[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbDu9R5qJCfPljbEuDoNx0pfPYtx4dkaCm56780hqRdE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":20,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":37},"CVE-2026-4389","dsgvo-snippet-for-leaflet-map-and-its-extensions-authenticated-contributor-stored-cross-site-scripting-via-unset-attribu","DSGVO snippet for Leaflet Map and its Extensions \u003C= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'unset' Attribute","The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (`unset`, `before`, `after`). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","dsgvo-leaflet-map",null,"\u003C=3.1","3.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-23 00:00:00","2026-03-26 04:28:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdfeaff92-165a-4006-8e52-a99ae6b68dd9?source=api-prod",3,[22,23,24,25,26],"README.md","admin.php","dsgvo-leaflet-map.php","php\u002Fleaflet-map.php","php\u002Ftime-delete.php","researched",false,"This research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in the **DSGVO snippet for Leaflet Map and its Extensions** plugin (CVE-2026-4389). The vulnerability allows Contributor-level users to inject malicious scripts into pages via unescaped shortcode attributes.\n\n---\n\n### 1. Vulnerability Summary\nThe plugin provides shortcodes to display cookie-related information or forms. In `php\u002Ftime-delete.php`, the functions `leafext_get_cookie_time` and `leafext_form_delete_cookie` process attributes for the `[leafext-cookie-time]` and `[leafext-delete-cookie]` shortcodes. The attributes `unset`, `before`, and `after` are concatenated directly into the output `$content` without any sanitization (e.g., `wp_kses`) or output escaping (e.g., `esc_html`).\n\n### 2. Attack Vector Analysis\n* **Shortcodes**: `[leafext-cookie-time]` and `[leafext-delete-cookie]`\n* **Vulnerable Attributes**: `unset`, `before`, `after`\n* **Authentication**: Contributor or higher (anyone who can create\u002Fedit posts).\n* **Payload Mechanism**: The payload is stored in the post content as a shortcode attribute. It executes in the browser of any user (including Administrators) viewing the page.\n* **Preconditions**: \n * To trigger the `unset` attribute, the visitor must **not** have the `leafext` cookie set.\n * To trigger the `before` and `after` attributes, the visitor **must** have the `leafext` cookie set.\n\n### 3. Code Flow\n1. **Entry Point**: `add_shortcode` registers `leafext-cookie-time` and `leafext-delete-cookie` in `php\u002Ftime-delete.php`.\n2. **Processing**: When `do_shortcode()` encounters these tags, it calls `leafext_get_cookie_time($atts, $content)` or `leafext_form_delete_cookie($atts, $content)`.\n3. **Attribute Extraction**: The functions check for the `unset`, `before`, and `after` keys in the `$atts` array.\n4. **Vulnerable Sink**:\n * In `leafext_get_cookie_time`:\n ```php\n $before = isset( $atts['before'] ) ? '\u003Cdiv class=\"cookietext\">' . $atts['before'] : ''; \u002F\u002F Sink 1\n $after = isset( $atts['after'] ) ? $atts['after'] . '\u003C\u002Fdiv>' : ''; \u002F\u002F Sink 2\n \u002F\u002F ...\n $content = $before . $content . $after;\n \u002F\u002F ... or ...\n $content = isset( $atts['unset'] ) ? $atts['unset'] : ''; \u002F\u002F Sink 3\n return $content;\n ```\n5. **Execution**: The returned unescaped string is rendered in the final HTML response.