[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWBlbwjhzj0LLDD9kSNQEC-8foPUVQiBsgsM-cLdTM5g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-24383","b-slider-authenticated-contributor-stored-cross-site-scripting","B Slider \u003C= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting","The B Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","b-slider",null,"\u003C=2.0.6","2.0.7","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-29 00:00:00","2026-02-02 16:31:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F683edf03-b3ea-4de9-91d8-c4a556739f7f?source=api-prod",5,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-24383 (B Slider \u003C= 2.0.6)\n\n## 1. Vulnerability Summary\nThe **B Slider** plugin (versions \u003C= 2.0.6) contains a Stored Cross-Site Scripting (XSS) vulnerability. The flaw exists because the plugin fails to properly sanitize user-supplied data when saving slider configurations and fails to escape that data when rendering the slider on the frontend. Authenticated users with **Contributor** permissions or higher can exploit this to inject malicious JavaScript into sliders, which then executes in the browser of any user (including administrators) who views the affected page.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress AJAX API (`\u002Fwp-admin\u002Fadmin-ajax.php`) or the Custom Post Type (CPT) editor.\n*   **Vulnerable Action (Inferred):** The plugin likely uses a `wp_ajax_save_bslider` or similar AJAX action to store slider settings, or relies on standard `save_post` hooks for a `bslider` CPT.\n*   **HTTP Parameter:** Likely fields such as `slide_title`, `slide_description`, `button_text`, or `custom_css`.\n*   **Authentication:** Authenticated (Contributor+).\n*   **Preconditions:** The \"B Slider\" plugin must be active. The attacker needs a valid Contributor-level account.\n\n## 3. Code Flow (Inferred)\n1.  
**Entry Point:** The plugin registers an AJAX handler via `add_action('wp_ajax_...', ...)` or a meta box save handler.\n2.  **Processing:** The handler receives slider data (e.g., via `$_POST['slider_data']`).\n3.  **Sink (Storage):** The code calls `update_post_meta()` or `$wpdb->insert()` without passing the input through `sanitize_text_field()` or `wp_kses()`.\n4.  **Source (Output):** When a user views a page containing the `[b-slider id=\"...\"]` shortcode, the plugin retrieves the stored data using `get_post_meta()`.\n5.  **Sink (Rendering):** The plugin echoes the raw metadata into the HTML output without using `esc_html()`, `esc_attr()`, or `wp_kses()`.\n\n## 4. Nonce Acquisition Strategy\nTo interact with the AJAX handlers or the editor, a valid WordPress nonce is typically required.\n\n1.  **Identify Shortcode:** The primary shortcode is likely `[b-slider]`.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Slider Test\" --post_content='[b-slider]'\n    ```\n3.  **Navigate and Extract:**\n    *   Navigate to the newly created page.\n    *   The plugin likely enqueues scripts using `wp_localize_script`.\n    *   **Search for Localization Key (Inferred):** Look for `bslider_vars`, `bs_ajax_obj`, or similar.\n    *   **Action:** Use `browser_eval` to find the nonce:\n        ```javascript\n        \u002F\u002F Hypothetical variable names based on common plugin patterns\n        window.bslider_admin?.nonce || window.bs_vars?.nonce\n        ```\n    *   If the exploit is via the post editor (CPT), the nonce will be in the `#_wpnonce` hidden input field on the `post-new.php?post_type=bslider` page.\n\n## 5. Exploitation Strategy\nThe goal is to store a payload that executes when the slider is viewed.\n\n### Step 1: Create a Slider (Post Meta Injection)\nIf the plugin uses a Custom Post Type `bslider`:\n1.  Log in as a **Contributor**.\n2.  
Navigate to `wp-admin\u002Fpost-new.php?post_type=bslider` (inferred slug).\n3.  Inject the payload into a metadata field (e.g., Slide Title).\n\n**Payload:**\n`\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n\n### Step 2: AJAX Injection (If applicable)\nIf the plugin uses a custom AJAX saver:\n*   **Request URL:** `https:\u002F\u002Ftarget.example.com\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body (Inferred):**\n    ```text\n    action=bslider_save_settings&\n    nonce=[EXTRACTED_NONCE]&\n    slider_id=[ID]&\n    slide_content[0][title]=\u003Cimg src=x onerror=alert(1)>&\n    slide_content[0][link]=javascript:alert(2)\n    ```\n\n### Step 3: Triggering\n1.  Identify the ID of the created slider.\n2.  Add `[b-slider id=\"ID\"]` to a public post or page.\n3.  Visit that page as an Administrator.\n\n## 6. Test Data Setup\n1.  **Plugin:** Install and activate `b-slider` version 2.0.6.\n2.  **User:** Create a user `attacker` with the `contributor` role.\n3.  **Target Content:** Create a public post where the slider shortcode can be embedded.\n\n## 7. Expected Results\n*   The malicious payload should be saved to the database without being stripped.\n*   When the page with the slider is loaded, the browser should render:\n    `\u003Cdiv class=\"slide-title\">\u003Cimg src=x onerror=alert(1)>\u003C\u002Fdiv>` (or similar).\n*   An alert box should appear in the Administrator's browser context.\n\n## 8. Verification Steps\n1.  **Check Database:**\n    ```bash\n    wp db query \"SELECT meta_value FROM wp_postmeta WHERE meta_key = '_bslider_data' AND meta_value LIKE '%\u003Cscript>%';\"\n    ```\n2.  **Check Frontend Output:**\n    ```bash\n    # Navigate to the page with the slider and check for the unescaped script\n    http_request GET \"https:\u002F\u002Ftarget.example.com\u002Fslider-page\u002F\" | grep \"\u003Cscript>alert\"\n    ```\n\n## 9. 
Alternative Approaches\n*   **Link Injection:** If the slider allows \"Button Links,\" test `javascript:alert(1)` in the URL field. Many plugins escape HTML but forget to use `esc_url()` on links.\n*   **CSS Injection:** If there is a \"Custom CSS\" field for the slider, attempt to use `expression()` (for older IE) or `background-image: url(\"javascript:...\")` to trigger JS execution in vulnerable contexts.\n*   **Shortcode Attribute XSS:** Try `[b-slider title='\u003Cscript>alert(1)\u003C\u002Fscript>']`. If the shortcode handler echoes the `title` attribute directly, it's a Reflected\u002FStored XSS via the post content.","The B Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via slider configuration settings such as slide titles and descriptions. Authenticated attackers with Contributor-level access or higher can inject malicious JavaScript that executes in the browser of any user viewing a page where the affected slider is embedded.","\u002F\u002F Inferred saving logic in the slider CPT or AJAX handler\n\u002F\u002F File: b-slider\u002Fincludes\u002Fadmin\u002Fsave-settings.php (inferred)\nif ( isset( $_POST['bslider_meta'] ) ) {\n    update_post_meta( $post_id, '_bslider_meta', $_POST['bslider_meta'] );\n}\n\n---\n\n\u002F\u002F Inferred rendering logic in the shortcode handler\n\u002F\u002F File: b-slider\u002Fincludes\u002Ffrontend\u002Fshortcode.php (inferred)\n$meta = get_post_meta( $id, '_bslider_meta', true );\nforeach ( $meta['slides'] as $slide ) {\n    echo '\u003Cdiv class=\"bs-slide-title\">' . $slide['title'] . '\u003C\u002Fdiv>';\n    echo '\u003Cdiv class=\"bs-slide-desc\">' . $slide['description'] . 
'\u003C\u002Fdiv>';\n}","--- b-slider\u002Fincludes\u002Fadmin\u002Fsave-settings.php\n+++ b-slider\u002Fincludes\u002Fadmin\u002Fsave-settings.php\n@@ -1,5 +1,5 @@\n if ( isset( $_POST['bslider_meta'] ) ) {\n-    update_post_meta( $post_id, '_bslider_meta', $_POST['bslider_meta'] );\n+    $sanitized_meta = map_deep( $_POST['bslider_meta'], 'sanitize_text_field' );\n+    update_post_meta( $post_id, '_bslider_meta', $sanitized_meta );\n }\n\n--- b-slider\u002Fincludes\u002Ffrontend\u002Fshortcode.php\n+++ b-slider\u002Fincludes\u002Ffrontend\u002Fshortcode.php\n@@ -3,6 +3,6 @@\n $meta = get_post_meta( $id, '_bslider_meta', true );\n foreach ( $meta['slides'] as $slide ) {\n-    echo '\u003Cdiv class=\"bs-slide-title\">' . $slide['title'] . '\u003C\u002Fdiv>';\n-    echo '\u003Cdiv class=\"bs-slide-desc\">' . $slide['description'] . '\u003C\u002Fdiv>';\n+    echo '\u003Cdiv class=\"bs-slide-title\">' . esc_html( $slide['title'] ) . '\u003C\u002Fdiv>';\n+    echo '\u003Cdiv class=\"bs-slide-desc\">' . wp_kses_post( $slide['description'] ) . '\u003C\u002Fdiv>';\n }","1. Authenticate as a Contributor or higher user.\n2. Navigate to the 'B Slider' menu or the Custom Post Type editor for sliders (e.g., \u002Fwp-admin\u002Fpost-new.php?post_type=bslider).\n3. In one of the slider configuration fields (such as 'Slide Title' or 'Button Text'), enter a payload like: \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>.\n4. Save or update the slider.\n5. Note the slider ID (e.g., 123) and embed the shortcode [b-slider id=\"123\"] into a new post or page.\n6. Publish the post and view it (or wait for an administrator to view it).\n7. 
The injected script will execute in the victim's session, potentially allowing for session hijacking or administrative actions.","gemini-3-flash-preview","2026-05-04 20:47:02","2026-05-04 20:48:48",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.0.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fb-slider\u002Ftags\u002F2.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fb-slider.2.0.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fb-slider\u002Ftags\u002F2.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fb-slider.2.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fb-slider\u002Ftags"]
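Review bot: In the save-settings.php hunk, `map_deep( $_POST['bslider_meta'], 'sanitize_text_field' )` strips every tag from every value, including the slide description, yet the shortcode.php hunk renders the description through `wp_kses_post()`, which only makes sense if markup is allowed to survive the save. Pick one policy: if descriptions may carry HTML, sanitize that key with `wp_kses_post` on save and keep `sanitize_text_field` for the rest; if not, use `esc_html()` on output as for the title. The hunk also shows no nonce or capability check ahead of `update_post_meta()`; confirm the caller performs both, or add them here.

Review bot: In the shortcode.php hunk, `foreach ( $meta['slides'] as $slide )` still runs with no check that `get_post_meta()` returned an array containing a `slides` key (it returns an empty string when the meta is absent), and `$slide['title']` and `$slide['description']` are read without confirming they exist. Add a guard such as `if ( ! is_array( $meta ) || empty( $meta['slides'] ) ) { return; }` before the loop. Only title and description are escaped here; any other stored slide field that reaches the output, for example a button link, needs its own context-appropriate escaping such as `esc_url()`.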