[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fI2CSYMp8tsq4xLWnTiU39lAugu9aN0Fn_aeRAKKOKVk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"source_links":40},"CVE-2026-3498","blockart-blocks-authenticated-author-stored-cross-site-scripting-via-clientid-block-attribute","BlockArt Blocks \u003C= 2.2.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'clientId' Block Attribute","The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","blockart-blocks",null,"\u003C=2.2.15","2.3.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-10 12:03:21","2026-04-11 01:24:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7d0cb432-785a-4f38-830f-72b95e65aa5a?source=api-prod",1,[22,23,24,25,26,27,28],"assets\u002Fjson\u002Fgoogle-fonts.json","blockart.php","changelog.txt","composer.json","dist\u002F193.js","dist\u002F353.js","dist\u002F397.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-3498 (BlockArt Blocks)\n\n## 1. Vulnerability Summary\nThe **BlockArt Blocks** plugin (versions \u003C= 2.2.15) is vulnerable to Stored Cross-Site Scripting (XSS) via the `clientId` block attribute. Gutenberg blocks store configuration as JSON attributes within HTML comments in the `post_content`. When a post is rendered, the plugin extracts these attributes and uses them to generate the frontend HTML and\u002For JavaScript. The `clientId` attribute, which is typically used to uniquely identify block instances for CSS or JS targeting, is rendered on the page without sufficient sanitization or escaping (e.g., `esc_attr()` or `esc_js()`), allowing an authenticated user with Author-level privileges to inject arbitrary scripts.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** WordPress REST API `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` (or the standard Gutenberg editor save request).\n- **Vulnerable Attribute:** `clientId` within a BlockArt block's attribute JSON.\n- **Vulnerable Block:** Likely the **Counter** block (based on `changelog.txt` 2.2.15: \"Fix - Sanitization and escaping of the counter block\") or any block utilizing `clientId` for unique ID generation.\n- **Authentication:** Author-level access is required (or any role with the `edit_posts` capability).\n- **Preconditions:** The plugin must be active, and a post containing the malicious block must be published and viewed.\n\n## 3. Code Flow (Inferred)\n1. **Source:** A user saves a post containing a block like `\u003C!-- wp:blockart\u002Fcounter {\"clientId\":\"\u003CPAYLOAD>\"} \u002F-->`.\n2. **Processing:** The WordPress Gutenberg parser extracts the JSON attributes.\n3. **Rendering:** In the plugin's PHP rendering logic (likely within `includes\u002FBlocks\u002F` or a registered `render_callback` for the block), the code retrieves the `clientId`.\n4. **Sink:** The `clientId` is echoed into an HTML attribute (e.g., `\u003Cdiv id=\"blockart-counter-CLIENTID\">`) or a JavaScript initialization block (e.g., `new CountUp(\"blockart-counter-CLIENTID\", ...)`).\n5. **Vulnerability:** Lack of `esc_attr()` or `esc_js()` on the `clientId` value allows breakout from the intended context.\n\n## 4. Nonce Acquisition Strategy\nThis exploit uses the WordPress REST API, which requires a `wp_rest` nonce for authenticated requests.\n\n1. **Role Setup:** Use an Author user.\n2. **Login:** Log in to the WordPress dashboard using the Author credentials.\n3. **Acquisition:** Navigate to the `\u002Fwp-admin\u002F` dashboard.\n4. **Extraction:** Use `browser_eval` to extract the REST nonce from the global `wpApiSettings` object.\n   - **JS Command:** `window.wpApiSettings.nonce`\n\n## 5. Exploitation Strategy\n### Step 1: Authentication and Nonce Retrieval\nLog in as an Author and retrieve the `_wpnonce` for the REST API.\n\n### Step 2: Inject Payload via REST API\nCreate a new post containing a BlockArt Counter block with a malicious `clientId`.\n\n- **HTTP Request:**\n  - **Method:** `POST`\n  - **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n  - **Headers:** \n    - `Content-Type: application\u002Fjson`\n    - `X-WP-Nonce: [EXTRACTED_NONCE]`\n  - **Body (JSON):**\n    ```json\n    {\n      \"title\": \"XSS Test Post\",\n      \"status\": \"publish\",\n      \"content\": \"\u003C!-- wp:blockart\u002Fcounter {\\\"clientId\\\":\\\"\\\\\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\\\"} \u002F-->\"\n    }\n    ```\n\n### Step 3: Trigger Payload\nNavigate to the URL of the newly created post in the browser.\n\n### Alternative Payloads (Context Dependent)\n- **Attribute Breakout:** `\\\" onmouseover=\\\"alert(1)\\\" data-ignore=\\\"`\n- **Script Tag Context:** `'); alert(1); \u002F\u002F` (If `clientId` is passed directly into a JS constructor in the HTML).\n\n## 6. Test Data Setup\n1. **Plugin:** Install and activate `blockart-blocks` version 2.2.15.\n2. **User:** Create a user with the **Author** role (e.g., username: `attacker`, password: `password123`).\n3. **Target Block:** The **Counter** block is the primary suspect. If unsuccessful, repeat with the **Section** or **Column** blocks.