[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcZtxkZgv1iM9JXuR0AOxSSSGgTLezadmMMiJKCMKZbQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8701","gntt-post-title-ticker-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","GNTT Post Title Ticker \u003C= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the `title-ticker-slide`, `title-ticker-fade`, and `title-ticker-typing` shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes (notably `border`, `width`, `height`, `header_background`, `header_text_color`, and `id`) within the `gntt_title_ticker_slide()`, `gntt_title_ticker_fade()`, and `gntt_title_ticker_typing()` functions. None of these attribute values are passed through `esc_attr()` or any other escaping function before being concatenated into HTML output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","gntt-post-title-ticker",null,"\u003C=1.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 17:21:21","2026-05-27 05:31:23",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F37f8eced-905c-4623-b382-055561fd25a0?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to demonstrate the Stored Cross-Site Scripting (XSS) vulnerability in the **GNTT Post Title Ticker** plugin.\n\n### 1. Vulnerability Summary\n*   **ID:** CVE-2026-8701\n*   **Vulnerability Type:** Stored Cross-Site Scripting (XSS)\n*   **Component:** GNTT Post Title Ticker (\u003C= 1.0)\n*   **Vulnerable Functions:** `gntt_title_ticker_slide()`, `gntt_title_ticker_fade()`, and `gntt_title_ticker_typing()`.\n*   **Vulnerable Attributes:** `border`, `width`, `height`, `header_background`, `header_text_color`, and `id`.\n*   **Cause:** Shortcode attributes are concatenated directly into HTML output without being passed through escaping functions like `esc_attr()` or `esc_html()`. This allows a user with Contributor-level privileges (who can use shortcodes) to inject malicious scripts into pages.\n\n### 2. Attack Vector Analysis\n*   **Entry Point:** Shortcode injection within a Post or Page content.\n*   **Shortcodes:** `[title-ticker-slide]`, `[title-ticker-fade]`, or `[title-ticker-typing]`.\n*   **Vulnerable Parameter:** Attributes within the shortcode (e.g., `id`, `width`).\n*   **Authentication:** Requires a user with at least `Contributor` privileges (capability `edit_posts`).\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow (Inferred from Description)\n1.  **Registration:** The plugin registers shortcodes via `add_shortcode()` (likely in the main plugin file or an `init` hook).\n2.  **Trigger:** A user with `edit_posts` capability creates a post containing a shortcode like `[title-ticker-slide width='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`.\n3.  **Parsing:** When the post is viewed, WordPress calls the associated callback function, e.g., `gntt_title_ticker_slide($atts)`.\n4.  **Processing:** Inside the callback, the plugin extracts attributes. It likely uses `shortcode_atts()` to merge user input with defaults.\n5.  **Sink:** The code constructs an HTML string for output. Because it omits `esc_attr()`, it produces:\n    `\u003Cdiv width=\"\">\u003Cscript>alert(1)\u003C\u002Fscript>\" ... >`\n6.  **Execution:** The unescaped payload is rendered in the frontend, executing the script in the context of any user viewing the page.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability does not occur via an AJAX or REST endpoint that requires a custom plugin nonce. Instead, it is exploited through the standard WordPress post-saving mechanism.\n*   **Injection Phase:** To inject the shortcode via the API or automated requests, the agent will need a standard WordPress REST API or `admin-ajax.php` nonce for post creation\u002Fediting.\n*   **Extraction:** If the agent performs the injection via the browser (Playwright), the browser session handles the `_wpnonce` automatically.\n*   **Verification:** If there is a need to check for localized scripts that might contain nonces (though not required for this specific XSS), use:\n    `browser_eval(\"window.gntt_vars?.nonce\")` (inferred)\n\n### 5. Exploitation Strategy\nThe goal is to inject a stored XSS payload as a Contributor and trigger it as an Administrator.\n\n1.  **Step 1: Authenticate as Contributor:** Log into the WordPress dashboard using Contributor credentials.\n2.  **Step 2: Create Malicious Post:** Use the `http_request` tool to create a new post containing the payload.\n    *   **URL:** `http:\u002F\u002F[target]\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` (or via `admin-ajax.php` autosave).\n    *   **Method:** `POST`\n    *   **Body:**\n        ```json\n        {\n          \"title\": \"XSS Test\",\n          \"content\": \"[title-ticker-slide id='\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']\",\n          \"status\": \"publish\"\n        }\n        ```\n    *   *Note:* Contributors' posts usually go to \"Pending Review\" unless they have `publish_posts`. However, the XSS will still fire for the Administrator who previews or reviews the post.\n3.  **Step 3: Trigger XSS:** Log in as an Administrator and navigate to the newly created post's URL.\n4.  **Step 4: Confirm Execution:** Use `browser_eval` to check if a specific global variable (set by the payload) exists or if an alert was triggered.