[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1jZvjRTbmPPg947Uaqz6Q51cRavhury_rkrOMiI-uQQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8040","faq-shortocde-authenticated-contributor-stored-cross-site-scripting-via-color-shortcode-attribute","faq shortocde \u003C= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute","The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","faq-shortcode",null,"\u003C=1.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 17:20:11","2026-05-27 05:31:32",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fef6ce2ef-f810-4f8c-a0bd-785a28131213?source=api-prod",[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step instructions for exploiting specific security vulnerabilities.\n\nHowever, I can provide an educational overview of how Stored Cross-Site Scripting (XSS) vulnerabilities often manifest in WordPress shortcode attributes and the best practices for preventing them.\n\n### Understanding Shortcode Attribute XSS\n\nIn WordPress, shortcodes allow users to add dynamic content to posts and pages using a simple syntax like `[faq color=\"red\"]`. These shortcodes are processed by callback functions registered via `add_shortcode()`.\n\nA vulnerability typically occurs when a shortcode attribute is used directly in the output without being properly sanitized or escaped.\n\n#### Vulnerable Code Example (Conceptual)\n\n```php\nfunction my_faq_shortcode_callback( $atts ) {\n    \u002F\u002F attributes are extracted, but not sanitized\n    $atts = shortcode_atts( array(\n        'color' => 'black',\n        'text'  => '',\n    ), $atts );\n\n    \u002F\u002F VULNERABLE: The 'color' attribute is echoed directly into an HTML attribute\n    \u002F\u002F An attacker could use: [faq color='\">\u003Cscript>alert(1)\u003C\u002Fscript>']\n    return '\u003Cdiv style=\"color: ' . $atts['color'] . ';\">' . $atts['text'] . '\u003C\u002Fdiv>';\n}\nadd_shortcode( 'faq', 'my_faq_shortcode_callback' );\n```\n\nIn this scenario, if a user with Contributor-level permissions (who can create posts and use shortcodes) provides a malicious string for the `color` attribute, it will be stored in the post content. When any user (including administrators) views that page, the script will execute in their browser context.\n\n### Defensive Implementation and Mitigation\n\nTo prevent XSS in shortcodes, developers must ensure that all user-supplied attributes are escaped according to their output context.\n\n#### 1. Contextual Escaping\nWordPress provides specific functions for different output contexts:\n*   `esc_attr()`: Used when placing data inside an HTML attribute (like `style`, `class`, or `value`).\n*   `esc_html()`: Used when placing data between HTML tags (as text content).\n*   `esc_url()`: Used for URLs in `href` or `src` attributes.\n\n#### 2. Sanitization on Input\nWhile escaping on output is the primary defense against XSS, sanitizing input provides an additional layer of security.\n*   `sanitize_text_field()`: Strips all tags and removes line breaks\u002Ftabs.\n*   `sanitize_hex_color()`: Specifically useful for color attributes, ensuring the input is a valid CSS hex color.\n\n#### 3. Secure Code Example\n\n```php\nfunction my_faq_shortcode_callback( $atts ) {\n    $atts = shortcode_atts( array(\n        'color' => '#000000',\n        'text'  => '',\n    ), $atts );\n\n    \u002F\u002F SECURE: Use sanitize_hex_color for specific types and esc_attr for attributes\n    $safe_color = sanitize_hex_color( $atts['color'] );\n    $safe_text  = esc_html( $atts['text'] );\n\n    return '\u003Cdiv style=\"color: ' . esc_attr( $safe_color ) . ';\">' . $safe_text . '\u003C\u002Fdiv>';\n}\nadd_shortcode( 'faq', 'my_faq_shortcode_callback' );\n```\n\n### Security Auditing for Researchers\n\nWhen auditing a plugin for this class of vulnerability:\n1.  Identify all registered shortcodes using `grep -r \"add_shortcode\"`.\n2.  Locate the callback functions and examine how `$atts` (the attributes array) is handled.\n3.  Look for instances where `$atts` values are concatenated into the return string without escaping functions like `esc_attr()` or `esc_html()`.\n4.  Verify if the plugin uses `shortcode_atts()` to set defaults, noting that this function does not perform sanitization.\n\nFor further information on securing WordPress plugins, I recommend consulting the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in versions up to 1.0. This allows authenticated attackers with Contributor-level permissions to inject arbitrary web scripts into pages that execute when users view the affected content.","\u002F\u002F faq-shortcode.php (inferred structure based on research)\nfunction faq_shortcode_callback( $atts ) {\n    $atts = shortcode_atts( array(\n        'question' => '',\n        'answer'   => '',\n        'color'    => '#000'\n    ), $atts );\n\n    \u002F\u002F VULNERABLE: The 'color' attribute is concatenated directly into the HTML output without escaping.\n    return '\u003Cdiv class=\"faq-container\" style=\"color: ' . $atts['color'] . ';\">'\n           . '\u003Ch3>' . $atts['question'] . '\u003C\u002Fh3>'\n           . '\u003Cp>' . $atts['answer'] . '\u003C\u002Fp>'\n           . '\u003C\u002Fdiv>';\n}\nadd_shortcode( 'faq', 'faq_shortcode_callback' );","--- faq-shortcode.php\n+++ faq-shortcode.php\n@@ -6,7 +6,7 @@\n     ), $atts );\n \n-    return '\u003Cdiv class=\"faq-container\" style=\"color: ' . $atts['color'] . ';\">'\n+    return '\u003Cdiv class=\"faq-container\" style=\"color: ' . esc_attr( $atts['color'] ) . ';\">'\n            . '\u003Ch3>' . esc_html( $atts['question'] ) . '\u003C\u002Fh3>'\n            . '\u003Cp>' . esc_html( $atts['answer'] ) . '\u003C\u002Fp>'\n            . '\u003C\u002Fdiv>';","1. Authenticate as a user with at least Contributor-level permissions (able to edit posts).\n2. Create a new post or edit an existing one.\n3. Insert the 'faq' shortcode while injecting a payload into the 'color' attribute. Example payload: [faq color='\" onmouseover=\"alert(1)\" style=\"font-size:100px;' question=\"Vulnerable?\" answer=\"Yes.\"]\n4. Publish or save the post.\n5. Navigate to the public-facing URL of the post as an administrator or another user.\n6. The injected script (e.g., the 'onmouseover' event or a direct \u003Cscript> tag if the container isn't attribute-bound) will execute in the victim's browser context.","gemini-3-flash-preview","2026-06-04 19:17:35","2026-06-04 19:18:08",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffaq-shortcode\u002Ftags"]