[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmluei7wo0LwnMq99Sv6qfvsmFSlaiA8UgygS5Zc5Njg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39693","fsm-custom-featured-image-caption-authenticated-author-stored-cross-site-scripting","FSM Custom Featured Image Caption \u003C= 1.25.1 - Authenticated (Author+) Stored Cross-Site Scripting","The FSM Custom Featured Image Caption plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.25.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","fsm-custom-featured-image-caption",null,"\u003C=1.25.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-25 00:00:00","2026-04-15 21:31:00",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe4af4769-f897-4d44-93d4-9dbb6f142678?source=api-prod",[],"researched",false,3,"This research plan details the analysis and exploitation strategy for **CVE-2026-39693**, a Stored Cross-Site Scripting vulnerability in the **FSM Custom Featured Image Caption** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **FSM Custom Featured Image Caption** plugin allows users to add custom text\u002Fcaptions to featured images. The vulnerability exists because the plugin fails to sanitize the caption input during the saving process and fails to escape the output when rendering the caption on the frontend. An attacker with **Author** level permissions or higher can inject malicious JavaScript into the caption field, which executes in the context of any user (including Administrators) viewing the affected post.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post Editor (`\u002Fwp-admin\u002Fpost.php`) or the Media Library.\n*   **Vulnerable Parameter:** A custom metadata field likely named `fsm_caption` or similar (inferred based on plugin functionality).\n*   **Authentication:** Required (Author+). Authors have the `edit_posts` and `upload_files` capabilities, allowing them to set featured images and modify their metadata.\n*   **Preconditions:** The plugin must be active, and a post must have a featured image with the \"FSM Caption\" field populated.\n\n### 3. Code Flow (Inferred)\n1.  **Input (Admin Side):**\n    *   The plugin registers a meta box or a field in the Media Library UI using hooks like `add_meta_boxes` or `attachment_fields_to_edit`.\n    *   When a post is saved, the plugin hooks into `save_post` or `edit_attachment`.\n    *   It retrieves the caption from `$_POST['fsm_caption']` (inferred) and saves it using `update_post_meta($post_id, '_fsm_caption', $payload)` without calling `sanitize_text_field()` or `wp_kses()`.\n\n2.  **Output (Frontend Side):**\n    *   The plugin hooks into the featured image rendering process, likely via the `post_thumbnail_html` filter or a custom shortcode.\n    *   It retrieves the stored metadata using `get_post_meta($post_id, '_fsm_caption', true)`.\n    *   It appends this metadata to the HTML output using string concatenation and returns\u002Fechoes it without using `esc_html()` or `esc_attr()`.\n\n### 4. Nonce Acquisition Strategy\nSince the vulnerability involves an **Authenticated Author**, we must navigate the WordPress admin dashboard to obtain the necessary nonces for post updates.\n\n1.  **Identify the Field:** Navigate to the \"Edit Post\" screen of an existing post.\n2.  **Locate Nonces:** The standard WordPress post update uses the `_wpnonce` field found in the `#post` form.\n3.  **Variable Identification:**\n    *   If the plugin uses AJAX to save captions, search the source for `wp_localize_script`.\n    *   Target JS Object: `window.fsm_caption_params` or similar (inferred).\n    *   Command: `browser_eval(\"window.fsm_params?.nonce\")`\n4.  **Standard Post Save:** If the field is part of the standard post meta box, no special nonce beyond the core `_wpnonce` and `post_ID` is needed to submit the update via `post.php`.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Discovery of Parameter Name\nUse `browser_navigate` to an edit post page and inspect the DOM for fields related to \"FSM\" or \"Caption\" near the featured image area.\n*   **Target Field Search:** `document.querySelectorAll('input[name*=\"fsm\"], textarea[name*=\"fsm\"]')`\n\n#### Step 2: Inject Payload\nPerform an HTTP POST request to update the post metadata.\n\n*   **Request Type:** POST\n*   **URL:** `https:\u002F\u002FTARGET\u002Fwp-admin\u002Fpost.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `editpost`\n    *   `post_ID`: `[POST_ID]`\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n    *   `fsm_caption` (or discovered name): `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    *   `post_title`: `Test Post`\n\n#### Step 3: Trigger Execution\nNavigate to the frontend URL of the modified post.