[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fM9UCQyFvGCRRoDZ2G9k2fJF1Xs45Q9ZvXyNSbuCcE4g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-3574","experto-dashboard-for-woocommerce-authenticated-administrator-stored-cross-site-scripting-via-navigation-font-size-setti","Experto Dashboard for WooCommerce \u003C= 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Navigation Font Size' Setting","The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings fields (including 'Navigation Font Size', 'Navigation Font Weight', 'Heading Font Size', 'Heading Font Weight', 'Text Font Size', and 'Text Font Weight') in all versions up to and including 1.0.4. This is due to insufficient input sanitization (no sanitize callback in register_setting()) and missing output escaping (no esc_attr() in the field_callback() printf output) on user-supplied values. 
This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever a user accesses the settings page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","experto-custom-dashboard",null,"\u003C=1.0.4","1.0.5","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-08 00:00:00","2026-04-09 02:25:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa070f19e-9f65-499d-87c0-65be12d4be84?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-3574\n\n## 1. Vulnerability Summary\nThe **Experto Dashboard for WooCommerce** plugin (up to version 1.0.4) is vulnerable to **Stored Cross-Site Scripting (XSS)** via its configuration settings. Specifically, several font-related settings (e.g., 'Navigation Font Size', 'Navigation Font Weight') are registered using `register_setting()` without a `sanitize_callback`. Furthermore, when these settings are rendered on the plugin's administration page, the output is generated using a callback function (e.g., `field_callback()`) that uses `printf()` to echo the current values without context-appropriate escaping (such as `esc_attr()`).\n\nIn WordPress environments where `unfiltered_html` is disabled (like Multi-site or specific security hardened sites), an Administrator can inject malicious scripts into these fields. These scripts execute whenever an administrator visits the plugin's settings page, potentially allowing for session hijacking or unauthorized administrative actions.\n\n## 2. 
Attack Vector Analysis\n*   **Target Endpoint:** `wp-admin\u002Foptions.php` (Standard handler for the WordPress Settings API).\n*   **Vulnerable Parameters:** \n    *   `experto_dashboard_nav_font_size` (inferred)\n    *   `experto_dashboard_nav_font_weight` (inferred)\n    *   `experto_dashboard_heading_font_size` (inferred)\n    *   `experto_dashboard_heading_font_weight` (inferred)\n    *   `experto_dashboard_text_font_size` (inferred)\n    *   `experto_dashboard_text_font_weight` (inferred)\n*   **Authentication Required:** Administrator level or higher.\n*   **Preconditions:** The plugin must be active. The exploit is most relevant in environments where `DISALLOW_UNFILTERED_HTML` is set to `true` or in a Multi-site installation where the user is a Site Admin but not a Network Super Admin.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin uses the `admin_init` hook to call `register_setting()`.\n2.  **Missing Sanitization:** `register_setting( 'experto_dashboard_settings_group', 'experto_dashboard_nav_font_size', array() )` is called. The third parameter (args) lacks the `sanitize_callback` key.\n3.  **Field Definition:** `add_settings_field()` is called to add the input to the UI, specifying a callback (e.g., `field_callback`).\n4.  **Vulnerable Rendering:**\n    ```php\n    \u002F\u002F Example of vulnerable code in the plugin\n    function field_callback($args) {\n        $value = get_option('experto_dashboard_nav_font_size');\n        \u002F\u002F VULNERABILITY: No esc_attr() used here\n        printf('\u003Cinput type=\"text\" name=\"experto_dashboard_nav_font_size\" value=\"%s\" \u002F>', $value);\n    }\n    ```\n5.  **Storage:** When the admin submits the form, `options.php` saves the raw input into the `wp_options` table.\n6.  **Execution:** When the settings page is reloaded, the raw payload is echoed into the `value` attribute, breaking out of it to execute JavaScript.\n\n## 4. 
Nonce Acquisition Strategy\nTo update settings via `options.php`, two hidden fields are required: `option_page` and `_wpnonce`.\n\n1.  **Navigate to Settings Page:** The settings page is likely located at `wp-admin\u002Fadmin.php?page=experto-dashboard-settings` (slug inferred from plugin name).\n2.  **Identify Option Group:** Look for the hidden input `name=\"option_page\"`.\n3.  **Extract Nonce:** Use `browser_eval` to extract the nonce generated for that specific option group.\n\n**Execution Command:**\n```javascript\n\u002F\u002F Within the settings page context\nconst optionPage = document.querySelector('input[name=\"option_page\"]')?.value;\nconst nonce = document.querySelector('input[name=\"_wpnonce\"]')?.value;\nconsole.log({optionPage, nonce});\n```\n\n## 5. Exploitation Strategy\n1.  **Preparation:** Log in to the WordPress instance as an Administrator.\n2.  **Discovery:** Navigate to the Experto Dashboard settings page. Identify the exact field names for the font size settings and the `option_page` name.\n3.  **Payload Crafting:**\n    *   Target field: `experto_dashboard_nav_font_size`\n    *   Payload: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n4.  **Submission:** Use the `http_request` tool to send a POST request to `wp-admin\u002Foptions.php`.\n    *   **Method:** POST\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** \n        `option_page=[EXTRACTED_OPTION_PAGE]&action=update&_wpnonce=[EXTRACTED_NONCE]&experto_dashboard_nav_font_size=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n5.  **Trigger:** Navigate back to the plugin's settings page.\n\n## 6. Test Data Setup\n1.  Install and activate **Experto Dashboard for WooCommerce** (experto-custom-dashboard) \u003C= 1.0.4.\n2.  Ensure WooCommerce is installed and active (as the plugin depends on it).\n3.  Create an Administrator user.\n4.  
(Optional) Add `define( 'DISALLOW_UNFILTERED_HTML', true );` to `wp-config.php` to simulate the restricted environment where this vulnerability is most critical.\n\n## 7. Expected Results\n*   The `options.php` request should return a `302 Found` redirect back to the settings page with a `settings-updated=true` parameter.\n*   Upon navigating to the settings page, the browser should execute the `alert(document.domain)` script.\n*   The HTML source of the page should show: `\u003Cinput ... value=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" \u002F>`.\n\n## 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the payload is stored in the database.\n    ```bash\n    wp option get experto_dashboard_nav_font_size\n    ```\n    *Result should match the injected payload.*\n2.  **UI Check:** Navigate to the settings page and check for the presence of the payload in the raw HTML response.\n    ```bash\n    # After navigating via browser_navigate\n    browser_eval(\"document.body.innerHTML.includes('\u003Cscript>alert(document.domain)\u003C\u002Fscript>')\")\n    ```\n\n## 9. Alternative Approaches\n*   **Attribute Breakout:** If the input is placed within a different HTML tag or context (e.g., inside a `style` tag), use appropriate payloads like `12px; \u003C\u002Fstyle>\u003Cscript>alert(1)\u003C\u002Fscript>`.\n*   **Event Handlers:** If `\u003Cscript>` tags are filtered by an intermediary WAF but the plugin remains vulnerable, try event handlers:\n    `\" onmouseover=\"alert(1)` or `\" autofocus onfocus=\"alert(1)`\n*   **Other Fields:** The vulnerability is reported in multiple font size and weight fields. If `nav_font_size` is sanitized, attempt the exploit on `heading_font_weight` or `text_font_size`.","The Experto Dashboard for WooCommerce plugin is vulnerable to Stored Cross-Site Scripting via several font-related configuration settings. 
Because the plugin fails to sanitize user input on registration and fails to escape output in the administrative UI, an authenticated attacker with administrative privileges can inject malicious scripts that execute whenever an administrator visits the settings page.","\u002F\u002F Within the plugin's administration logic (e.g., admin\u002Fclass-experto-dashboard-admin.php or similar)\n\n\u002F\u002F 1. Missing sanitization in registration\nregister_setting('experto_dashboard_settings_group', 'experto_dashboard_nav_font_size');\nregister_setting('experto_dashboard_settings_group', 'experto_dashboard_nav_font_weight');\n\n---\n\n\u002F\u002F 2. Missing output escaping in field callbacks\nfunction field_callback($args) {\n    $value = get_option('experto_dashboard_nav_font_size');\n    \u002F\u002F VULNERABILITY: The value is echoed directly into the attribute without esc_attr()\n    printf('\u003Cinput type=\"text\" name=\"experto_dashboard_nav_font_size\" value=\"%s\" \u002F>', $value);\n}","--- a\u002Fexperto-custom-dashboard.php\n+++ b\u002Fexperto-custom-dashboard.php\n@@ -20,7 +20,7 @@\n-    register_setting( 'experto_dashboard_settings_group', 'experto_dashboard_nav_font_size' );\n+    register_setting( 'experto_dashboard_settings_group', 'experto_dashboard_nav_font_size', 'sanitize_text_field' );\n@@ -45,5 +45,5 @@\n function field_callback($args) {\n     $value = get_option('experto_dashboard_nav_font_size');\n-    printf('\u003Cinput type=\"text\" name=\"experto_dashboard_nav_font_size\" value=\"%s\" \u002F>', $value);\n+    printf('\u003Cinput type=\"text\" name=\"experto_dashboard_nav_font_size\" value=\"%s\" \u002F>', esc_attr($value));\n }","The exploit requires an attacker with Administrator access to bypass unfiltered_html restrictions (common in multisite or hardened WordPress environments). \n\n1. The attacker navigates to the Experto Dashboard settings page within the WordPress admin dashboard.\n2. 
The attacker identifies one of the vulnerable font setting fields, such as 'Navigation Font Size' or 'Navigation Font Weight'.\n3. The attacker crafts a payload that breaks out of the HTML input attribute: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n4. The attacker submits the settings form. This request is sent to `wp-admin\u002Foptions.php` with the appropriate `option_page` and `_wpnonce` values.\n5. Because the plugin lacks a `sanitize_callback`, the raw script is saved to the `wp_options` table.\n6. Every time an administrator visits the plugin's settings page, the `get_option()` call retrieves the payload and `printf()` renders it directly into the HTML without escaping, triggering the execution of the script in the context of the user's browser session.","gemini-3-flash-preview","2026-04-17 20:21:58","2026-04-17 20:22:18",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fexperto-custom-dashboard\u002Ftags"]
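Review bot: in the first hunk (`@@ -20,7 +20,7 @@`) only `experto_dashboard_nav_font_size` gains a sanitizer, while the advisory text lists six affected fields and the vulnerable snippet on this page also registers `experto_dashboard_nav_font_weight` with no callback. Apply the same change to every font size and font weight setting, and pass the callback as `array( 'sanitize_callback' => 'sanitize_text_field' )` so it matches the `sanitize_callback` key the description refers to. Because these values are font sizes and weights, a validator that accepts only the expected value format would be a tighter fix than generic text sanitization.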
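Review bot: in the second hunk (`@@ -45,5 +45,5 @@`) `field_callback($args)` ignores `$args` and hard-codes `experto_dashboard_nav_font_size`, so the added `esc_attr($value)` covers the output of one field only. The other five settings named in the advisory need the same escaping wherever they are printed; reading the option name from `$args` and escaping both the `name` and `value` attributes would let one callback cover all of them. The page marks this code flow as inferred, so confirm against the 1.0.5 source that each rendering path is escaped.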