[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fggHhWLSNesgQnlpDBIc0zLKLPA9gBvrKs-eVvK7NeSE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-56009","bricksable-for-bricks-builder-authenticated-author-stored-cross-site-scripting","Bricksable for Bricks Builder \u003C= 1.6.83 - Authenticated (Author+) Stored Cross-Site Scripting","The Bricksable for Bricks Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.83 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","bricksable",null,"\u003C=1.6.83","1.6.84","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-18 00:00:00","2026-06-23 15:37:15",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9de3dd8e-8529-496c-99ff-aa13d484135c?source=api-prod",6,[22,23,24,25,26,27,28,29],"bricksable.php","includes\u002Felements\u002Fback-to-top\u002Felement-back-to-top.php","includes\u002Felements\u002Fcard\u002Felement-card.php","includes\u002Felements\u002Fcontent-toggle\u002Felement-content-toggle.php","includes\u002Felements\u002Fflip-box\u002Felement-flip-box.php","includes\u002Felements\u002Ficon-list\u002Felement-icon-list.php","includes\u002Felements\u002Fimage-hotspots\u002Felement-image-hotspots.php","includes\u002Felements\u002Fmulti-heading\u002Felement-multi-heading.php","researched",false,3,"# Research Plan: CVE-2026-56009 - Bricksable for Bricks Builder Stored XSS\n\n## 1. Vulnerability Summary\nThe **Bricksable for Bricks Builder** plugin (\u003C= 1.6.83) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The plugin registers several custom elements for the Bricks Page Builder. These elements (e.g., `Multi Heading`, `Icon List`, `Card`, `Back To Top`) define various input controls (text, textarea, etc.) in their `set_controls()` methods.\n\nThe vulnerability exists because the plugin fails to sanitize these inputs when they are saved via the Bricks Builder and, more importantly, fails to escape the values when they are rendered in the `render()` method of the element classes. An attacker with **Author** level access or higher can use the Bricks Builder to insert a Bricksable element and inject malicious JavaScript into one of the element's settings. This script is then stored in the post's metadata and executes in the context of any user (including Administrators) who views the affected page or opens it in the builder.\n\n## 2. Attack Vector Analysis\n- **Target Endpoint**: WordPress AJAX handler `admin-ajax.php`.\n- **Action**: `bricks_save_post` (The standard Bricks Builder save action).\n- **Vulnerable Parameters**: The `elements` JSON object within the POST body, specifically within the `settings` of Bricksable elements.\n- **Authentication**: Required. Role: **Author** or higher (any role capable of using the Bricks Builder to edit a post).\n- **Preconditions**:\n    - Bricks Builder plugin must be active.\n    - Bricksable for Bricks Builder plugin must be active.\n    - The attacker must have permissions to edit a post\u002Fpage using the Bricks Builder.\n\n## 3. Code Flow\n1. **Definition**: Elements like `Bricksable_Multi_Heading` (in `includes\u002Felements\u002Fmulti-heading\u002Felement-multi-heading.php`) register controls. For example, the `multi_heading_item` repeater contains a `text` field:\n   ```php\n   'text' => array(\n       'type'           => 'text',\n       'hasDynamicData' => 'text',\n   ),\n   ```\n2. **Storage**: When a user saves a page in Bricks, the element's settings (including the `text` field) are sent via the `bricks_save_post` AJAX action and stored as JSON in the `_bricks_page_content` post meta.\n3. **Rendering (The Sink)**: When the page is viewed, Bricks calls the `render()` method of the element class. Although the `render()` methods are truncated in the provided source, the vulnerability description confirms that these settings are output without proper escaping (e.g., using `esc_html()` or `wp_kses()`).\n4. **Execution**: The stored script is rendered directly into the HTML of the page and executed by the victim's browser.