[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuGb0cOHU9aM9P5dLqVT175dvJtbbvPZnlEuxPRvDk1k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-0691","cm-e-mail-blacklist-authenticated-administrator-stored-cross-site-scripting-via-blackemail-parameter","CM E-Mail Blacklist \u003C= 1.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'black_email' Parameter","The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.","cm-email-blacklist",null,"\u003C=1.6.2","1.6.3","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-16 00:00:00","2026-01-17 06:42:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F821f4ea9-bc25-4d65-9058-5b77c4f1b230?source=api-prod",1,[],"researched",false,3,"This research plan outlines the technical steps required to demonstrate the Stored Cross-Site Scripting (XSS) vulnerability in the CM E-Mail Blacklist plugin (CVE-2026-0691).\n\n### 1. Vulnerability Summary\nThe CM E-Mail Blacklist plugin (versions \u003C= 1.6.2) fails to properly sanitize the `black_email` input parameter and subsequently fails to escape this value when displaying it in the admin dashboard. While the attack requires Administrator-level privileges, it is considered a vulnerability in multi-site environments or single-site environments where `unfiltered_html` has been disabled for administrators (e.g., via `define('DISALLOW_UNFILTERED_HTML', true);` or specific role manager plugins).\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** WordPress Admin Area (`\u002Fwp-admin\u002Fadmin.php?page=cm-email-blacklist-settings` - *inferred*)\n*   **Vulnerable Parameter:** `black_email`\n*   **Authentication Requirement:** Administrator or higher.\n*   **Action String:** Likely `update` or a plugin-specific AJAX action (e.g., `cm_email_blacklist_save_options` - *inferred*).\n*   **Precondition:** The testing environment must have `unfiltered_html` disabled for the administrator to demonstrate that the plugin's failure to sanitize\u002Fescape is the root cause.\n\n### 3. Code Flow (Inferred)\n1.  **Input:** An administrator navigates to the plugin settings page and submits a list of blacklisted emails.\n2.  
**Processing:** The request is handled by an `admin_init` hook or a specific POST handler (likely in `CMEmailBlacklist.php` or an admin-specific file). The code likely retrieves `$_POST['black_email']` and saves it using `update_option()` without calling `sanitize_text_field()` or `wp_kses()`.\n3.  **Storage:** The payload is stored in the `wp_options` table (e.g., under the option name `cm_email_blacklist_data`).\n4.  **Output:** When the settings page or a logs page is reloaded, the plugin retrieves the option using `get_option()` and echoes it directly into a table cell or `\u003Ctextarea>` without using `esc_html()` or `esc_textarea()`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely uses the standard WordPress Settings API or a custom form with a nonce field for CSRF protection.\n\n1.  **Identify the Page:** Navigate to the plugin settings page.\n2.  **Locate Nonce:** Search the HTML for a hidden input field, usually named `_wpnonce` or similar.\n3.  **Extraction (PoC Agent):**\n    *   Navigate to the settings page: `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=cm-email-blacklist-settings\")`\n    *   Extract the nonce: `browser_eval(\"document.querySelector('input[name=\\\"_wpnonce\\\"]')?.value\")`\n    *   Identify the option group or action: `browser_eval(\"document.querySelector('input[name=\\\"option_page\\\"]')?.value\")`\n\n### 5. Exploitation Strategy\nThe goal is to inject a JavaScript payload into the blacklist settings that will execute whenever the settings page is viewed.\n\n*   **Step 1: Authenticate.** Log in as an Administrator.\n*   **Step 2: Access Settings.** Navigate to the \"CM E-Mail Blacklist\" settings page.\n*   **Step 3: Capture Form Data.** Identify the exact POST structure. 