\n\n### 4. Nonce Acquisition Strategy\nNo WordPress nonce is required to **exploit** the XSS rendering, as shortcode attributes are processed whenever a post is viewed. However, to test the `before`\u002F`after` attribute path (which requires the `leafext` cookie), we may need to set the cookie.\n\n**Setting the `leafext` Cookie**:\nThe plugin sets this cookie in `leafext_setcookie` (in `php\u002Fleaflet-map.php`) if a POST request is made with the `leafext_button` parameter and a valid nonce.\n1. Create a page with `[leaflet-map]`.\n2. The plugin's filter `leafext_query_cookie` will render a form containing a nonce field: \n `wp_nonce_field( 'leafext_dsgvo', 'leafext_dsgvo_okay', true, false )`.\n3. Use `browser_navigate` to view the page.\n4. Use `browser_eval` to extract the nonce: \n `document.querySelector('input[name=\"leafext_dsgvo_okay\"]').value`.\n5. Perform an `http_request` (POST) to the same page with `leafext_button=1&leafext_dsgvo_okay=[NONCE]`.\n\n### 5. Exploitation Strategy\nWe will demonstrate the XSS via the `unset` attribute as it is the simplest vector.\n\n#### Step 1: Contributor Login\nUse the `http_request` tool to log in as a Contributor.\n\n#### Step 2: Create Malicious Post\nCreate a post containing the payload.\n* **Action**: `POST \u002Fwp-admin\u002Fpost-new.php` or use `wp-cli`.\n* **Payload**: `[leafext-cookie-time unset='\u003Cscript>alert(\"CVE-2026-4389-XSS\")\u003C\u002Fscript>']`\n\n#### Step 3: Trigger XSS\nNavigate to the newly created post as an unauthenticated user (to ensure no cookie exists).\n* **Tool**: `http_request` (GET).\n* **Verification**: Check if the response body contains the raw `\u003Cscript>` tag.\n\n### 6. Test Data Setup\n1. **Contributor User**: `wp user create contributor contributor@example.com --role=contributor --user_pass=password`\n2. **Plugin Dependency**: Ensure `leaflet-map` and `extensions-leaflet-map` are active (required by `leafext_plugin_active` checks).\n3. **Target Post**:\n ```bash\n wp post create --post_type=post --post_status=publish --post_author=[ID] --post_title=\"GDPR Test\" --post_content='[leafext-cookie-time unset=\"\u003Cimg src=x onerror=alert(document.domain)>\"]'\n ```\n\n### 7. Expected Results\n* The `leafext_get_cookie_time` function returns the value of the `unset` attribute directly.\n* The HTML response will contain: `\u003Cimg src=x onerror=alert(document.domain)>`.\n* In a browser context, the JavaScript `alert` will trigger.\n\n### 8. Verification Steps\n1. **HTTP Response Check**:\n ```bash\n # Capture response\n curl -s http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID] | grep \"onerror=alert\"\n ```\n2. **Browser Verification**:\n Use `browser_navigate` to the post URL and check for an alert dialog using `browser_eval`.\n\n### 9. Alternative Approaches\n* **`before` attribute**: If the `unset` attribute is patched or fails, target `before` by setting the cookie first.\n * Payload: `[leafext-cookie-time before='\u003Csvg onload=alert(1)>']`\n* **`leafext-delete-cookie` shortcode**:\n * Payload: `[leafext-delete-cookie unset='\u003Cscript>alert(\"delete-cookie-xss\")\u003C\u002Fscript>']`\n * This function (in `php\u002Ftime-delete.php`) follows the exact same logic as the first shortcode.","The plugin is vulnerable to Stored Cross-Site Scripting via several shortcode attributes ('unset', 'before', 'after') used in the '[leafext-cookie-time]' and '[leafext-delete-cookie]' shortcodes. Authenticated attackers with contributor-level permissions can inject arbitrary JavaScript that executes in the browser of any user viewing the affected post or page.","\u002F\u002F php\u002Ftime-delete.php\n\n\u002F\u002F line 35\n\t\t\t$before = isset( $atts['before'] ) ? '\u003Cdiv class=\"cookietext\">' . $atts['before'] : '';\n\t\t\t$after = isset( $atts['after'] ) ? $atts['after'] . '\u003C\u002Fdiv>' : '';\n\n\t\t\t$content = $before . $content . $after;\n\n\t\t} else {\n\t\t\t$content = isset( $atts['unset'] ) ? $atts['unset'] : '';\n\t\t}\n\n---\n\n\u002F\u002F php\u002Ftime-delete.php\n\n\u002F\u002F line 81\n\t\t\t$before = isset( $atts['before'] ) ? '\u003Cdiv class=\"cookietext\">' . $atts['before'] : '';\n\t\t\t$after = isset( $atts['after'] ) ? $atts['after'] . '\u003C\u002Fdiv>' : '';\n\n\t\t\t$content = $before . $content . $after;\n\t\t} else {\n\t\t\t$content = isset( $atts['unset'] ) ? $atts['unset'] : '';\n\t\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.3\u002Fadmin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.4\u002Fadmin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.3\u002Fadmin.php\t2025-06-24 20:07:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.4\u002Fadmin.php\t2026-03-22 21:09:40.000000000 +0000\n@@ -24,7 +24,7 @@\n \tadd_action( 'admin_menu', 'leafext_dsgvo_add_page', 90 );\n \n \tfunction leafext_dsgvo_init() {\n-\t\tadd_settings_section( 'leafext_dsgvo', '', '', 'leafext_settings_dsgvo' );\n+\t\tadd_settings_section( 'leafext_dsgvo', '', '__return_empty_string', 'leafext_settings_dsgvo' );\n \t\t$fields = leafext_dsgvo_params();\n \t\tforeach ( $fields as $field ) {\n \t\t\tadd_settings_field(\n@@ -36,12 +36,19 @@\n \t\t\t\t$field['param'],\n \t\t\t);\n \t\t}\n-\t\t\u002F\u002F https:\u002F\u002Fstackoverflow.com\u002Fa\u002F77545721\n \t\t$leafext_dsgvo = get_option( 'leafext_dsgvo' );\n \t\tif ( $leafext_dsgvo === false ) {\n-\t\t\tadd_option( 'leafext_dsgvo', '' );\n+\t\t\tadd_option( 'leafext_dsgvo', array() );\n \t\t}\n-\t\tregister_setting( 'leafext_settings_dsgvo', 'leafext_dsgvo', 'leafext_validate_dsgvo' );\n+\t\tregister_setting(\n+\t\t\t'leafext_settings_dsgvo',\n+\t\t\t'leafext_dsgvo',\n+\t\t\tarray(\n+\t\t\t\t'type' => 'array',\n+\t\t\t\t'sanitize_callback' => 'leafext_validate_dsgvo',\n+\t\t\t\t'default' => array(),\n+\t\t\t)\n+\t\t);\n \t}\n \tadd_action( 'admin_init', 'leafext_dsgvo_init' );\n \n@@ -229,11 +236,6 @@\n \t\tforeach ( $tabs as $tab ) {\n \t\t\techo '\u003Ca href=\"' . esc_url( '?page=' . LEAFEXT_DSGVO_PLUGIN_NAME . '&tab=' . $tab['tab'] ) . '\" class=\"nav-tab';\n \t\t\t$active = ( $active_tab === $tab['tab'] ) ? ' nav-tab-active' : '';\n-\t\t\tif ( isset( $tab['strpos'] ) ) {\n-\t\t\t\tif ( strpos( $active_tab, $tab['strpos'] ) !== false ) {\n-\t\t\t\t\t$active = ' nav-tab-active';\n-\t\t\t\t}\n-\t\t\t}\n \t\t\techo esc_attr( $active );\n \t\t\techo '\">' . esc_html( $tab['title'] ) . '\u003C\u002Fa>' . \"\\n\";\n \t\t}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.3\u002Fdsgvo-leaflet-map.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.4\u002Fdsgvo-leaflet-map.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.3\u002Fdsgvo-leaflet-map.php\t2026-03-05 16:13:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.4\u002Fdsgvo-leaflet-map.php\t2026-03-23 21:30:00.000000000 +0000\n@@ -3,8 +3,8 @@\n * Plugin Name: DSGVO snippet for Leaflet Map and its Extensions\n * Description: Respect the DSGVO \u002F GDPR when you use Leaflet Map and Extensions for Leaflet Map.