# CVE-2026-1986: FloristPress for Woo <= 7.8.2 - Reflected Cross-Site Scripting via 'noresults' Parameter

**Plugin:** `bakkbone-florist-companion` (FloristPress for Woo – Customize your eCommerce store for your Florist)
**Affected versions:** <= 7.8.2
**Patched in:** 7.8.3 (1 day to patch)
**Severity:** medium, CVSS 6.1 (`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`)
**Vulnerability type:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
**Published:** 2026-03-25 14:09:09 · **Updated:** 2026-03-26 02:25:20
**Files changed by the patch:** `bakkbone-florist-companion.php`, `readme.txt`, `src/core/ajax.php`
**Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/ea3b6fa6-1b58-40c2-8ec2-8a9211069f11?source=api-prod

**Source:**
*   Vulnerable 7.8.2: https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/tags/7.8.2 (zip: https://downloads.wordpress.org/plugin/bakkbone-florist-companion.7.8.2.zip)
*   Fixed 7.8.3: https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/tags/7.8.3 (zip: https://downloads.wordpress.org/plugin/bakkbone-florist-companion.7.8.3.zip)
*   All tags: https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/tags

**Research status:** researched (3 rounds completed; not independently verified). Model: gemini-3-flash-preview, run 2026-04-17 22:52:12 to 2026-04-17 22:52:34. Proof of concept: none recorded.

## Description

The FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and including, 7.8.2 due to insufficient input sanitization and output escaping on the user-supplied 'noresults' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

## Exploitation Research Plan: CVE-2026-1986 - FloristPress for Woo Reflected XSS

### 1. Vulnerability Summary
The **FloristPress for Woo** plugin (<= 7.8.2) is vulnerable to **Reflected Cross-Site Scripting (XSS)** via the `noresults` parameter. This occurs because the plugin accepts a user-supplied string via the URL to customize "no results" messages (likely for suburb or delivery searches) and echoes it back into the page without proper sanitization or escaping using functions like `esc_html()`.

### 2. Attack Vector Analysis
*   **Endpoint**: Any front-end page or post containing the `[bkf_suburb_search]` shortcode.
*   **Parameter**: `noresults` (GET parameter).
*   **Authentication**: Unauthenticated (Public-facing).
*   **Preconditions**: A page must exist that processes the `noresults` parameter, typically one utilizing the plugin's search shortcodes.
*   **Vector**: `http://<target>/suburb-search/?noresults=<script>alert(document.domain)</script>`

### 3. Code Flow
1.  **Entry Point**: A user accesses a URL containing the `noresults` parameter.
2.  **Shortcode Execution**: The WordPress engine parses the `[bkf_suburb_search]` shortcode, which is registered in `src/core/shortcodes.php` and instantiated in the main plugin file (`new BKF_Shortcodes()`).
3.  **Vulnerable Logic (Inferred)**: Inside the `BKF_Shortcodes` class (likely the method handling `bkf_suburb_search`), the code checks for the presence of `$_GET['noresults']`.
4.  **Sink**: The code echoes the value of `$_GET['noresults']` directly into the HTML output to display a custom "no results found" message to the user, bypassing security filters.
    *   *Hypothetical Code*:
        ```php
        $msg = isset($_GET['noresults']) ? $_GET['noresults'] : __('No results found', 'bakkbone-florist-companion');
        echo '<div class="bkf-search-notice">' . $msg . '</div>';
        ```

This flow was inferred before reading the plugin source; the code review in later rounds located the actual sink in the AJAX handler in `src/core/ajax.php` (the alternative path in section 9 and the vulnerable code quoted below), not in a shortcode renderer.

### 4. Nonce Acquisition Strategy
This is a **Reflected XSS** in a **GET parameter** used during page rendering.
*   **Nonce Requirement**: None. The vulnerability is triggered during a standard page load (`GET` request). Nonces are generally not used for reflecting URL parameters in view-only logic.

### 5. Exploitation Strategy
1.  **Identify Target Page**: Create or identify a page containing the `[bkf_suburb_search]` shortcode.
2.  **Construct Payload**: Create a URL-encoded XSS payload.
    *   Payload: `<script>alert('XSS_VULNERABLE')</script>`
    *   Encoded: `%3Cscript%3Ealert('XSS_VULNERABLE')%3C/script%3E`
3.  **Execute Request**: Use the `http_request` tool to request the page with the malicious parameter.
4.  **Observe Reflection**: Inspect the HTML response to confirm the script is rendered unescaped.

### 6. Test Data Setup
To ensure the shortcode is active and the parameter is processed:
1.  **Create a Page**:
    ```bash
    wp post create --post_type=page --post_title="Suburb Search" --post_status=publish --post_content='[bkf_suburb_search]'
    ```
2.  **Enable Plugin Features**: Ensure the main "FloristPress" features are active (though shortcodes are usually active by default upon plugin activation).

### 7. Expected Results
*   **Response Body**: The raw HTML response should contain the string `<script>alert('XSS_VULNERABLE')</script>` literally, rather than the escaped version `&lt;script&gt;...`.
*   **Execution**: If viewed in a browser, a JavaScript alert box would appear.

### 8. Verification Steps
1.  **Automated Request**:
    ```javascript
    // Use http_request to fetch the page
    const response = await http_request({
        url: "http://localhost:8080/suburb-search/?noresults=<script>alert('XSS')</script>",
        method: "GET"
    });

    // Check if the payload is reflected unescaped
    if (response.body.includes("<script>alert('XSS')</script>")) {
        console.log("Vulnerability Confirmed: Payload reflected unescaped.");
    }
    ```
2.  **Source Code Inspection**: Use `grep` on the plugin directory to find the exact sink:
    ```bash
    grep -rn "noresults" /var/www/html/wp-content/plugins/bakkbone-florist-companion/src/core/
    ```

### 9. Alternative Approaches
*   **Attribute Injection**: If the parameter is reflected inside an input value or HTML attribute, use a breakout payload:
    *   Payload: `" onmouseover="alert(1)" type="text`
    *   URL: `?noresults=%22%20onmouseover%3D%22alert(1)%22%20type%3D%22text`
*   **AJAX Reflection**: If the parameter is reflected in the AJAX search results rather than the initial page load, test the `wp_ajax_nopriv_bkf_search_suburbs_frontend` action found in `src/core/ajax.php`.
    *   Request: `POST /wp-admin/admin-ajax.php`
    *   Body: `action=bkf_search_suburbs_frontend&s=nonexistent&noresults=<script>alert(1)</script>`

## Research Summary

The FloristPress for Woo plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' and 'header' parameters in the `search_suburbs_frontend` handler (AJAX action `bkf_search_suburbs_frontend`). This occurs because the plugin echoes user-supplied input without proper sanitization or escaping, allowing unauthenticated attackers to execute arbitrary web scripts if they can trick a user into clicking a crafted link.

## Vulnerable Code

```php
// src/core/ajax.php (line 1571)
		if (count($result)) {
			$resulthtml = '<h2 class="bkf-suburb-search-results-header">'.stripslashes($_REQUEST['header']).'</h2>';

---

// src/core/ajax.php (line 1580)
		} else {
			$resulthtml = '<div class="bkf-suburb-search-results-noresults"><p>'.stripslashes($_REQUEST['noresults']).'</p></div>';
		}
```

## Exploit Outline

The exploit targets the public AJAX action `bkf_search_suburbs_frontend`. An attacker can craft a URL pointing to `wp-admin/admin-ajax.php` with the `action` parameter set to `bkf_search_suburbs_frontend`. By supplying a malicious script in the `noresults` (for failed searches) or `header` (for successful searches) parameters, the script is reflected back into the response body and executed in the victim's browser context. Authentication is not required as the action is registered for unauthenticated users via `wp_ajax_nopriv`.

## Fix Diff (7.8.2 to 7.8.3, `src/core/ajax.php`)

```diff
--- /home/deploy/wp-safety.org/data/plugin-versions/bakkbone-florist-companion/7.8.2/src/core/ajax.php	2026-01-06 03:13:28.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/bakkbone-florist-companion/7.8.3/src/core/ajax.php	2026-03-21 09:32:38.000000000 +0000
@@ -1571,7 +1571,7 @@
 			}
 		}
 		if (count($result)) {
-			$resulthtml = '<h2 class="bkf-suburb-search-results-header">'.stripslashes($_REQUEST['header']).'</h2>';
+			$resulthtml = '<h2 class="bkf-suburb-search-results-header">'.stripslashes(wp_kses($_REQUEST['header'])).'</h2>';
 			foreach ($result as $suburb => $methods) {
 				$resulthtml .= '<div class="bkf-suburb-search-results-item"><h3><strong>'.$suburb.'</strong></h3><ul>';
 				foreach ($methods as $method) {
@@ -1580,7 +1580,7 @@
 				$resulthtml .= '</ul></div>';
 			}
 		} else {
-			$resulthtml = '<div class="bkf-suburb-search-results-noresults"><p>'.stripslashes($_REQUEST['noresults']).'</p></div>';
+			$resulthtml = '<div class="bkf-suburb-search-results-noresults"><p>'.stripslashes(wp_kses($_REQUEST['noresults'])).'</p></div>';
 		}
 		echo $resulthtml;
 		die();
```
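Review bot: in the `@@ -1571,7 +1571,7 @@` hunk, the `+` line's `wp_kses($_REQUEST['header'])` omits the required `$allowed_html` argument (core declares `wp_kses( $content, $allowed_html, $allowed_protocols = array() )`), so on PHP 7.1 and later every search that returns results throws `ArgumentCountError` instead of rendering; the XSS is gone only because the endpoint is now broken. The value is a text node inside `<h2>`, so `esc_html( wp_unslash( $_REQUEST['header'] ) )` is the right call, unslashing before sanitising rather than `stripslashes(wp_kses(...))`; if markup genuinely has to be allowed, use `wp_kses_post()`. The unchanged context line `'<strong>'.$suburb.'</strong>'` still concatenates stored data unescaped and should get `esc_html()` in the same change.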
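Review bot: in the `@@ -1580,7 +1580,7 @@` hunk, the `+` line has the same single-argument `wp_kses()` call, and this branch is the easier one to reach: any `s` value with no matching suburb takes the `else` path, so an unauthenticated GET triggers the `ArgumentCountError`. Replace it with `esc_html( wp_unslash( $_REQUEST['noresults'] ) )`. Since the fragment is `echo`'d and `die()`'d from a `nopriv` admin-ajax action that reads `$_REQUEST`, a plain link is enough to deliver the payload; reading these parameters from `$_POST` only would remove the link-click delivery route, but output escaping is the actual fix.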
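The two sinks quoted above, rebuilt as a pure function with a hardened counterpart, as an added example that is not code from the plugin or its 7.8.3 patch. The function names, the `$request`/`$result` arrays, the fallback defaults and the `<li>` markup for each delivery method (which the diff does not show) are assumptions made for this demonstration; the `esc_html()`/`wp_unslash()` fallbacks only exist so the file runs outside WordPress and approximate the core functions.

```php
<?php
// Added example (not plugin or patch code). Rebuilds the two sinks from
// src/core/ajax.php as a pure function, then shows the hardened form.
// Function names, the $request/$result arrays and the <li> markup per
// delivery method (elided in the diff) are assumptions made for this demo.

// Fallbacks so the file runs outside WordPress (`php example.php`); inside
// WordPress the core functions of the same name are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return is_array($value) ? array_map('wp_unslash', $value) : stripslashes((string) $value);
    }
}

// 7.8.2 behaviour: request text goes straight into the HTML fragment.
function render_results_vulnerable(array $result, array $request): string {
    if (count($result)) {
        $html = '<h2 class="bkf-suburb-search-results-header">' . stripslashes($request['header']) . '</h2>';
        foreach ($result as $suburb => $methods) {
            $html .= '<div class="bkf-suburb-search-results-item"><h3><strong>' . $suburb . '</strong></h3><ul>';
            foreach ($methods as $method) {
                $html .= '<li>' . $method . '</li>'; // assumed markup; not shown in the diff
            }
            $html .= '</ul></div>';
        }
        return $html;
    }
    return '<div class="bkf-suburb-search-results-noresults"><p>' . stripslashes($request['noresults']) . '</p></div>';
}

// Hardened: unslash first (WordPress slashes $_REQUEST), then escape for the
// context. Both values are text nodes inside <h2>/<p>, so esc_html() is the
// correct escaper and no HTML allowlist is needed. Missing parameters fall
// back to fixed defaults (assumed here) instead of raising a PHP notice.
function render_results_hardened(array $result, array $request): string {
    $header    = esc_html(wp_unslash($request['header'] ?? 'Delivery options'));
    $noresults = esc_html(wp_unslash($request['noresults'] ?? 'No results found'));
    if (count($result)) {
        $html = '<h2 class="bkf-suburb-search-results-header">' . $header . '</h2>';
        foreach ($result as $suburb => $methods) {
            // Stored data, but escape it anyway: an admin-entered suburb name
            // should not be able to inject markup either.
            $html .= '<div class="bkf-suburb-search-results-item"><h3><strong>' . esc_html($suburb) . '</strong></h3><ul>';
            foreach ($methods as $method) {
                $html .= '<li>' . esc_html($method) . '</li>';
            }
            $html .= '</ul></div>';
        }
        return $html;
    }
    return '<div class="bkf-suburb-search-results-noresults"><p>' . $noresults . '</p></div>';
}

// Constructed request, as it would arrive from
// admin-ajax.php?action=bkf_search_suburbs_frontend&s=nonexistent&noresults=...
// WordPress adds slashes to request values, so the sample is slashed the same way.
$request = [
    'header'    => addslashes('<img src=x onerror="alert(document.domain)">'),
    'noresults' => addslashes("<script>alert('XSS')</script>"),
];
$noMatch = [];                                   // empty result: noresults branch
$match   = ['Carlton' => ['Same-day delivery']]; // one hit: header branch (constructed data)

// 7.8.2 form reflects both payloads verbatim.
$cases = [
    [render_results_vulnerable($noMatch, $request), '<script>'],
    [render_results_vulnerable($match, $request),   '<img src=x onerror='],
];
foreach ($cases as [$html, $marker]) {
    if (strpos($html, $marker) === false) {
        throw new RuntimeException('expected the payload to be reflected unescaped');
    }
}

// Hardened form keeps the text visible but inert.
$safe = render_results_hardened($noMatch, $request) . render_results_hardened($match, $request);
if (strpos($safe, '<script>') !== false || strpos($safe, '<img') !== false) {
    throw new RuntimeException('hardened output still contains attacker markup');
}
if (strpos($safe, '&lt;script&gt;') === false) {
    throw new RuntimeException('payload should appear as escaped text');
}
echo $safe, PHP_EOL;
```

Run it with `php example.php`; it exits non-zero if either the vulnerable rendering fails to reflect the payload or the hardened rendering lets any markup through. The design point is that escaping is chosen by output context, not by sanitising input: these values are text inside `<h2>` and `<p>`, so `esc_html()` is sufficient and an allowlist filter is unnecessary. If the messages genuinely had to carry HTML, `wp_kses_post()` supplies the post allowlist that `wp_kses()` requires as its second argument.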