Usually, it targets `options.php` or `admin-post.php`.\n*   **Step 4: Send Payload.**\n    *   **Payload:** `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    *   **HTTP Request (via `http_request`):**\n        ```http\n        POST \u002Fwp-admin\u002Foptions.php HTTP\u002F1.1\n        Content-Type: application\u002Fx-www-form-urlencoded\n\n        option_page=cm_email_blacklist_options&\n        action=update&\n        _wpnonce=[EXTRACTED_NONCE]&\n        black_email=test@example.com%0A%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E\n        ```\n*   **Step 5: Trigger XSS.** Navigate back to the settings page to verify execution.\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `cm-email-blacklist` version 1.6.2 is active.\n2.  **Disable `unfiltered_html`:**\n    *   Use WP-CLI: `wp config set DISALLOW_UNFILTERED_HTML true --raw`\n    *   *Alternative:* Create a site admin who does not have this capability if on Multisite.\n3.  **Initial State:** Ensure the blacklist is empty.\n\n### 7. Expected Results\n*   The `POST` request should return a `302 Found` redirecting back to the settings page.\n*   The settings page HTML will contain the raw payload: `...value=\"test@example.com \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"...`\n*   The browser will trigger an alert box showing the domain, confirming script execution in the admin context.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the payload is stored exactly as sent.\n    `wp option get cm_email_blacklist_data` (Inferred option name)\n2.  **Response Inspection:** Inspect the source of the settings page.\n    `http_request` GET to the settings page and grep for `\u003Cscript>alert`.\n\n### 9. Alternative Approaches\n*   **AJAX Handler:** If the plugin uses AJAX to save settings, look for `wp_ajax_cm_blacklist_save`. 
The payload remains the same, but the Content-Type may be `multipart\u002Fform-data` and the endpoint will be `\u002Fwp-admin\u002Fadmin-ajax.php`.\n*   **Import Feature:** If the plugin has an \"Import CSV\" or \"Bulk Upload\" feature, the `black_email` parameter might be processed through a file upload. A CSV containing the XSS payload can be uploaded to trigger the same vulnerability.\n*   **Bypass Attenuation:** If the plugin escapes the value inside a `\u003Ctextarea>` but not in a `\u003Ctd>` list, try a payload that breaks out of the table cell, like `\u003C\u002Ftd>\u003Ctd>\u003Cscript>alert(1)\u003C\u002Fscript>\u003C\u002Ftd>`.","The CM E-Mail Blacklist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in versions up to 1.6.2. This occurs because the plugin fails to sanitize input during storage and escape output during display, allowing administrators (particularly in Multisite environments) to inject malicious scripts that execute when users view the settings page.","\u002F* Inferred from vulnerability description and research plan *\u002F\n\u002F* Likely located in the settings handling logic of the plugin *\u002F\n\n\u002F\u002F Processing input (Input is saved directly without sanitization)\nif (isset($_POST['black_email'])) {\n    update_option('cm_email_blacklist_data', $_POST['black_email']);\n}\n\n---\n\n\u002F\u002F Displaying output (Option is retrieved and echoed without escaping)\n$blacklist = get_option('cm_email_blacklist_data');\n?>\n\u003Ctextarea name=\"black_email\">\u003C?php echo $blacklist; ?>\u003C\u002Ftextarea>\n\u003C?php","--- a\u002Fcm-email-blacklist\u002Fadmin\u002Fsettings.php\n+++ b\u002Fcm-email-blacklist\u002Fadmin\u002Fsettings.php\n@@ -1,7 +1,7 @@\n if (isset($_POST['black_email'])) {\n-    update_option('cm_email_blacklist_data', $_POST['black_email']);\n+    update_option('cm_email_blacklist_data', sanitize_textarea_field($_POST['black_email']));\n }\n \n $blacklist = 
get_option('cm_email_blacklist_data');\n ?>\n-\u003Ctextarea name=\"black_email\">\u003C?php echo $blacklist; ?>\u003C\u002Ftextarea>\n+\u003Ctextarea name=\"black_email\">\u003C?php echo esc_textarea($blacklist); ?>\u003C\u002Ftextarea>","To exploit this vulnerability, an attacker requires Administrator-level privileges on a site where the 'unfiltered_html' capability is restricted (such as a WordPress Multisite installation or a site with DISALLOW_UNFILTERED_HTML enabled). \n\n1. Authenticate as an administrator and navigate to the plugin's settings page (typically \u002Fwp-admin\u002Fadmin.php?page=cm-email-blacklist-settings).\n2. Locate the input field for 'black_email' (usually a textarea for blacklisted email addresses).\n3. Inject an XSS payload designed to break out of the textarea tags, for example: \">\u003C\u002Ftextarea>\u003Cscript>alert(document.domain)\u003C\u002Fscript>.\n4. Submit the form to save the settings. The payload will be stored in the database without sanitization.\n5. The script will execute immediately upon redirection to the settings page, or whenever any administrator views the plugin settings, as the stored value is echoed back into the page without escaping.","gemini-3-flash-preview","2026-05-05 08:05:45","2026-05-05 08:06:08",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.6.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcm-email-blacklist\u002Ftags\u002F1.6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcm-email-blacklist.1.6.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcm-email-blacklist\u002Ftags"]