[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f31CBz7xWYKhlTtRrGCsY8hbQgFG5GhQGHD0Vt8aF3xY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":31},"CVE-2026-1913","gallagher-website-design-authenticated-contributor-stored-cross-site-scripting-via-prefix-shortcode-attribute","Gallagher Website Design \u003C= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'prefix' Shortcode Attribute","The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the 'prefix' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","gallagher-website-design",null,"\u003C=2.6.4","2.6.5","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-21 20:36:56","2026-04-22 09:27:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd8d013ae-a512-454a-bcfc-8725a6928fee?source=api-prod",1,[22,23],"gallagher-website-design.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-1913 (Gallagher Website Design XSS)\n\n## 1. Vulnerability Summary\nThe **Gallagher Website Design** plugin (\u003C= 2.6.4) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `prefix` attribute in the `[login_link]` shortcode. The plugin fails to sanitize or escape the `prefix` value before returning it for rendering. Authenticated users with Contributor-level access (or higher) can embed malicious scripts into posts or pages using this shortcode, which will execute in the browser of any user (including administrators) who views the content.\n\n## 2. Attack Vector Analysis\n- **Shortcode:** `[login_link]`\n- **Vulnerable Attribute:** `prefix`\n- **Authentication Level:** Contributor+ (The user must have the `edit_posts` capability to create or modify content containing shortcodes).\n- **Endpoint:** Any public-facing Page or Post where shortcodes are processed (typically via `the_content` filter).\n- **Preconditions:** The plugin must be active.\n\n## 3. Code Flow\n1. **Shortcode Registration:** The plugin registers the shortcode (likely in `gallagher-website-design.php` or an included file) using `add_shortcode('login_link', 'CALLBACK_FUNCTION')`.\n2. **Attribute Processing:** Inside the callback function, user-supplied attributes are parsed using `shortcode_atts()`.\n3. **Data Handling (The Sink):** The value of the `prefix` attribute is extracted from the `$atts` array and concatenated directly into an HTML string (e.g., prepended to an `\u003Ca>` tag) without using escaping functions like `esc_html()` or `esc_attr()`.\n4. **Output:** The resulting unsanitized string is returned by the shortcode function. WordPress then renders this string as part of the page content, leading to script execution.\n\n## 4. Nonce Acquisition Strategy\nThe exploitation of this vulnerability occurs during the **rendering** of a shortcode within post content. \n- **Shortcode Rendering:** No nonce is required to trigger the XSS. The vulnerability is triggered simply by viewing the page where the shortcode exists.\n- **Payload Injection:** Creating\u002FUpdating a post normally requires a WordPress nonce (`_wpnonce`). However, since the research agent has `wp-cli` access, the most reliable way to inject the payload into the database is via `wp post create` or `wp post update`, bypassing the need for HTTP-based nonce extraction for the injection phase.\n\n## 5. Exploitation Strategy\n\n### Step 1: Payload Selection\nThe payload will target the `prefix` attribute. We will use a standard `\u003Cscript>` tag to demonstrate execution.\n**Payload:** `[login_link prefix='\u003Cscript>alert(window.origin)\u003C\u002Fscript>']`\n\n### Step 2: Injection (Stored Phase)\nUsing the `wp-cli` tool, we will create a published post as a contributor user containing the malicious shortcode.\n\n### Step 3: Verification (Execution Phase)\nThe execution agent will use the `http_request` tool (Playwright) to navigate to the newly created post URL. We will check if the script is present in the raw HTML response and if it executes in the browser context.\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure `gallagher-website-design` version 2.6.4 is installed and active.\n2. **User Creation:**\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n   ```\n3. **Post Creation (The Injection):**\n   ```bash\n   wp post create --post_type=post --post_status=publish --post_title=\"Login Page\" --post_author=$(wp user get attacker --field=ID) --post_content='[login_link prefix=\"\u003Cscript>console.log(\\\"XSS_TRIGGERED\\\")\u003C\u002Fscript>\"]'\n   ```\n   *Note: Using `console.log` is often more reliable for automated verification than `alert`.*\n\n## 7. Expected Results\n- When requesting the post URL via `http_request`, the response body should contain the unescaped string: `\u003Cscript>console.log(\"XSS_TRIGGERED\")\u003C\u002Fscript>`.\n- In a browser environment, the browser console should show `XSS_TRIGGERED`.\n\n## 8. Verification Steps\n1. **Confirm Post Content via CLI:**\n   ```bash\n   wp post get \u003CPOST_ID> --field=post_content\n   ```\n2. **Trigger and Capture Output via HTTP:**\n   Use the `http_request` tool to fetch the URL of the created post.\n   ```json\n   {\n     \"method\": \"GET\",\n     \"url\": \"http:\u002F\u002Flocalhost:8080\u002F?p=\u003CPOST_ID>\"\n   }\n   ```\n3. **Search for Sink Injection:**\n   Verify that the string `\u003Cscript>console.log(\"XSS_TRIGGERED\")\u003C\u002Fscript>` appears in the response body.\n\n## 9. Alternative Approaches\nIf the `prefix` attribute is not vulnerable or if `login_link` requires specific parameters:\n- **Check for `suffix`:** Check if a `suffix` attribute exists and is also unescaped: `[login_link suffix='\u003Cscript>...\u003C\u002Fscript>']`.\n- **Bypass `shortcode_atts`:** If the plugin accesses `$_GET` or `$_POST` directly within the shortcode callback (unlikely but possible), test parameters like `?prefix=\u003Cscript>`.\n- **Check other shortcodes:** The `readme.txt` mentions `password forgot link`, `Woocommerce cart total`, and `Woocommerce my account page`. If `login_link` is patched or behaves differently, audit the attribute handling in these related shortcodes.","gemini-3-flash-preview","2026-04-27 13:48:38","2026-04-27 13:49:02",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","2.6.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgallagher-website-design\u002Ftags\u002F2.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgallagher-website-design.2.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgallagher-website-design\u002Ftags\u002F2.6.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgallagher-website-design.2.6.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgallagher-website-design\u002Ftags"]