n    1. Navigate to the plugin settings page: `wp-admin\u002Foptions-general.php?page=image-attributes-from-filename`.\n    2. Use `browser_eval` to extract the nonce from the localized script variable (likely found in the source as part of the AJAX configuration).\n    3. *Note*: For a standard Stored XSS PoC starting from an Author account, we do not need the plugin's specific nonce, as we can use the default WordPress AJAX hooks to set the metadata.\n\n## 5. Exploitation Strategy\n### Step 1: Upload and Malicious Metadata Injection (Author Context)\n1. Log in as an **Author**.\n2. Upload a simple image file.\n3. Capture the `attachment_id` from the upload response.\n4. Send an AJAX request to update the \"Alternative Text\" (or Title\u002FCaption) of the image with an XSS payload.\n\n**HTTP Request (Author):**\n- **URL**: `http:\u002F\u002Flocalhost:8888\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Parameters**:\n    - `action`: `save-attachment`\n    - `id`: `[ATTACHMENT_ID]`\n    - `nonce`: `[NONCE_FROM_MEDIA_PAGE]`\n    - `changes[alt]`: `\">\u003Cimg src=x onerror=alert(document.domain)>`\n\n### Step 2: Triggering the XSS (Admin Context)\n1. Log in as an **Administrator**.\n2. Navigate to the Media Library list view.\n3. Observe the payload firing.\n\n**HTTP Request (Admin):**\n- **URL**: `http:\u002F\u002Flocalhost:8888\u002Fwp-admin\u002Fupload.php?mode=list`\n- **Method**: `GET`\n\n## 6. Test Data Setup\n1. **Plugin**: Ensure `auto-image-attributes-from-filename-with-bulk-updater` version 4.9 is installed and activated.\n2. **User**: Create a user with the **Author** role.\n3. **Media**: Ensure at least one image is uploaded by the Author.\n4. **View State**: The exploit requires \"List View\". If the library is in \"Grid View\", the custom columns are not rendered.\n\n## 7. Expected Results\n- When the Admin visits `upload.php?mode=list`, the HTML source will contain the unescaped payload:\n  ```html\n  \u003Ctd class=\"iaff_image_alt column-iaff_image_alt\" data-colname=\"Alternative Text\">\">\u003Cimg src=x onerror=alert(document.domain)>\u003C\u002Ftd>\n  ```\n- A JavaScript alert box will appear showing the document domain.\n\n## 8. Verification Steps\nAfter performing the HTTP requests:\n1. **Verify Metadata**: Use WP-CLI to check the stored meta value.\n   ```bash\n   wp post meta get [ATTACHMENT_ID] _wp_attachment_image_alt\n   ```\n2. **Verify Admin View**: Search for the payload string in the HTML response of the Media Library page using the agent's `http_request` tool.\n\n## 9. Alternative Approaches\n- **Filename Vector**: Attempt to upload a file named `\u003Cimg src=x onerror=alert(1)>.png`. If the plugin's `iaff_auto_image_attributes` function processes this filename on upload without sanitization, it will automatically populate the attributes with the payload.\n- **Bulk Updater Vector**: If the agent can obtain the `iaff_rename_old_image_nonce`, it can trigger `wp_ajax_iaff_rename_old_image` to force the plugin to re-process existing images with malicious filenames into the vulnerable metadata fields.","The Auto Image Attributes From Filename With Bulk Updater plugin (versions \u003C= 4.9) is vulnerable to Stored Cross-Site Scripting due to insufficient output escaping in the Media Library list view. Authenticated attackers with Author-level access can inject malicious scripts into image metadata fields (Title, Alt Text, Caption, or Description), which then execute in the context of any user (such as an administrator) viewing the Media Library's list mode.","\u002F* admin\u002Fcolumns-media-library.php line 52 *\u002F\n    switch( $column_name ) {\n        case 'iaff_image_title':\n            echo $image->post_title;\n            break;\n\n        case 'iaff_image_alt':\n            $iaff_image_alt = get_post_meta( $id, '_wp_attachment_image_alt', true );\n            echo ( $iaff_image_alt !== false ) ? $iaff_image_alt : '';\n            break;\n\n        case 'iaff_image_caption':\n            echo $image->post_excerpt;\n            break;\n\n        case 'iaff_image_description':\n            echo $image->post_content;\n            break;\n    }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9\u002Fadmin\u002Fadmin-ui-render.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9.1\u002Fadmin\u002Fadmin-ui-render.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9\u002Fadmin\u002Fadmin-ui-render.php\t2025-12-17 18:52:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9.1\u002Fadmin\u002Fadmin-ui-render.php\t2026-05-19 12:25:14.000000000 +0000\n@@ -775,7 +775,7 @@\n \n \tif ( ! empty( $available_tags ) ) :\n \t\t?>\n-\t\t\u003Cp>\u003C?php _e( 'Available tags:' ); ?>\u003C\u002Fp>\n+\t\t\u003Cp>\u003C?php _e( 'Available tags:', 'auto-image-attributes-from-filename-with-bulk-updater' ); ?>\u003C\u002Fp>\n \t\t\u003Cp>\u003C?php _e( 'The following tags when used in a custom attribute will be replaced with their corresponding value.', 'auto-image-attributes-from-filename-with-bulk-updater' ); ?