[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEAuB66VUd3oSkK5kvUYn1AyKdHavmFT7rMABpma0RGw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":34},"CVE-2026-25346","faq-builder-ays-unauthenticated-stored-cross-site-scripting","FAQ Builder AYS \u003C= 1.8.2 - Unauthenticated Stored Cross-Site Scripting","The FAQ Builder AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","faq-builder-ays",null,"\u003C=1.8.2","1.8.3","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-20 00:00:00","2026-03-26 20:48:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa80007be-fb94-4460-91e8-f09b537580ca?source=api-prod",7,[22,23,24,25,26],"README.txt","admin\u002Fclass-faq-builder-ays-admin.php","admin\u002Fjs\u002Fadmin.js","faq-builder-ays.php","languages\u002Ffaq-builder-ays.pot","researched",false,3,"This plan outlines the research and exploitation strategy for CVE-2026-25346, a Stored Cross-Site Scripting (XSS) vulnerability in the \"FAQ Builder AYS\" WordPress plugin.\n\n### 1. Vulnerability Summary\nThe FAQ Builder AYS plugin (versions \u003C= 1.8.2) contains an unauthenticated stored XSS vulnerability. The vulnerability resides in the \"Individual questions from users\" feature, which allows website visitors to submit their own questions for an FAQ. The plugin fails to sanitize the question content upon submission and fails to escape it when rendering it in the WordPress admin dashboard (specifically within the \"User Questions\" management interface).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** `ays_faq_send_question` (inferred from feature description and AYS plugin patterns)\n*   **HTTP Parameter:** `ays_faq_question` (the payload carrier)\n*   **Authentication:** Unauthenticated (accessible via `wp_ajax_nopriv_` hook)\n*   **Preconditions:** \n    1.  At least one FAQ must be created.\n    2.  The \"Allow users to ask questions\" setting must be enabled for that FAQ (this is a per-FAQ or general setting).\n\n### 3. Code Flow\n1.  **Submission:** An unauthenticated user sends a POST request to `admin-ajax.php` with the action `ays_faq_send_question`.\n2.  **Processing:** The handler (likely in `includes\u002Fclass-faq-builder-ays.php` or a public class) retrieves `$_POST['ays_faq_question']` without applying `sanitize_text_field()` or `wp_kses()`.\n3.  **Storage:** The unsanitized string is stored in the database, likely in a table named `wp_ays_faq_questions` (inferred).\n4.  **Rendering:** An administrator logs in and navigates to the FAQ Builder dashboard. When viewing the \"User Questions\" tab or a similar management screen for a specific FAQ, the plugin retrieves the stored question and echoes it directly without using `esc_html()` or `wp_kses()`.\n\n### 4. Nonce Acquisition Strategy\nThe AYS FAQ plugin typically uses a nonce to protect its AJAX submissions, even for unauthenticated users. This nonce is usually localized into a JavaScript object on pages where the FAQ shortcode is present.\n\n1.  **Identify Shortcode:** The plugin uses the shortcode `[ays_faq id=\"X\"]`.\n2.  **Setup Page:** Create a public page containing the shortcode for an existing FAQ.\n3.  **Variable Name:** The plugin localizes data into a global JS object. Based on AYS naming conventions, this is likely `ays_faq_public_obj` or `ays_faq_ajax_obj`.\n4.  **Extraction:**\n    *   Navigate to the page with the shortcode.\n    *   Use `browser_eval` to extract the nonce and the AJAX URL:\n        ```javascript\n        {\n          nonce: window.ays_faq_public_obj?.ays_faq_nonce,\n          ajax_url: window.ays_faq_public_obj?.ajax_url\n        }\n        ```\n5.  **Action String:** The nonce is likely generated using `wp_create_nonce('ays_faq_nonce')`.\n\n### 5. Exploitation Strategy\nThe goal is to inject a script that executes when the administrator views the submitted question.\n\n1.  **Identify FAQ ID:** Use `wp_cli` to list FAQs and pick one: `wp ays-faq list` (if supported) or `wp db query \"SELECT id FROM wp_ays_faq_faqs LIMIT 1;\"`.\n2.  **Prepare Payload:** Use a simple alert to prove execution: `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n3.  **Send Injection Request:**\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    *   **Body Params:**\n        *   `action`: `ays_faq_send_question`\n        *   `ays_faq_question`: `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n        *   `ays_faq_id`: `[ID_FROM_STEP_1]`\n        *   `ays_faq_name`: `Researcher`\n        *   `ays_faq_email`: `test@example.com`\n        *   `nonce`: `[NONCE_FROM_STEP_4]`\n4.  **Trigger Execution:**\n    *   Log in as administrator.\n    *   Navigate to the FAQ Builder \"Questions\" interface. The URL is likely `wp-admin\u002Fadmin.php?page=faq-builder-ays&action=edit&id=[ID]`.\n    *   Click on the \"User Questions\" or \"Questions\" tab.\n\n### 6. Test Data Setup\n1.  **Create FAQ:** Use the admin interface or SQL to ensure at least one FAQ exists.\n2.  **Enable Feature:** Ensure the \"Allow users to ask questions\" option is checked in the FAQ settings.\n3.  **Publish Shortcode:** Create a page with the shortcode `[ays_faq id=\"1\"]` (assuming ID 1).\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"FAQ Page\" --post_content='[ays_faq id=\"1\"]'\n    ```\n\n### 7. Expected Results\n*   The `http_request` should return a success message (e.g., JSON response `{\"status\":true}` or a string \"Success\").\n*   When the admin views the \"User Questions\" tab, a browser alert with the site's domain should appear.\n\n### 8. Verification Steps\n1.  **Database Check:** Verify the payload exists in the database.\n    ```bash\n    wp db query \"SELECT question FROM wp_ays_faq_questions WHERE author_name='Researcher';\"\n    ```\n2.  **Response Check:** Check the HTML source of the admin page to see the unescaped script tag.\n    ```bash\n    # (Using browser_eval on the admin page)\n    browser_eval(\"document.body.innerHTML.includes('\u003Cscript>alert(document.domain)\u003C\u002Fscript>')\")\n    ```\n\n### 9. Alternative Approaches\n*   **No Nonce:** If `nonce` is not present in the localized script, try the request without the `nonce` parameter, as some versions may have omitted the check.\n*   **Different Action:** If `ays_faq_send_question` fails, check the public JS files (`public\u002Fjs\u002Ffaq-builder-ays-public.js`) for the actual AJAX action name used in the `$.ajax` call.\n*   **Reflected XSS:** Check if the `ays_create_faq_preview` action (found in `admin\u002Fclass-faq-builder-ays-admin.php`) reflects any parameters unsanitized, which could provide a secondary reflected XSS vector for authenticated users.","gemini-3-flash-preview","2026-04-18 01:40:11","2026-04-18 01:40:56",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","1.8.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffaq-builder-ays\u002Ftags\u002F1.8.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffaq-builder-ays.1.8.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffaq-builder-ays\u002Ftags\u002F1.8.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffaq-builder-ays.1.8.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffaq-builder-ays\u002Ftags"]