\n\n### 6. Test Data Setup\n1.  **User Creation:** Create a user with the `author` role.\n    *   `wp user create attacker attacker@example.com --role=author --user_pass=password123`\n2.  **Content Creation:** Create a post and set a featured image.\n    *   `wp post create --post_type=post --post_status=publish --post_title=\"Vulnerable Post\" --post_author=[AUTHOR_ID]`\n    *   Upload an image and set it as `_thumbnail_id` for that post.\n3.  **Plugin Configuration:** Ensure the plugin setting \"Show caption on frontend\" (if it exists) is enabled.\n\n### 7. Expected Results\n*   The POST request should return a `302 Redirect` back to the post edit page with `message=4` (Post updated).\n*   When viewing the post frontend, the HTML source should contain the raw payload: `\u003Cdiv class=\"fsm-caption\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003C\u002Fdiv>`.\n*   A JavaScript alert box should appear in the browser.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the payload is stored in post meta.\n    *   `wp post meta list [POST_ID] --keys=fsm_caption` (or the discovered key)\n2.  **HTML Inspection:** Use the `http_request` tool to fetch the frontend post and grep for the payload.\n    *   Look for the absence of `&lt;` or `&gt;` encoding around the script tag.\n\n### 9. Alternative Approaches\n*   **Media Library Injection:** If the plugin adds the field to the \"Edit Attachment\" page instead of the \"Edit Post\" page, the attack would target `\u002Fwp-admin\u002Fpost.php?post=[ATTACHMENT_ID]&action=edit`.\n*   **Shortcode Exploitation:** If the plugin provides a shortcode like `[fsm_featured_image_caption]`, test if the XSS can be triggered by placing the payload inside the shortcode attributes: `[fsm_featured_image_caption caption=\"\u003Cimg src=x onerror=alert(1)>\"]`. Authors can typically embed shortcodes in post content.","The FSM Custom Featured Image Caption plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fsm_caption' field. Authenticated users with Author-level permissions or higher can inject malicious JavaScript into this metadata field, which is subsequently rendered on the frontend without proper sanitization or output escaping.","\u002F\u002F Inferred from plugin functionality and research plan\n\u002F\u002F File: fsm-custom-featured-image-caption.php\n\n\u002F\u002F Saving logic without sanitization\nfunction fsm_save_caption( $post_id ) {\n    if ( isset( $_POST['fsm_caption'] ) ) {\n        update_post_meta( $post_id, '_fsm_caption', $_POST['fsm_caption'] );\n    }\n}\nadd_action( 'save_post', 'fsm_save_caption' );\n\n---\n\n\u002F\u002F Rendering logic without escaping\nfunction fsm_add_caption_to_thumbnail( $html, $post_id ) {\n    $caption = get_post_meta( $post_id, '_fsm_caption', true );\n    if ( ! empty( $caption ) ) {\n        $html .= '\u003Cdiv class=\"fsm-caption\">' . $caption . '\u003C\u002Fdiv>';\n    }\n    return $html;\n}\nadd_filter( 'post_thumbnail_html', 'fsm_add_caption_to_thumbnail', 10, 2 );","--- fsm-custom-featured-image-caption.php\n+++ fsm-custom-featured-image-caption.php\n@@ -10,7 +10,7 @@\n function fsm_save_caption( $post_id ) {\n     if ( isset( $_POST['fsm_caption'] ) ) {\n-        update_post_meta( $post_id, '_fsm_caption', $_POST['fsm_caption'] );\n+        update_post_meta( $post_id, '_fsm_caption', sanitize_text_field( $_POST['fsm_caption'] ) );\n     }\n }\n \n@@ -20,7 +20,7 @@\n function fsm_add_caption_to_thumbnail( $html, $post_id ) {\n     $caption = get_post_meta( $post_id, '_fsm_caption', true );\n     if ( ! empty( $caption ) ) {\n-        $html .= '\u003Cdiv class=\"fsm-caption\">' . $caption . '\u003C\u002Fdiv>';\n+        $html .= '\u003Cdiv class=\"fsm-caption\">' . esc_html( $caption ) . '\u003C\u002Fdiv>';\n     }\n     return $html;\n }","To exploit this vulnerability, an attacker with Author-level privileges must navigate to the WordPress Post Editor for any post they have permission to edit. By identifying the 'fsm_caption' field (often located near the Featured Image meta box) or by intercepting the POST request to 'wp-admin\u002Fpost.php', the attacker can insert a payload such as '\u003Cscript>alert(document.domain)\u003C\u002Fscript>' into the caption parameter. When the post is saved, the script is stored in the database. Any user viewing the post on the frontend will trigger the execution of the script in their browser context, allowing for session hijacking or further administrative actions if the victim is an administrator.","gemini-3-flash-preview","2026-04-19 00:21:03","2026-04-19 00:21:16",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffsm-custom-featured-image-caption\u002Ftags"]