\n * Plugin URI: https:\u002F\u002Fleafext.de\u002Fen\u002F\n- * Version: 3.3\n- * Requires PHP: 8.1\n+ * Version: 3.4\n+ * Requires PHP: 8.2\n * Requires Plugins: leaflet-map, extensions-leaflet-map\n * Author: hupe13\n * Author URI: https:\u002F\u002Fleafext.de\u002Fen\u002F\n@@ -27,13 +27,14 @@\n \u002F\u002F string $plugin_file, bool $markup = true, bool $translate = true\n $leafext_plugin_data = get_plugin_data( __FILE__, true, false );\n define( 'LEAFEXT_DSGVO_PLUGIN_VERSION', $leafext_plugin_data['Version'] );\n-\n if ( ! function_exists( 'leafext_plugin_active' ) ) {\n \tfunction leafext_plugin_active( $slug ) {\n-\t\t$plugins = get_option( 'active_plugins' );\n-\t\t$is_active = preg_grep( '\u002F^.*\\\u002F' . $slug . '\\.php$\u002F', $plugins );\n-\t\tif ( count( $is_active ) === 1 ) {\n-\t\t\treturn true;\n+\t\t$plugins = get_option( 'active_plugins' );\n+\t\tif ( is_array( $plugins ) ) {\n+\t\t\t$is_active = preg_grep( '\u002F^.*\\\u002F' . $slug . '\\.php$\u002F', $plugins );\n+\t\t\tif ( count( $is_active ) === 1 ) {\n+\t\t\t\treturn true;\n+\t\t\t}\n \t\t}\n \t\t$plugins = get_site_option( 'active_sitewide_plugins' );\n \t\tif ( is_array( $plugins ) ) {\n@@ -86,7 +87,7 @@\n \t\t\t\t)\n \t\t\t);\n \t\t\t\u002F\u002F phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- it is an WP Error\n-\t\t\twp_die( $error, '', wp_kses_post( $error->get_error_data() ) );\n+\t\t\twp_die( $error, '', $error->get_error_data() );\n \t\t}\n \t}\n \tregister_activation_hook( __FILE__, 'leafext_extensions_require' );\n@@ -103,4 +104,4 @@\n \t\treturn $actions;\n \t}\n }\n-add_filter( 'plugin_action_links', 'leafext_disable_dsgvo_activation', 10, 4 );\n+add_filter( 'plugin_action_links', 'leafext_disable_dsgvo_activation', 10, 2 );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.3\u002Fphp\u002Fleaflet-map.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.4\u002Fphp\u002Fleaflet-map.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.3\u002Fphp\u002Fleaflet-map.php\t2026-03-04 20:19:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.4\u002Fphp\u002Fleaflet-map.php\t2026-03-22 21:09:40.000000000 +0000\n@@ -69,7 +69,7 @@\n \t\t\t'httponly' => true,\n \t\t\t'samesite' => 'Strict', \u002F\u002F None || Lax || Strict\n \t\t);\n-\t\tsetcookie( 'leafext', time(), $arr_cookie_options );\n+\t\tsetcookie( 'leafext', (string) time(), $arr_cookie_options );\n \t\t$_COOKIE['leafext'] = time();\n \t}\n }\n@@ -131,7 +131,7 @@\n \n \t\tif ( ! isset( $leafext_okay ) ) {\n \t\t\t$leafext_okay = true;\n-\t\t\t$form = true;\n+\t\t\t$form = true;\n \t\t} else {\n \t\t\t$count = filter_var( $settings['count'], FILTER_VALIDATE_BOOLEAN );\n \t\t\tif ( $count ) {\n@@ -131,7 +131,7 @@\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.3\u002Fphp\u002Ftime-delete.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.4\u002Fphp\u002Ftime-delete.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.3\u002Fphp\u002Ftime-delete.php\t2026-03-04 20:19:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdsgvo-leaflet-map\u002F3.4\u002Fphp\u002Ftime-delete.php\t2026-03-23 21:11:56.000000000 +0000\n@@ -21,18 +21,18 @@\n \n \t\t\t$gmt = isset( $atts['gmt'] ) ? $atts['gmt'] : 0;\n \t\t\tif ( $gmt ) {\n-\t\t\t\t$content = gmdate( $format, $cookie_time );\n+\t\t\t\t$content = gmdate( $format, (int) $cookie_time );\n \t\t\t} else {\n-\t\t\t\t$content = wp_date( $format, $cookie_time );\n+\t\t\t\t$content = wp_date( $format, (int) $cookie_time );\n \t\t\t}\n \n-\t\t\t$before = isset( $atts['before'] ) ? '\u003Cdiv class=\"cookietext\">' . $atts['before'] : '';\n-\t\t\t$after = isset( $atts['after'] ) ? $atts['after'] . '\u003C\u002Fdiv>' : '';\n+\t\t\t$before = isset( $atts['before'] ) ? '\u003Cdiv class=\"cookietext\">' . wp_kses_post( $atts['before'] ) : '';\n+\t\t\t$after = isset( $atts['after'] ) ? wp_kses_post( $atts['after'] ) . '\u003C\u002Fdiv>' : '';\n \n \t\t\t$content = $before . $content . $after;\n \n \t\t} else {\n-\t\t\t$content = isset( $atts['unset'] ) ? $atts['unset'] : '';\n+\t\t\t$content = isset( $atts['unset'] ) ? wp_kses_post( $atts['unset'] ) : '';\n \t\t}\n \t}\n \treturn $content;\n@@ -64,19 +64,19 @@\n \t\t\t$content .