\n\n## 7. Expected Results\n- The REST API should return a `201 Created` status and a URL for the new post.\n- When navigating to the post URL, an alert box showing the document domain should appear.\n- Inspection of the HTML source should reveal the payload rendered unsanitized:\n  ```html\n  \u003Cdiv id=\"block-blockart-counter-\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">...\u003C\u002Fdiv>\n  ```\n\n## 8. Verification Steps\n1. **Check Post Content:** Use WP-CLI to verify the content was saved correctly:\n   `wp post get [POST_ID] --field=content`\n2. **Examine Rendered Output:** Use `http_request` to fetch the post's frontend HTML and search for the raw payload:\n   `grep \"\u003Cscript>alert\" response.html`\n\n## 9. Alternative Approaches\nIf the `clientId` is not directly editable via the standard block editor interface (due to JS validation), it can always be sent via a raw REST API request as shown in Step 5, because the server-side rendering logic is what lacks the sanitization, not the editor's save routine. \n\nIf the **Counter** block is not vulnerable, check these blocks (common in BlockArt):\n- `blockart\u002Fsection`\n- `blockart\u002Fcolumn`\n- `blockart\u002Fheading`\n\nCheck if the payload is rendered in the **Admin Editor** as well as the frontend, as this would allow an Author to target an Administrator (escalating the CVSS impact). To check this, navigate to the post's edit page in the dashboard: `\u002Fwp-admin\u002Fpost.php?post=[ID]&action=edit`.","The BlockArt Blocks plugin for WordPress (versions up to and including 2.2.15) is vulnerable to Stored Cross-Site Scripting (XSS) via the 'clientId' block attribute. This vulnerability allows authenticated users with Author-level access or higher to inject arbitrary web scripts into pages by providing a malicious payload for a block attribute that is rendered in the HTML or JavaScript context without sufficient sanitization or escaping.","\u002F* Inferred from changelog and research plan as specific PHP block rendering files were not provided in source *\u002F\n\u002F* Likely located in includes\u002FBlocks\u002FCounter.php or similar within the render_callback function *\u002F\n\n$client_id = isset( $attributes['clientId'] ) ? $attributes['clientId'] : '';\n\n\u002F\u002F The vulnerability exists where the $client_id is used as an HTML ID or in a script block without escaping\n$output .= '\u003Cdiv id=\"blockart-counter-' . $client_id . '\">';","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblockart-blocks\u002F2.2.15\u002Fassets\u002Fjson\u002Fgoogle-fonts.json \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblockart-blocks\u002F2.3.0\u002Fassets\u002Fjson\u002Fgoogle-fonts.json\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblockart-blocks\u002F2.2.15\u002Fassets\u002Fjson\u002Fgoogle-fonts.json\t2023-11-23 11:22:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblockart-blocks\u002F2.3.0\u002Fassets\u002Fjson\u002Fgoogle-fonts.json\t2026-04-02 11:04:42.000000000 +0000\n@@ -20,16 +20,22 @@\n     \"family\": \"Roboto\",\n     \"variants\": [\n       \"100\",\n-      \"100italic\",\n+      \"200\",\n       \"300\",\n-      \"300italic\",\n       \"regular\",\n-      \"italic\",\n       \"500\",\n-      \"500italic\",\n+      \"600\",\n       \"700\",\n-      \"700italic\",\n+      \"800\",\n       \"900\",\n+      \"100italic\",\n+      \"200italic\",\n+      \"300italic\",\n+      \"italic\",\n+      \"500italic\",\n+      \"600italic\",\n+      \"700italic\",\n+      \"800italic\",\n       \"900italic\"\n     ], ... (truncated)","1. Log in to the target WordPress site with Author-level credentials.\n2. Capture the REST API nonce from the browser's global JavaScript variable `window.wpApiSettings.nonce`.\n3. Send a POST request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` with a JSON payload to create a new post.\n4. In the post content, include a BlockArt block (such as the Counter block) with a manipulated `clientId` attribute containing an XSS payload: `\u003C!-- wp:blockart\u002Fcounter {\"clientId\":\"\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"} \u002F-->`.\n5. Publish the post and obtain its public URL.\n6. When any user (including administrators) visits the published post, the payload will execute in their browser context because the plugin renders the `clientId` value unsanitized within an HTML attribute.","gemini-3-flash-preview","2026-04-16 16:06:53","2026-04-16 16:07:27",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.2.15","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fblockart-blocks\u002Ftags\u002F2.2.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fblockart-blocks.2.2.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fblockart-blocks\u002Ftags\u002F2.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fblockart-blocks.2.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fblockart-blocks\u002Ftags"]