CVE-2026-6864

CBX 5 Star Rating & Review <= 1.0.7 - Reflected Cross-Site Scripting via 'page' Parameter

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
1.0.8
Patched in
1d
Time to patch

Description

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.7
PublishedMay 21, 2026
Last updatedMay 22, 2026
Affected plugincbxscratingreview

What Changed in the Fix

Changes introduced in v1.0.8

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-6864 ## 1. Vulnerability Summary The **CBX 5 Star Rating & Review** plugin for WordPress (versions up to 1.0.7) is vulnerable to **Reflected Cross-Site Scripting (XSS)** via the `page` parameter. The vulnerability occurs because the plugin insufficiently sani…

Show full research plan

Exploitation Research Plan - CVE-2026-6864

1. Vulnerability Summary

The CBX 5 Star Rating & Review plugin for WordPress (versions up to 1.0.7) is vulnerable to Reflected Cross-Site Scripting (XSS) via the page parameter. The vulnerability occurs because the plugin insufficiently sanitizes and escapes the page query parameter before reflecting it back into the HTML of an administrative page. An unauthenticated attacker can craft a malicious link that, when clicked by a logged-in administrator, executes arbitrary JavaScript in the context of the victim's session.

2. Attack Vector Analysis

  • Target Endpoint: /wp-admin/admin.php
  • Vulnerable Parameter: page
  • Authentication Requirement: Unauthenticated attacker (sender), Administrator (victim/executor).
  • Injection Type: Reflected in the HTML source of the admin dashboard.
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

Based on the plugin's purpose and the CSS files provided, the vulnerability likely follows this path:

  1. The plugin registers an administrative menu page using add_menu_page or add_submenu_page.
  2. According to assets/css/cbxscratingreview-branding.css, a primary menu slug is cbxscratingreviewreviewlist (evidenced by the CSS selector #toplevel_page_cbxscratingreviewreviewlist).
  3. When rendering this page, the plugin logic (likely in a function handling the admin_menu or admin_init hooks) accesses the global $_GET['page'] or $_REQUEST['page'] variable.
  4. This value is echoed back into the page, common sinks include:
    • A hidden <input> field in a settings form: <input type="hidden" name="page" value="<?php echo $_GET['page']; ?>">
    • The action attribute of a <form>: <form action="admin.php?page=<?php echo $_GET['page']; ?>" ...>
    • A navigation link or a "Current Page" breadcrumb.
  5. Because WordPress core validates the page slug to route requests, the payload must either start with a valid slug or be delivered in a way that bypasses core routing checks (e.g., via parameter pollution).

4. Nonce Acquisition Strategy

Reflected XSS via a GET parameter typically does not require a nonce. The "attack" is the victim's navigation to the crafted URL. If the XSS payload is intended to perform a state-changing action (like CSRF to create an admin), the attacker would use the XSS to extract the necessary nonces from the DOM of the victim's browser once the script executes.

5. Exploitation Strategy

The goal is to trigger a reflected script execution in the administrator's browser.

Step 1: Discover the Reflection Point

We will test the valid admin page slug identified from the CSS: cbxscratingreviewreviewlist.

Step 2: Construct the Payloads

Since WordPress core validates the page slug, we will try two techniques:

  1. Attribute Breakout: Appending the payload to the valid slug.
  2. Parameter Pollution: Using the page parameter twice (PHP usually takes the last instance).

Payload A (Direct Breakout):
cbxscratingreviewreviewlist"><script>alert(window.origin)</script>

Payload B (Double Parameter):
page=cbxscratingreviewreviewlist&page="><script>alert(window.origin)</script>

Step 3: Execution via http_request

We will simulate an authenticated administrator session and request the malicious URL.

Request Details:

  • Method: GET
  • URL: http://localhost:8080/wp-admin/admin.php?page=cbxscratingreviewreviewlist%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
  • Headers:
    • Cookie: (Valid administrator session cookies)

6. Test Data Setup

  1. Install Plugin: wp plugin install cbxscratingreview --version=1.0.7 --activate
  2. Identify Admin User: Ensure an administrator user exists (default admin).
  3. Login Session: Use the automated agent's capability to maintain a logged-in session for the administrator.

7. Expected Results

  • The response from the server should return a 200 OK.
  • The response body will contain the literal string: value="cbxscratingreviewreviewlist"><script>alert(document.domain)</script>" or similar, confirming the lack of escaping.
  • If using a browser-based tool, a JS alert showing the site's domain will appear.

8. Verification Steps

  1. Verify via HTTP Response:
    Inspect the output of http_request to find the injected payload in the raw HTML.
    # Search for the payload in the response
    grep -a "<script>alert(document.domain)</script>" response_body.html
    
  2. Context Check:
    Verify if the injection is inside an attribute. If it's inside value="...", check if the double quote was escaped. If not, the vulnerability is confirmed.

9. Alternative Approaches

If the page parameter in admin.php is strictly validated by WordPress core before the plugin runs, try the following:

  • AJAX Reflection: Check if the page parameter is reflected in any wp_ajax_ handlers.
  • Frontend Pagination: Search for frontend pages where the plugin displays reviews (e.g., using a shortcode like [cbxscratingreview]). Reflected XSS often occurs in pagination links (e.g., ?page=2<script>...).
    • Create a test post: wp post create --post_type=post --post_title="Review Test" --post_content="[cbxscratingreview_reviews]" (slug inferred).
    • Test the URL: http://localhost:8080/review-test/?page=%3Cscript%3Ealert(1)%3C/script%3E.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.