[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fk1Su68oI5Ke0mmYJ94p2l4LDS2YzvywsFrkSB-emqIQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":35},"CVE-2026-6864","cbx-5-star-rating-review-reflected-cross-site-scripting-via-page-parameter","CBX 5 Star Rating & Review \u003C= 1.0.7 - Reflected Cross-Site Scripting via 'page' Parameter","The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.","cbxscratingreview",null,"\u003C=1.0.7","1.0.8","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-21 14:51:34","2026-05-22 03:39:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9ee11e19-21a6-45df-a118-f6dec3b55bc1?source=api-prod",1,[22,23,24,25,26,27],"assets\u002Fcss\u002Fcbxscratingreview-admin.css","assets\u002Fcss\u002Fcbxscratingreview-admin.css.map","assets\u002Fcss\u002Fcbxscratingreview-branding.css","assets\u002Fcss\u002Fcbxscratingreview-branding.css.map","assets\u002Fcss\u002Fcbxscratingreview-elementor.css","assets\u002Fcss\u002Fcbxscratingreview-elementor.css.map","researched",false,3,"# Exploitation Research Plan - CVE-2026-6864\n\n## 1. Vulnerability Summary\nThe **CBX 5 Star Rating & Review** plugin for WordPress (versions up to 1.0.7) is vulnerable to **Reflected Cross-Site Scripting (XSS)** via the `page` parameter. The vulnerability occurs because the plugin insufficiently sanitizes and escapes the `page` query parameter before reflecting it back into the HTML of an administrative page. An unauthenticated attacker can craft a malicious link that, when clicked by a logged-in administrator, executes arbitrary JavaScript in the context of the victim's session.\n\n## 2. Attack Vector Analysis\n- **Target Endpoint**: `\u002Fwp-admin\u002Fadmin.php`\n- **Vulnerable Parameter**: `page`\n- **Authentication Requirement**: Unauthenticated attacker (sender), Administrator (victim\u002Fexecutor).\n- **Injection Type**: Reflected in the HTML source of the admin dashboard.\n- **Preconditions**: The plugin must be active.\n\n## 3. Code Flow (Inferred)\nBased on the plugin's purpose and the CSS files provided, the vulnerability likely follows this path:\n1. The plugin registers an administrative menu page using `add_menu_page` or `add_submenu_page`. \n2. According to `assets\u002Fcss\u002Fcbxscratingreview-branding.css`, a primary menu slug is **`cbxscratingreviewreviewlist`** (evidenced by the CSS selector `#toplevel_page_cbxscratingreviewreviewlist`).\n3. When rendering this page, the plugin logic (likely in a function handling the `admin_menu` or `admin_init` hooks) accesses the global `$_GET['page']` or `$_REQUEST['page']` variable.\n4. This value is echoed back into the page, common sinks include:\n   - A hidden `\u003Cinput>` field in a settings form: `\u003Cinput type=\"hidden\" name=\"page\" value=\"\u003C?php echo $_GET['page']; ?>\">`\n   - The `action` attribute of a `\u003Cform>`: `\u003Cform action=\"admin.php?page=\u003C?php echo $_GET['page']; ?>\" ...>`\n   - A navigation link or a \"Current Page\" breadcrumb.\n5. Because WordPress core validates the `page` slug to route requests, the payload must either start with a valid slug or be delivered in a way that bypasses core routing checks (e.g., via parameter pollution).\n\n## 4. Nonce Acquisition Strategy\nReflected XSS via a `GET` parameter typically **does not require a nonce**. The \"attack\" is the victim's navigation to the crafted URL. If the XSS payload is intended to perform a state-changing action (like CSRF to create an admin), the attacker would use the XSS to extract the necessary nonces from the DOM of the victim's browser once the script executes.\n\n## 5. Exploitation Strategy\nThe goal is to trigger a reflected script execution in the administrator's browser.\n\n### Step 1: Discover the Reflection Point\nWe will test the valid admin page slug identified from the CSS: `cbxscratingreviewreviewlist`.\n\n### Step 2: Construct the Payloads\nSince WordPress core validates the `page` slug, we will try two techniques:\n1. **Attribute Breakout**: Appending the payload to the valid slug.\n2. **Parameter Pollution**: Using the `page` parameter twice (PHP usually takes the last instance).\n\n**Payload A (Direct Breakout):**\n`cbxscratingreviewreviewlist\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>`\n\n**Payload B (Double Parameter):**\n`page=cbxscratingreviewreviewlist&page=\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>`\n\n### Step 3: Execution via `http_request`\nWe will simulate an authenticated administrator session and request the malicious URL.\n\n**Request Details:**\n- **Method**: `GET`\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=cbxscratingreviewreviewlist%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E`\n- **Headers**: \n  - `Cookie`: (Valid administrator session cookies)\n\n## 6. Test Data Setup\n1. **Install Plugin**: `wp plugin install cbxscratingreview --version=1.0.7 --activate`\n2. **Identify Admin User**: Ensure an administrator user exists (default `admin`).\n3. **Login Session**: Use the automated agent's capability to maintain a logged-in session for the administrator.\n\n## 7. Expected Results\n- The response from the server should return a `200 OK`.\n- The response body will contain the literal string: `value=\"cbxscratingreviewreviewlist\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"` or similar, confirming the lack of escaping.\n- If using a browser-based tool, a JS alert showing the site's domain will appear.\n\n## 8. Verification Steps\n1. **Verify via HTTP Response**: \n   Inspect the output of `http_request` to find the injected payload in the raw HTML.\n   ```bash\n   # Search for the payload in the response\n   grep -a \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" response_body.html\n   ```\n2. **Context Check**: \n   Verify if the injection is inside an attribute. If it's inside `value=\"...\"`, check if the double quote was escaped. If not, the vulnerability is confirmed.\n\n## 9. Alternative Approaches\nIf the `page` parameter in `admin.php` is strictly validated by WordPress core before the plugin runs, try the following:\n- **AJAX Reflection**: Check if the `page` parameter is reflected in any `wp_ajax_` handlers.\n- **Frontend Pagination**: Search for frontend pages where the plugin displays reviews (e.g., using a shortcode like `[cbxscratingreview]`). Reflected XSS often occurs in pagination links (e.g., `?page=2\u003Cscript>...`).\n  - Create a test post: `wp post create --post_type=post --post_title=\"Review Test\" --post_content=\"[cbxscratingreview_reviews]\"` (slug inferred).\n  - Test the URL: `http:\u002F\u002Flocalhost:8080\u002Freview-test\u002F?page=%3Cscript%3Ealert(1)%3C\u002Fscript%3E`.","gemini-3-flash-preview","2026-06-04 22:11:21","2026-06-04 22:13:07",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.0.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcbxscratingreview\u002Ftags\u002F1.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcbxscratingreview.1.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcbxscratingreview\u002Ftags\u002F1.0.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcbxscratingreview.1.0.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcbxscratingreview\u002Ftags"]