CBX 5 Star Rating & Review <= 1.0.7 - Reflected Cross-Site Scripting via 'page' Parameter
Description
The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NTechnical Details
<=1.0.7What Changed in the Fix
Changes introduced in v1.0.8
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-6864 ## 1. Vulnerability Summary The **CBX 5 Star Rating & Review** plugin for WordPress (versions up to 1.0.7) is vulnerable to **Reflected Cross-Site Scripting (XSS)** via the `page` parameter. The vulnerability occurs because the plugin insufficiently sani…
Show full research plan
Exploitation Research Plan - CVE-2026-6864
1. Vulnerability Summary
The CBX 5 Star Rating & Review plugin for WordPress (versions up to 1.0.7) is vulnerable to Reflected Cross-Site Scripting (XSS) via the page parameter. The vulnerability occurs because the plugin insufficiently sanitizes and escapes the page query parameter before reflecting it back into the HTML of an administrative page. An unauthenticated attacker can craft a malicious link that, when clicked by a logged-in administrator, executes arbitrary JavaScript in the context of the victim's session.
2. Attack Vector Analysis
- Target Endpoint:
/wp-admin/admin.php - Vulnerable Parameter:
page - Authentication Requirement: Unauthenticated attacker (sender), Administrator (victim/executor).
- Injection Type: Reflected in the HTML source of the admin dashboard.
- Preconditions: The plugin must be active.
3. Code Flow (Inferred)
Based on the plugin's purpose and the CSS files provided, the vulnerability likely follows this path:
- The plugin registers an administrative menu page using
add_menu_pageoradd_submenu_page. - According to
assets/css/cbxscratingreview-branding.css, a primary menu slug iscbxscratingreviewreviewlist(evidenced by the CSS selector#toplevel_page_cbxscratingreviewreviewlist). - When rendering this page, the plugin logic (likely in a function handling the
admin_menuoradmin_inithooks) accesses the global$_GET['page']or$_REQUEST['page']variable. - This value is echoed back into the page, common sinks include:
- A hidden
<input>field in a settings form:<input type="hidden" name="page" value="<?php echo $_GET['page']; ?>"> - The
actionattribute of a<form>:<form action="admin.php?page=<?php echo $_GET['page']; ?>" ...> - A navigation link or a "Current Page" breadcrumb.
- A hidden
- Because WordPress core validates the
pageslug to route requests, the payload must either start with a valid slug or be delivered in a way that bypasses core routing checks (e.g., via parameter pollution).
4. Nonce Acquisition Strategy
Reflected XSS via a GET parameter typically does not require a nonce. The "attack" is the victim's navigation to the crafted URL. If the XSS payload is intended to perform a state-changing action (like CSRF to create an admin), the attacker would use the XSS to extract the necessary nonces from the DOM of the victim's browser once the script executes.
5. Exploitation Strategy
The goal is to trigger a reflected script execution in the administrator's browser.
Step 1: Discover the Reflection Point
We will test the valid admin page slug identified from the CSS: cbxscratingreviewreviewlist.
Step 2: Construct the Payloads
Since WordPress core validates the page slug, we will try two techniques:
- Attribute Breakout: Appending the payload to the valid slug.
- Parameter Pollution: Using the
pageparameter twice (PHP usually takes the last instance).
Payload A (Direct Breakout):cbxscratingreviewreviewlist"><script>alert(window.origin)</script>
Payload B (Double Parameter):page=cbxscratingreviewreviewlist&page="><script>alert(window.origin)</script>
Step 3: Execution via http_request
We will simulate an authenticated administrator session and request the malicious URL.
Request Details:
- Method:
GET - URL:
http://localhost:8080/wp-admin/admin.php?page=cbxscratingreviewreviewlist%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E - Headers:
Cookie: (Valid administrator session cookies)
6. Test Data Setup
- Install Plugin:
wp plugin install cbxscratingreview --version=1.0.7 --activate - Identify Admin User: Ensure an administrator user exists (default
admin). - Login Session: Use the automated agent's capability to maintain a logged-in session for the administrator.
7. Expected Results
- The response from the server should return a
200 OK. - The response body will contain the literal string:
value="cbxscratingreviewreviewlist"><script>alert(document.domain)</script>"or similar, confirming the lack of escaping. - If using a browser-based tool, a JS alert showing the site's domain will appear.
8. Verification Steps
- Verify via HTTP Response:
Inspect the output ofhttp_requestto find the injected payload in the raw HTML.# Search for the payload in the response grep -a "<script>alert(document.domain)</script>" response_body.html - Context Check:
Verify if the injection is inside an attribute. If it's insidevalue="...", check if the double quote was escaped. If not, the vulnerability is confirmed.
9. Alternative Approaches
If the page parameter in admin.php is strictly validated by WordPress core before the plugin runs, try the following:
- AJAX Reflection: Check if the
pageparameter is reflected in anywp_ajax_handlers. - Frontend Pagination: Search for frontend pages where the plugin displays reviews (e.g., using a shortcode like
[cbxscratingreview]). Reflected XSS often occurs in pagination links (e.g.,?page=2<script>...).- Create a test post:
wp post create --post_type=post --post_title="Review Test" --post_content="[cbxscratingreview_reviews]"(slug inferred). - Test the URL:
http://localhost:8080/review-test/?page=%3Cscript%3Ealert(1)%3C/script%3E.
- Create a test post:
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.