\n\n## 4. Nonce Acquisition Strategy\nTo exploit `bricks_save_post`, a valid `bricks-nonce` is required. This nonce is tied to the Bricks Builder session.\n\n1. **Setup**: The PoC agent should create a post and ensure it is \"Bricks-enabled\".\n2. **Navigate**: Use the `browser_navigate` tool to go to the Bricks Builder interface for that post:\n   `http:\u002F\u002F\u003Cwp-url>\u002Fwp-admin\u002Fpost.php?post=\u003CPOST_ID>&bricks=run`\n3. **Extract**: Use the `browser_eval` tool to extract the nonce and current page data from the global `bricksData` object:\n   ```javascript\n   \u002F\u002F The nonce is typically stored here\n   const nonce = window.bricksData?.nonce;\n   \u002F\u002F We also need the current elements structure to ensure a valid save request\n   const pageData = window.bricksData?.pageData;\n   return { nonce, pageData };\n   ```\n\n## 5. Exploitation Strategy\nThe goal is to update a post's content with a malicious `ba-multi-heading` element.\n\n### Step-by-Step Plan:\n1. **Login**: Authenticate as an **Author** user.\n2. **Find Post**: Identify a post ID owned by the Author or create a new one.\n3. **Get Nonce**: Navigate to the Bricks Builder page for that ID and extract `bricksData.nonce`.\n4. **Construct Payload**: Create a JSON structure for a `ba-multi-heading` element where the `text` field contains the XSS payload.\n   ```json\n   [\n     {\n       \"name\": \"ba-multi-heading\",\n       \"settings\": {\n         \"multi_heading_item\": [\n           {\n             \"text\": \"Normal Title \u003Cscript>alert(document.domain)\u003C\u002Fscript>\"\n           }\n         ]\n       }\n     }\n   ]\n   ```\n5. **Execute Injection**: Send a POST request to `admin-ajax.php`.\n   - **URL**: `http:\u002F\u002F\u003Cwp-url>\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Content-Type**: `application\u002Fx-www-form-urlencoded`\n   - **Body**:\n     ```\n     action=bricks_save_post\n     postId=\u003CPOST_ID>\n     nonce=\u003CEXTRACTED_NONCE>\n     elements=\u003CURL_ENCODED_JSON_PAYLOAD>\n     ```\n6. **Verify**: Navigate to the frontend URL of the post and check if the `alert` triggers.\n\n## 6. Test Data Setup\n1. **User**: Create a user with the `author` role.\n2. **Post**: Create a post (e.g., ID 123) and set its `post_status` to `publish`.\n3. **Bricks Initialization**: Ensure the post is set to use Bricks. This can be done by editing it once in the builder or setting post meta `_bricks_editor_mode` to `true`.\n\n## 7. Expected Results\n- The `bricks_save_post` request should return a success status (usually `{\"success\": true}`).\n- When viewing the post frontend, the HTML source should contain the raw `\u003Cscript>alert(document.domain)\u003C\u002Fscript>` tag within the `ba-multi-heading` element container.\n- The browser should execute the script.\n\n## 8. Verification Steps\n1. **HTTP Verification**: Observe the response from the frontend request to ensure the payload is present in the HTML.\n2. **Database Verification (CLI)**:\n   ```bash\n   wp post meta get \u003CPOST_ID> _bricks_page_content\n   ```\n   Check if the JSON in the metadata contains the injected script.\n\n## 9. Alternative Approaches\nIf `Multi Heading` is patched or difficult to target, try other Bricksable elements identified in the source:\n- **Icon List** (`ba-icon-list`): Inject into `items` -> `title`.\n- **Card** (`ba-card`): Inject into the `badge` control.\n- **Content Toggle** (`ba-content-toggle`): Inject into `contentToggleItem` -> `label` or `content`.\n- **Back To Top** (`ba-back-to-top`): Inject into the `text` control.\n\nThe exploitation mechanism (Bricks AJAX save) remains the same for all these elements.","The Bricksable for Bricks Builder plugin for WordPress is vulnerable to Authenticated Stored Cross-Site Scripting (XSS) due to a lack of output escaping in multiple element rendering methods. An attacker with Author-level permissions or higher can inject malicious scripts into element settings like \"Multi Heading,\" \"Card,\" or \"Icon List,\" which then execute in the context of any user viewing the page or editing it in the builder.","\u002F\u002F includes\u002Felements\u002Fback-to-top\u002Felement-back-to-top.php line 518\nif ( isset( $settings['text'] ) ) {\n    $output .