\n\n### 6. Test Data Setup\n1.  **Plugin Setup:** Ensure `gntt-post-title-ticker` version 1.0 is installed and activated.\n2.  **User Setup:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n3.  **Content Setup:** (Optional) A page where the shortcode will be displayed.\n\n### 7. Expected Results\n*   When the page is viewed, the HTML source should show the `id` (or `width`\u002F`height`) attribute of the ticker container being closed prematurely by the `\">` characters.\n*   The `\u003Cscript>` tag will follow immediately in the DOM.\n*   The browser will execute `alert(document.domain)`.\n\n### 8. Verification Steps\nAfter the exploitation attempt, verify the storage and lack of escaping:\n1.  **Verify DB Storage:**\n    ```bash\n    wp post list --post_type=post --field=post_content | grep \"script\"\n    ```\n2.  **Verify Frontend Output:**\n    Use `http_request` (GET) on the post's permalink and check if the response body contains the raw, unescaped payload:\n    ```bash\n    # Look for the exact unescaped string\n    grep 'id=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"'\n    ```\n\n### 9. Alternative Approaches\nIf the `id` attribute is partially sanitized, attempt exploitation through other identified vulnerable attributes:\n*   **Style Injection via `header_background`:**\n    `[title-ticker-slide header_background='\";}\u003C\u002Fstyle>\u003Cscript>alert(1)\u003C\u002Fscript>']`\n*   **Width\u002FHeight Breakout:**\n    `[title-ticker-fade width='100px\" onmouseover=\"alert(1)\" data-x=\"']`\n*   **Alternative Shortcodes:**\n    Repeat the process using `[title-ticker-fade]` or `[title-ticker-typing]` callbacks, as they share the same vulnerable pattern.","The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in version 1.0. This occurs because the plugin does not sanitize or escape user-provided attributes like 'id', 'width', and 'height' before rendering them in HTML. Authenticated users with contributor-level access or higher can inject malicious scripts into posts, which execute when the post is viewed by other users.","\u002F\u002F gntt-post-title-ticker.php (Inferred)\n\nfunction gntt_title_ticker_slide($atts) {\n    extract(shortcode_atts(array(\n        'id' => 'gntt-ticker',\n        'width' => '100%',\n        'height' => '50px',\n        'border' => '1px solid #ccc',\n        'header_background' => '#eee',\n        'header_text_color' => '#000'\n    ), $atts));\n\n    $output = '\u003Cdiv id=\"' . $id . '\" style=\"width:' . $width . '; height:' . $height . '; border:' . $border . ';\">';\n    \u002F\u002F ... concatenation continues using $header_background and $header_text_color\n    return $output;\n}\n\n---\n\nfunction gntt_title_ticker_fade($atts) {\n    \u002F\u002F Similar logic using unescaped attributes like 'id' and 'width'\n    extract(shortcode_atts(array('id' => 'fade-ticker', 'width' => '100%'), $atts));\n    return '\u003Cdiv id=\"' . $id . '\" style=\"width:' . $width . ';\">...';\n}\n\n---\n\nfunction gntt_title_ticker_typing($atts) {\n    \u002F\u002F Similar logic using unescaped attributes like 'id' and 'width'\n    extract(shortcode_atts(array('id' => 'typing-ticker', 'width' => '100%'), $atts));\n    return '\u003Cdiv id=\"' . $id . '\" style=\"width:' . $width . ';\">...';\n}","--- gntt-post-title-ticker.php\n+++ gntt-post-title-ticker.php\n@@ -10,7 +10,12 @@\n-    $output = '\u003Cdiv id=\"' . $id . '\" style=\"width:' . $width . '; height:' . $height . '; border:' . $border . ';\">';\n+    $output = '\u003Cdiv id=\"' . esc_attr($id) . '\" style=\"width:' . esc_attr($width) . '; height:' . esc_attr($height) . '; border:' . esc_attr($border) . ';\">';\n@@ -25,1 +30,1 @@\n-    return '\u003Cdiv id=\"' . $id . '\" style=\"width:' . $width . ';\">...';\n+    return '\u003Cdiv id=\"' . esc_attr($id) . '\" style=\"width:' . esc_attr($width) . ';\">...';\n@@ -40,1 +45,1 @@\n-    return '\u003Cdiv id=\"' . $id . '\" style=\"width:' . $width . ';\">...';\n+    return '\u003Cdiv id=\"' . esc_attr($id) . '\" style=\"width:' . esc_attr($width) . ';\">...';","The exploit is performed by an authenticated attacker with Contributor-level privileges or higher who has the ability to create or edit posts. \n\n1. The attacker logs into the WordPress dashboard and creates a new post or page.\n2. In the post editor, the attacker inserts one of the vulnerable shortcodes (e.g., [title-ticker-slide]) and provides a malicious payload for an attribute that will be rendered within an HTML tag. \n3. A payload such as [title-ticker-slide id='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>'] is used to break out of the HTML attribute context and inject a script tag.\n4. The attacker saves the post (or submits it for review).\n5. When an administrator or any other user views the post on the frontend or via the 'Preview' function, the unescaped shortcode attribute is rendered directly into the page source, causing the browser to execute the injected JavaScript.","gemini-3-flash-preview","2026-06-04 19:10:55","2026-06-04 19:11:34",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgntt-post-title-ticker\u002Ftags"]