[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-hIbU8PtwtS-gWIXWAdtOHPEQdNZfa5higqjeOA15NM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25369","flexmls-idx-plugin-reflected-cross-site-scripting-2","Flexmls® IDX Plugin \u003C= 3.15.9 - Reflected Cross-Site Scripting","The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.15.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","flexmls-idx",null,"\u003C=3.15.9","3.15.10","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-16 00:00:00","2026-03-19 14:53:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F983b0fb8-a6e6-422e-ad90-325ad7aa628b?source=api-prod",4,[],"researched",false,3,"This plan outlines the steps to identify and exploit a Reflected Cross-Site Scripting (XSS) vulnerability in the Flexmls® IDX Plugin (\u003C= 3.15.9).\n\n### 1. Vulnerability Summary\nThe Flexmls® IDX Plugin is vulnerable to Reflected Cross-Site Scripting due to the improper neutralization of user-controlled input in frontend pages. Specifically, certain URL parameters (likely related to search queries, property IDs, or legacy links) are echoed back into the page source without sufficient sanitization (e.g., `sanitize_text_field`) or context-aware output escaping (e.g., `esc_html`, `esc_attr`). An unauthenticated attacker can craft a malicious URL that, when clicked by a user, executes arbitrary JavaScript in that user's browser session.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** Any frontend page or post containing a Flexmls® shortcode (e.g., `[flexmls_idx]`, `[flexmls_link]`) or the plugin's main property display logic.\n* **Vulnerable Parameters:** Likely parameters include `idx-link`, `idx_id`, `mls`, or `search_query` (inferred).\n* **Authentication:** No authentication is required (`PR:N`).\n* **User Interaction:** A user must be tricked into clicking a link containing the payload (`UI:R`).\n* **Preconditions:** The plugin must be active, and at least one page must exist that triggers the plugin's frontend rendering logic.\n\n### 3. Code Flow\n1. A user sends a GET request to a WordPress page with a malicious payload in a specific URL parameter.\n2. WordPress initializes and loads the Flexmls® IDX Plugin.\n3. The plugin's frontend handler or shortcode callback (e.g., `flexmls_idx_shortcode_handler` or similar function registered via `add_shortcode`) is invoked.\n4. The code retrieves the malicious parameter directly from `$_GET` or `$_REQUEST`.\n5. The code echoes this value into the HTML response, likely inside a hidden input field, a JavaScript variable, or as part of a \"No results found\" message.\n6. **Sink:** An `echo`, `printf`, or similar construct without an escaping function like `esc_attr()` or `esc_html()`.\n\n### 4. Nonce Acquisition Strategy\nReflected XSS in WordPress frontend pages typically occurs during the initial `GET` request and **does not require a nonce**, as nonces are used to protect against CSRF in state-changing operations (POST\u002FAJAX).\n\nHowever, if the vulnerability exists within an unauthenticated AJAX handler (`wp_ajax_nopriv_*`), follow this strategy:\n1. **Identify Nonce Key:** Search for `check_ajax_referer` or `wp_verify_nonce` in the plugin code.\n2. **Locate Localization:** Find the `wp_localize_script` call that exposes the nonce.\n * *Search command:* `grep -rn \"wp_localize_script\" .`\n3. **Create Trigger Page:** Create a page with the plugin's primary shortcode to ensure scripts are enqueued:\n * `wp post create --post_type=page --post_status=publish --post_title=\"IDX Page\" --post_content='[flexmls_idx]'`\n4. **Extract via Browser:** Navigate to the page and use `browser_eval` to extract the variable:\n * `browser_eval(\"window.flex_idx_params?.nonce\")` (Replace `flex_idx_params` and `nonce` with actual keys found in step 2).\n\n### 5. Exploitation Strategy\n1. **Source Discovery:** Run the following command to find potential reflected parameters:\n * `grep -rnP \"echo\\s+\\\\\\$_(GET|REQUEST|POST)\" wp-content\u002Fplugins\u002Fflexmls-idx\u002F`\n2. **Target Identification:** Look for parameters used in frontend display files (e.g., in `includes\u002F` or `public\u002F`). Let's assume the parameter is `idx-link`.\n3. **Craft Payload:** Use a standard alert-based XSS canary:\n * `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n4. **HTTP Request:** Use `http_request` to verify the reflection in the response.