= \"\u003Cspan {$this->render_attributes( 'text' )}>\";\n    $output .= $settings['text'];\n    $output .= '\u003C\u002Fspan>';\n}\n\n---\n\n\u002F\u002F includes\u002Felements\u002Fmulti-heading\u002Felement-multi-heading.php line 337\n\u002F\u002F Heading.\nif ( isset( $item['use_background_text_mask'] ) ) {\n    $output .= '\u003C' . $this->render_attributes( \"multi-heading-item-$index\" ) . '>\u003C' . $this->render_attributes( \"multi-heading-item-text-mask-$index\" ) . '>' . $item['text'] . '\u003C\u002Fspan>\u003C\u002Fspan>';\n} else {\n    $output .= '\u003C' . $this->render_attributes( \"multi-heading-item-$index\" ) . '>' . $item['text'] . '\u003C\u002Fspan>';\n}\n\n---\n\n\u002F\u002F includes\u002Felements\u002Ficon-list\u002Felement-icon-list.php line 1029\nif ( isset( $list_item['link'] ) ) {\n    $this->set_link_attributes( \"a-$index\", $list_item['link'] );\n    $output .= '\u003Ca ' . $this->render_attributes( \"a-$index\" ) . '>\u003C' . $this->render_attributes( \"title-$index\" ) . '>' . $list_item['title'] . '\u003C\u002F' . $title_tag . '>\u003C\u002Fa>';\n} else {\n    $output .= '\u003C' . $this->render_attributes( \"title-$index\" ) . '>' . $list_item['title'] . '\u003C\u002F' . $title_tag . '>';\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbricksable\u002F1.6.83\u002Fincludes\u002Felements\u002Fback-to-top\u002Felement-back-to-top.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbricksable\u002F1.6.84\u002Fincludes\u002Felements\u002Fback-to-top\u002Felement-back-to-top.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbricksable\u002F1.6.83\u002Fincludes\u002Felements\u002Fback-to-top\u002Felement-back-to-top.php\t2026-03-03 08:08:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbricksable\u002F1.6.84\u002Fincludes\u002Felements\u002Fback-to-top\u002Felement-back-to-top.php\t2026-06-12 12:29:04.000000000 +0000\n@@ -515,7 +515,7 @@\n \t\t\t$this->set_attribute( 'text', 'class', 'ba-back-to-top-text' );\n \t\t\tif ( isset( $settings['text'] ) ) {\n \t\t\t\t$output .= \"\u003Cspan {$this->render_attributes( 'text' )}>\";\n-\t\t\t\t$output .= $settings['text'];\n+\t\t\t\t$output .= esc_html( $settings['text'] );\n \t\t\t\t$output .= '\u003C\u002Fspan>';\n \t\t\t}\n \t\t} elseif ( method_exists( '\\Bricks\\Frontend', 'render_children' ) ) {","To exploit this vulnerability, an authenticated user with Author-level access (capable of using the Bricks Builder) needs to perform the following steps: \n1. Login and navigate to the Bricks Builder editor for a post the user is authorized to edit.\n2. Obtain the valid 'bricks-nonce' by inspecting the global 'bricksData' object in the browser console.\n3. Construct a malicious JSON payload representing a Bricksable element (e.g., 'ba-multi-heading') where a text field like 'text' contains a Cross-Site Scripting payload such as \u003Cscript>alert(document.domain)\u003C\u002Fscript>.\n4. Send an AJAX POST request to 'wp-admin\u002Fadmin-ajax.php' with the action set to 'bricks_save_post', providing the 'postId', the 'nonce', and the 'elements' JSON payload.\n5. Once the post is saved, any user who views the post on the frontend will trigger the execution of the injected script because the plugin renders the stored setting without proper HTML escaping.","gemini-3-flash-preview","2026-06-25 21:12:24","2026-06-25 21:13:38",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.6.83","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbricksable\u002Ftags\u002F1.6.83","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbricksable.1.6.83.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbricksable\u002Ftags\u002F1.6.84","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbricksable.1.6.84.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbricksable\u002Ftags"]