[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQfT5JTcj0wY_WVFoXlaRilXZlPMR2Ft3jaU44wdaBNo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-12430","blocksy-companion-authenticated-editor-stored-cross-site-scripting-via-productdescription-parameter","Blocksy Companion \u003C= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter","The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","blocksy-companion",null,"\u003C=2.1.45","2.1.46","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-18 15:44:31","2026-06-19 04:31:35",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffac4ae61-cfc6-4efc-9f57-58fa39e00f07?source=api-prod",1,[22,23,24,25,26,27,28,29],"blocksy-companion.php","framework\u002Fextensions\u002Fcookies-consent\u002Fhelpers.php","framework\u002Fextensions\u002Fnewsletter-subscribe\u002Fadmin-static\u002Fbundle\u002Fnewsletter-block.js","framework\u002Fextensions\u002Fnewsletter-subscribe\u002Fadmin-static\u002Fjs\u002Fnewsletter-block\u002FPreview.js","framework\u002Fextensions\u002Fnewsletter-subscribe\u002Fconfig.php","framework\u002Fextensions\u002Fnewsletter-subscribe\u002Fct-newsletter-subscribe\u002Foptions.php","framework\u002Fextensions\u002Fnewsletter-subscribe\u002Fct-newsletter-subscribe\u002Fview.php","framework\u002Fextensions\u002Fnewsletter-subscribe\u002Fcustomizer.php","researched",false,3,"This research plan targets **CVE-2026-12430**, a Stored Cross-Site Scripting (XSS) vulnerability in the **Blocksy Companion** plugin. The vulnerability is located in the plugin's settings, specifically within the \"White Label\" extension's `product_description` parameter.\n\n### 1. Vulnerability Summary\nThe Blocksy Companion plugin (\u003C= 2.1.45) fails to adequately sanitize and escape the `product_description` parameter within its admin settings. While the plugin utilizes `wp_kses_post()` for some fields, this filter is insufficient to prevent XSS when `unfiltered_html` is disabled (e.g., for Editors on a Multisite or restricted environments), as it allows tags and attributes (like `\u003Ca>` or `style`) that can be used to execute JavaScript in specific contexts, or it may be omitted entirely during rendering in the admin dashboard.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php?action=customize_save`\n*   **Method:** POST\n*   **Vulnerable Parameter:** `customized` (JSON payload)\n*   **Setting ID:** `blocksy_ext_white_label_settings[product_description]` (inferred from `blocksy-companion.php` line 51 and CVE description)\n*   **Authentication:** Authenticated, Editor or higher (requires `edit_theme_options` capability).\n*   **Precondition:** The \"White Label\" extension must be active and the site must have `unfiltered_html` disabled for the attacker's role.\n\n### 3. Code Flow\n1.  **Persistence:** An Editor uses the WordPress Customizer or the Blocksy Dashboard to update the \"Product Description\". The request is sent to `admin-ajax.php` with the `customize_save` action.\n2.  **Storage:** The values are processed by the Customizer API and stored in the `wp_options` table under the option name `blocksy_ext_white_label_settings`.\n3.  **Retrieval:** In `blocksy-companion.php`, the settings are retrieved:\n    ```php\n    \u002F\u002F line 51\n    $blocksy_wl_settings = apply_filters( 'blocksy:ext:white-label:settings', get_option( 'blocksy_ext_white_label_settings', [] ) );\n    ```\n4.  **Sink:** The `product_description` is rendered in the Blocksy Dashboard (`\u002Fwp-admin\u002Fadmin.php?page=ct-dashboard`) to identify the plugin. If the output is rendered using a raw `echo` or insufficient escaping, the XSS payload executes in the context of any user (including Administrators) viewing the dashboard.\n\n### 4. Nonce Acquisition Strategy\nThis exploit requires the `customize_save` nonce. Since the attacker is authenticated as an Editor, they can extract this from the Customizer interface.\n\n1.  Navigate to the WordPress Customizer: `\u002Fwp-admin\u002Fcustomize.php`.\n2.  The nonce is stored in the global JavaScript object `_wpCustomizeSettings`.\n3.  Use the `browser_eval` tool to extract the nonce:\n    *   **Variable:** `window._wpCustomizeSettings.nonce.save`\n\n### 5. Exploitation Strategy\n1.  **Preparation:** Log in as an Editor. Ensure the \"White Label\" extension is active (see Test Data Setup).\n2.  **Nonce Extraction:** Navigate to `\u002Fwp-admin\u002Fcustomize.php` and run `browser_eval(\"window._wpCustomizeSettings.nonce.save\")`.\n3.  **Craft Payload:** Create a JSON object for the `customized` parameter.\n    ```json\n    {\n      \"blocksy_ext_white_label_settings\": {\n        \"product_description\": \"Custom Description\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"\n      }\n    }\n    ```\n4.  **Execute Injection:** Send the following request via the `http_request` tool:\n    *   **URL:** `[TARGET_URL]\u002Fwp-admin\u002Fadmin-ajax.php?action=customize_save`\n    *   **Method:** POST\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:**\n        ```\n        wp_customize=on&\n        nonce=[EXTRACTED_NONCE]&\n","The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_description' parameter in the 'White Label' extension settings. Authenticated attackers with Editor-level permissions and above can inject arbitrary web scripts into this field, which then execute when an administrator accesses the Blocksy Dashboard.","\u002F\u002F blocksy-companion.php line 51\nif ( in_array( 'white-label', $blocksy_active_extensions ) && ($blocksy_fs_instance->is_plan( 'agency' ) || $blocksy_fs_instance->is_plan( 'agency_v2' )) ) {\n    $blocksy_wl_settings = apply_filters( 'blocksy:ext:white-label:settings', get_option( 'blocksy_ext_white_label_settings', [] ) );\n    if ( $blocksy_wl_settings && isset( $blocksy_wl_settings['hide_billing_account'] ) && $blocksy_wl_settings['hide_billing_account'] && !is_multisite() ) {\n        $blocksy_has_account = false;\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblocksy-companion\u002F2.1.45\u002Fblocksy-companion.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblocksy-companion\u002F2.1.46\u002Fblocksy-companion.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblocksy-companion\u002F2.1.45\u002Fblocksy-companion.php\t2026-06-11 17:00:34.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblocksy-companion\u002F2.1.46\u002Fblocksy-companion.php\t2026-06-17 15:39:34.000000000 +0000\n@@ -3,14 +3,14 @@\n \u002F*\n Plugin Name: Blocksy Companion\n Description: This plugin is the companion for the Blocksy theme, it runs and adds its enhacements only if the Blocksy theme is installed and active.\n-Version: 2.1.45\n+Version: 2.1.46\n Author: CreativeThemes\n Author URI: https:\u002F\u002Fcreativethemes.com\n Text Domain: blocksy-companion\n Domain Path: \u002Flanguages\u002F\n License: GPLv2 or later\n License URI: http:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\n-Requires at least: 6.5\n+Requires at least: 6.7\n Requires PHP: 7.0\n *\u002F\n if ( !defined( 'ABSPATH' ) ) {\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblocksy-companion\u002F2.1.45\u002Fframework\u002Fextensions\u002Fcookies-consent\u002Fhelpers.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblocksy-companion\u002F2.1.46\u002Fframework\u002Fextensions\u002Fcookies-consent\u002Fhelpers.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblocksy-companion\u002F2.1.45\u002Fframework\u002Fextensions\u002Fcookies-consent\u002Fhelpers.php\t2026-03-26 17:22:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblocksy-companion\u002F2.1.46\u002Fframework\u002Fextensions\u002Fcookies-consent\u002Fhelpers.php\t2026-06-17 15:39:34.000000000 +0000\n@@ -45,13 +45,17 @@\n \treturn ob_get_clean();\n }\n \n-function blocksy_ext_cookies_checkbox($prefix = '') {\n+function blocksy_ext_cookies_checkbox($prefix = '', $unique_suffix = '') {\n \tob_start();\n \n \tif (! empty($prefix)) {\n \t\t$prefix = '_' . $prefix;\n \t}\n \n+\t$input_id = ! empty($unique_suffix)\n+\t\t? 'gdprconfirm_newsletter-' . sanitize_html_class($unique_suffix)\n+\t\t: 'gdprconfirm' . $prefix;\n+\n \t$message = blocksy_companion_theme_functions()->blocksy_get_theme_mod(\n \t\t'forms_cookie_consent_content',\n \t\tblocksy_companion_safe_sprintf(\n@@ -70,14 +74,14 @@\n \t\t\tblocksy_html_tag_e(\n \t\t\t\t'input',\n \t\t\t\t[\n-\t\t\t\t\t'id' => 'gdprconfirm' . $prefix,\n+\t\t\t\t\t'id' => $input_id,\n \t\t\t\t\t'class' => 'ct-checkbox',\n \t\t\t\t\t'name' => 'gdprconfirm',\n \t\t\t\t\t'type' => 'checkbox',\n \t\t\t\t\t'required' => true\n \t\t\t\t]\n \t\t\t);\n-\t\t?>\u003Clabel for=\"gdprconfirm\u003C?php echo esc_attr($prefix) ?>\">\u003C?php echo wp_kses_post($message) ?>\u003C\u002Flabel>\n+\t\t?>\u003Clabel for=\"\u003C?php echo esc_attr($input_id) ?>\">\u003C?php echo wp_kses_post($message) ?>\u003C\u002Flabel>\n \t\u003C\u002Fp>","The exploit is achieved by an authenticated user with Editor or higher permissions (specifically those with 'edit_theme_options' capabilities). 1. The attacker navigates to the WordPress Customizer ('\u002Fwp-admin\u002Fcustomize.php') and extracts the 'customize_save' nonce from the 'window._wpCustomizeSettings.nonce.save' object. 2. A POST request is sent to '\u002Fwp-admin\u002Fadmin-ajax.php?action=customize_save' with 'wp_customize=on', the extracted nonce, and a 'customized' JSON payload. 3. The payload contains an entry for 'blocksy_ext_white_label_settings' with a 'product_description' attribute containing a malicious script, such as '\u003Cscript>alert(document.domain)\u003C\u002Fscript>'. 4. The script is stored in the site's options and will execute in the session of any administrator who views the plugin's dashboard.","gemini-3-flash-preview","2026-06-25 20:47:00","2026-06-25 20:48:40",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.1.45","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fblocksy-companion\u002Ftags\u002F2.1.45","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fblocksy-companion.2.1.45.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fblocksy-companion\u002Ftags\u002F2.1.46","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fblocksy-companion.2.1.46.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fblocksy-companion\u002Ftags"]