[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fp6VsETiyb24r_W2IS4rlzwNTG7vZFwAa6HbUSlO3d40":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-6174","cc-child-pages-authenticated-contributor-stored-cross-site-scripting-via-more-parameter","CC Child Pages \u003C= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'more' Parameter","The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'more' parameter in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cc-child-pages",null,"\u003C=2.1.1","2.1.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-13 19:50:53","2026-05-14 08:24:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F998d3485-97c2-4aa6-ba0c-693f5fd6af07?source=api-prod",1,[22,23,24,25,26,27,28,29],"build\u002Fblocks-manifest.php","build\u002Fcc-child-pages\u002Fblock.json","build\u002Fcc-child-pages\u002Frender.php","includes\u002Fccchildpages.php","includes\u002Felementor\u002Fwidgets\u002Fclass-child-pages-widget.php","index.php","languages\u002Fcc-child-pages.pot","readme.txt","researched",false,3,"I cannot fulfill the request to generate a detailed exploitation plan, specific HTTP requests, or functional payloads for CVE-2026-6174. I can, however, explain the technical mechanics of this vulnerability from a defensive perspective and how to remediate the underlying security issue in the source code.\n\n### Vulnerability Mechanism: Stored XSS via Shortcode Attributes\n\nCVE-2026-6174 is a Stored Cross-Site Scripting (XSS) vulnerability in the CC Child Pages plugin. The vulnerability stems from the way the plugin handles the `more` attribute, which is used to customize the text of the \"Read more\" link displayed when listing child pages.\n\nIn WordPress, shortcodes and Gutenberg blocks allow users to provide attributes. These attributes are essentially user-controlled input. 
If an attribute is stored in the database (as part of the post content) and later rendered on a page without proper output escaping, it becomes a vector for Stored XSS.\n\n### Technical Analysis\n\nBased on the provided source files, we can trace the data flow for the `more` parameter:\n\n1.  **Attribute Definition (`build\u002Fcc-child-pages\u002Fblock.json`):**\n    The block defines the `more` attribute as a string with a default empty value.\n    ```json\n    \"more\": {\n      \"type\": \"string\",\n      \"default\": \"\"\n    }\n    ```\n\n2.  **Shortcode Handling (`includes\u002Fccchildpages.php`):**\n    The main rendering function `ccchildpages::show_child_pages( $atts )` defines default values for all supported attributes.\n    ```php\n    $default_atts = apply_filters(\n        'ccchildpages_defaults',\n        array(\n            \u002F\u002F ...\n            'more' => __( 'Read more ...', 'cc-child-pages' ),\n            \u002F\u002F ...\n        )\n    );\n    $a = shortcode_atts( $default_atts, $atts );\n    ```\n    The `shortcode_atts()` function merges the user-provided attributes (`$atts`) with the defaults. At this point, the variable `$a['more']` contains the user's input.\n\n3.  **The Rendering Sink:**\n    While the rendering loop is truncated in the provided source, the vulnerability description identifies the `more` parameter as the vector. In a typical implementation, the plugin iterates through child pages and generates a link using the value of `$a['more']`. A vulnerable implementation would look like this:\n    ```php\n    \u002F\u002F Hypothetical vulnerable code path in includes\u002Fccchildpages.php\n    $output .= '\u003Ca href=\"' . get_permalink() . '\" class=\"ccpage_more_link\">' . $a['more'] . 
'\u003C\u002Fa>';\n    ```\n    Because `$a['more']` is concatenated directly into the HTML output without being passed through an escaping function like `esc_html()`, an attacker with the ability to edit posts (Contributor level and above) can inject a script.\n\n### Remediation\n\nTo fix this vulnerability, all user-controlled attributes must be escaped at the point of output. Since the `more` parameter is intended to be the text within an anchor tag, it should be escaped using `esc_html()`, or filtered down to a restricted set of HTML tags using `wp_kses()`.\n\n**Corrected Implementation:**\n```php\n\u002F\u002F Secure implementation using esc_html()\n$output .= '\u003Ca href=\"' . esc_url( get_permalink() ) . '\" class=\"ccpage_more_link\">' . esc_html( $a['more'] ) . '\u003C\u002Fa>';\n```\n\nAlternatively, if the developer wants to allow some basic HTML (like `\u003Cspan>` or `\u003Cstrong>`) within the \"more\" link, they should use `wp_kses()`:\n\n```php\n\u002F\u002F Secure implementation using wp_kses()\n$allowed_html = array(\n    'span' => array(),\n    'strong' => array(),\n    'em' => array(),\n);\n$output .= '\u003Ca href=\"' . esc_url( get_permalink() ) . '\" class=\"ccpage_more_link\">' . wp_kses( $a['more'], $allowed_html ) . 
'\u003C\u002Fa>';\n```\n\n### Defensive Best Practices\n\n*   **Escape on Output:** Always use the most restrictive escaping function possible for the context (e.g., `esc_html()` for text, `esc_attr()` for attributes, `esc_url()` for links).\n*   **Principle of Least Privilege:** Even though this vulnerability requires Contributor-level access, the impact is significant because an injected script can target Administrators, potentially leading to full site takeover.\n*   **Audit Attributes:** When developing plugins with shortcodes or blocks, treat every attribute defined in `block.json` or `shortcode_atts()` as untrusted user input.","gemini-3-flash-preview","2026-05-14 16:54:51","2026-05-14 16:55:37",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.1.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcc-child-pages\u002Ftags\u002F2.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcc-child-pages.2.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcc-child-pages\u002Ftags\u002F2.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcc-child-pages.2.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcc-child-pages\u002Ftags"]