\n * **URL:** `http:\u002F\u002Flocalhost:8080\u002Fidx-page\u002F?idx-link=%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E`\n * **Method:** `GET`\n5. **Execution Verification:** Use `browser_navigate` to the URL and check for the alert dialog.\n\n### 6. Test Data Setup\n1. **Activate Plugin:** `wp plugin activate flexmls-idx`\n2. **Create Landing Page:** Create a page that includes the IDX functionality to ensure the vulnerable code path is hit.\n * `wp post create --post_type=page --post_status=publish --post_title=\"Property Search\" --post_content='[flexmls_idx]'`\n3. **Note the URL:** The page will likely be at `\u002Fproperty-search\u002F`.\n\n### 7. Expected Results\n* The HTTP response should contain the raw payload: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n* The payload should not be escaped (e.g., `<script>`).\n* When navigating to the URL in a browser, the JavaScript `alert(document.domain)` should execute.\n\n### 8. Verification Steps\n1. **Manual Check:** Inspect the page source via `http_request` and search for the script tag.\n2. **Automatic Check:** If the payload is reflected inside an attribute (e.g., `value=\"...\"`), verify it breaks out of the attribute and starts a new tag.\n3. **Code Audit:** Verify the patch (v3.15.10) by checking if `esc_attr()` or `sanitize_text_field()` was added to the identified parameter.\n\n### 9. Alternative Approaches\n* **Attribute Injection:** If `\u003C >` are filtered, try breaking out of an attribute using quotes: `\" onmouseover=\"alert(1)\" style=\"display:block;width:100%;height:100%`.\n* **JavaScript Context:** If the reflection is inside a `\u003Cscript>` block, use: `\";alert(1);\u002F\u002F`.\n* **Shortcode Attribute Reflection:** If the XSS is in a shortcode attribute, test if the plugin allows passing parameters from the URL directly into shortcode attributes (e.g., `[flexmls_idx link=\"...\"]` where `link` is populated by `$_GET['link']`).","The Flexmls® IDX Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to improper neutralization of user-controlled input in frontend property display logic. Unauthenticated attackers can execute arbitrary JavaScript in a user's browser by tricking them into clicking a malicious link containing unsanitized URL parameters.","\u002F\u002F In the frontend rendering logic, likely within a shortcode handler or search results page\n\u002F\u002F wp-content\u002Fplugins\u002Fflexmls-idx\u002Fincludes\u002Fclass-flexmls-idx-shortcodes.php (approximate)\n\nif (isset($_GET['idx-link'])) {\n $idx_link = $_GET['idx-link'];\n \u002F\u002F ... \n echo '\u003Cinput type=\"hidden\" name=\"idx-link\" id=\"idx-link\" value=\"' . $idx_link . '\">';\n}","--- a\u002Fwp-content\u002Fplugins\u002Fflexmls-idx\u002Fincludes\u002Fclass-flexmls-idx-shortcodes.php\n+++ b\u002Fwp-content\u002Fplugins\u002Fflexmls-idx\u002Fincludes\u002Fclass-flexmls-idx-shortcodes.php\n@@ -10,5 +10,5 @@\n if (isset($_GET['idx-link'])) {\n- $idx_link = $_GET['idx-link'];\n+ $idx_link = sanitize_text_field($_GET['idx-link']);\n \u002F\u002F ...\n- echo '\u003Cinput type=\"hidden\" name=\"idx-link\" id=\"idx-link\" value=\"' . $idx_link . '\">';\n+ echo '\u003Cinput type=\"hidden\" name=\"idx-link\" id=\"idx-link\" value=\"' . esc_attr($idx_link) . '\">';\n }","The exploit targets frontend pages utilizing the plugin's shortcodes. An attacker identifies a page containing Flexmls IDX components and appends a malicious payload to the 'idx-link' or similar URL parameter. The payload, such as '\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>', is designed to break out of an HTML attribute (like a hidden input's 'value' attribute) where the plugin reflects the input. Because the plugin fails to sanitize the input with functions like sanitize_text_field() or escape the output with esc_attr(), the browser executes the injected script when a victim visits the crafted URL. No authentication is required to perform this attack, but it relies on user interaction (clicking the link).","gemini-3-flash-preview","2026-04-18 03:28:43","2026-04-18 03:29:08",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","3.15.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fflexmls-idx\u002Ftags\u002F3.15.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fflexmls-idx.3.15.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fflexmls-idx\u002Ftags"]