= wp_nonce_field( 'leafext_dsgvo', 'leafext_dsgvo_cookie', true, false );\n \t\t\tif ( isset( $atts['link'] ) ) {\n \t\t\t\t$content .= '\u003Cinput type=\"hidden\" value=\"' . esc_attr( $submit ) . '\" name=\"leafext_cookie_button\" \u002F>';\n-\t\t\t\t$content .= ' \u003Ca href=\"javascript:;\" onclick=\"parentNode.submit();\">' . $submit . '\u003C\u002Fa> ';\n+\t\t\t\t$content .= ' \u003Ca href=\"javascript:;\" onclick=\"parentNode.submit();\">' . esc_html( $submit ) . '\u003C\u002Fa> ';\n \t\t\t} else {\n \t\t\t\t$content .= '\u003Cdiv class=\"submit leafext-dsgvo-submit leafext-dsgvo-delete-submit\">';\n \t\t\t\t$content .= '\u003Cinput type=\"submit\" aria-label=\"Submit ' . esc_attr( $submit ) . '\" value=\"' . esc_attr( $submit ) . '\" name=\"leafext_cookie_button\" \u002F>';\n \t\t\t\t$content .= '\u003C\u002Fdiv>';\n \t\t\t}\n \t\t\t$content .= '\u003C\u002Fform>';\n-\t\t\t$before = isset( $atts['before'] ) ? '\u003Cdiv class=\"cookietext\">' . $atts['before'] : '';\n-\t\t\t$after = isset( $atts['after'] ) ? $atts['after'] . '\u003C\u002Fdiv>' : '';\n+\t\t\t$before = isset( $atts['before'] ) ? '\u003Cdiv class=\"cookietext\">' . wp_kses_post( $atts['before'] ) : '';\n+\t\t\t$after = isset( $atts['after'] ) ? wp_kses_post( $atts['after'] ) . '\u003C\u002Fdiv>' : '';\n \n \t\t\t$content = $before . $content . $after;\n \t\t} else {\n-\t\t\t$content = isset( $atts['unset'] ) ? $atts['unset'] : '';\n+\t\t\t$content = isset( $atts['unset'] ) ? wp_kses_post( $atts['unset'] ) : '';\n \t\t}\n \t}\n \treturn $content;\n@@ -100,7 +100,7 @@\n \t\t\t\t\t\t'httponly' => true,\n \t\t\t\t\t\t'samesite' => 'Strict', \u002F\u002F None || Lax || Strict\n \t\t\t\t\t);\n-\t\t\t\t\tsetcookie( 'leafext', time(), $arr_cookie_options );\n+\t\t\t\t\tsetcookie( 'leafext', (string) time(), $arr_cookie_options );\n \t\t\t\t\tif ( isset( $_POST['origin'] ) ) {\n \t\t\t\t\t\theader( 'Location: ' . esc_url_raw( wp_unslash( $_POST['origin'] ) ) );\n \t\t\t\t\t\texit;","1. Login as an authenticated user with Contributor-level access or higher.\n2. Create or edit a post and insert a shortcode using a malicious payload in the 'unset', 'before', or 'after' attributes. For example: `[leafext-cookie-time unset=\"\u003Cscript>alert('XSS')\u003C\u002Fscript>\"]`.\n3. Publish or update the post.\n4. Access the post as a visitor. \n - To trigger the 'unset' attribute payload, the visitor must not have the 'leafext' cookie set.\n - To trigger the 'before' or 'after' attributes, the visitor must have previously accepted the GDPR notice to set the 'leafext' cookie.\n5. The payload will execute in the user's browser as the attribute value is rendered directly into the page content without escaping.","gemini-3-flash-preview","2026-04-17 23:39:37","2026-04-17 23:40:01",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdsgvo-leaflet-map\u002Ftags\u002F3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdsgvo-leaflet-map.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdsgvo-leaflet-map\u002Ftags\u002F3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdsgvo-leaflet-map.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdsgvo-leaflet-map\u002Ftags"]