>\u003C\u002Fp>\n \t\t\u003Cul class=\"iaff-available-custom-attribute-tags\" role=\"list\">\n \t\t\t\u003C?php\n@@ -1169,6 +1169,6 @@\n \n \techo \n \t\t'\u003Cp class=\"iaff-description\">' . \n-\t\t\tsprintf( __( 'Note: Requires Image Attributes Pro %s or newer to manage these options. \u003Ca href=\"%s\" target=\"_blank\">Read more.\u003C\u002Fa>', 'auto-image-attributes-from-filename-with-bulk-updater' ), $version, 'https:\u002F\u002Fimageattributespro.com\u002Fbackwards-compatibility\u002F?utm_source=iaff-basic&utm_medium=bulk-updater-settings-tab' ) . \n+\t\t\tsprintf( esc_html__( 'Note: Requires Image Attributes Pro %1$1s or newer to manage these options. \u003Ca href=\"%2$2s\" target=\"_blank\">Read more.\u003C\u002Fa>', 'auto-image-attributes-from-filename-with-bulk-updater' ), esc_html( $version ), 'https:\u002F\u002Fimageattributespro.com\u002Fbackwards-compatibility\u002F?utm_source=iaff-basic&utm_medium=bulk-updater-settings-tab' ) . \n \t\t'\u003C\u002Fp>';\n }\n\\ No newline at end of file\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9\u002Fadmin\u002Fbasic-setup.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9.1\u002Fadmin\u002Fbasic-setup.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9\u002Fadmin\u002Fbasic-setup.php\t2025-12-17 18:52:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9.1\u002Fadmin\u002Fbasic-setup.php\t2026-05-19 12:25:14.000000000 +0000\n@@ -36,7 +36,7 @@\n  * @since\t1.0\n  *\u002F\n function iaff_load_plugin_textdomain() {\n-    load_plugin_textdomain( 'auto-image-attributes-from-filename-with-bulk-updater', FALSE, IAFF_IMAGE_ATTRIBUTES_FROM_FILENAME_DIR . '\u002Flanguages\u002F' );\n+    load_plugin_textdomain( 'auto-image-attributes-from-filename-with-bulk-updater', false, IAFF_IMAGE_ATTRIBUTES_FROM_FILENAME_DIR . '\u002Flanguages\u002F' );\n }\n add_action( 'plugins_loaded', 'iaff_load_plugin_textdomain' );\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9\u002Fadmin\u002Fcolumns-media-library.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9.1\u002Fadmin\u002Fcolumns-media-library.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9\u002Fadmin\u002Fcolumns-media-library.php\t2025-12-17 18:52:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9.1\u002Fadmin\u002Fcolumns-media-library.php\t2026-05-19 12:25:14.000000000 +0000\n@@ -47,20 +47,21 @@\n \n     switch( $column_name ) {\n         case 'iaff_image_title':\n-            echo $image->post_title;\n+            echo esc_html( $image->post_title );\n             break;\n \n         case 'iaff_image_alt':\n             $iaff_image_alt = get_post_meta( $id, '_wp_attachment_image_alt', true );\n-            echo ( $iaff_image_alt !== false ) ? $iaff_image_alt : '';\n+            $iaff_image_alt = ( $iaff_image_alt !== false ) ? $iaff_image_alt : '';\n+            echo esc_html( $iaff_image_alt );\n             break;\n \n         case 'iaff_image_caption':\n-            echo $image->post_excerpt;\n+            echo esc_html( $image->post_excerpt );\n             break;\n \n         case 'iaff_image_description':\n-            echo $image->post_content;\n+            echo esc_html( $image->post_content );\n             break;\n     }\n }\n\\ No newline at end of file\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9\u002Fadmin\u002Fdo.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9.1\u002Fadmin\u002Fdo.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9\u002Fadmin\u002Fdo.php\t2025-12-17 18:52:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002F4.9.1\u002Fadmin\u002Fdo.php\t2026-05-19 12:25:14.000000000 +0000\n@@ -735,6 +735,8 @@\n \t\t\t'error' \t=> __( 'Image object was not provided.', 'auto-image-attributes-from-filename-with-bulk-updater' )\n \t\t];\n \t}\n+\n+\t$text = sanitize_text_field( $text );\n \t\n \t\u002F\u002F Get Settings\n \t$settings = iaff_get_settings();","To exploit this vulnerability, an attacker with at least Author-level privileges first uploads an image to the WordPress Media Library. The attacker then updates the image's metadata (such as the 'Alternative Text' or 'Title') using the standard WordPress `wp_ajax_save-attachment` AJAX action, injecting a malicious JavaScript payload (e.g., `\u003Cimg src=x onerror=alert(1)>`). Alternatively, the attacker can upload a file with the payload in its filename, which the plugin may automatically process into metadata fields. To trigger the XSS, an administrator must navigate to the Media Library in 'List View' (`upload.php?mode=list`). In this view, the plugin renders its custom columns (Title, Alt Text, etc.) by echoing the stored metadata directly to the page without escaping, causing the payload to execute in the administrator's browser.","gemini-3-flash-preview","2026-06-04 14:45:07","2026-06-04 14:46:32",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","4.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002Ftags\u002F4.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fauto-image-attributes-from-filename-with-bulk-updater.4.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002Ftags\u002F4.9.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fauto-image-attributes-from-filename-with-bulk-updater.4.9.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fauto-image-attributes-from-filename-with-bulk-updater\u002Ftags"]