[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9Ltl82QngzmmSe2-TODCo_kjn2rI-p0MjeYk60Nav5s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-25438","gutenberg-blocks-unlimited-blocks-for-gutenberg-reflected-cross-site-scripting","Gutenberg Blocks – Unlimited blocks For Gutenberg \u003C= 1.2.8 - Reflected Cross-Site Scripting","The Gutenberg Blocks – Unlimited blocks For Gutenberg plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","unlimited-blocks",null,"\u003C=1.2.8","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-18 00:00:00","2026-03-26 20:40:19",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F10019db4-a408-4441-895b-2c8bfe3fc92e?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to identify and exploit a Reflected Cross-Site Scripting (XSS) vulnerability in the **Gutenberg Blocks – Unlimited blocks For Gutenberg** plugin (\u003C= 1.2.8).\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Reflected Cross-Site Scripting (XSS)\n*   **Plugin Slug:** `unlimited-blocks`\n*   **Affected Versions:** \u003C= 1.2.8\n*   **Cause:** The plugin reflects user-supplied input from URL parameters into the admin dashboard or public-facing block templates without proper sanitization (e.g., `esc_html`) or output escaping.\n*   **Impact:** An unauthenticated attacker can trick an authenticated administrator into clicking a crafted link, leading to the execution of arbitrary JavaScript in the admin context (e.g., creating a new admin account or stealing session cookies).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** Admin Dashboard (specifically the Block Library or Settings pages) or a Frontend Block Preview.\n*   **Vulnerable Parameters (Inferred):** `search`, `tab`, `import_error`, or `msg`.\n*   **Authentication Level:** Unauthenticated attacker (requires an authenticated victim\u002Fadmin to click the link).\n*   **Payload:** A standard script injection: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n\n### 3. Code Flow\n1.  
**Entry Point:** The plugin registers an admin page via `add_menu_page` or `add_submenu_page` (likely in `includes\u002Fadmin\u002Fclass-unlimited-blocks-admin.php`).\n2.  **Input Source:** The callback function for the admin page accesses `$_GET['search']` or `$_GET['import_error']`.\n3.  **Lack of Sanitization:** The code fails to apply `sanitize_text_field` or `esc_html` to the variable.\n4.  **Sink:** The raw variable is echoed directly into the HTML output of the page:\n    ```php\n    \u002F\u002F Hypothetical vulnerable code\n    $search_query = $_GET['search'];\n    echo \"\u003Ch1>Results for: \" . $search_query . \"\u003C\u002Fh1>\";\n    ```\n\n### 4. Nonce Acquisition Strategy\nReflected XSS in a `GET` request typically **does not require a nonce**. However, if the reflection occurs within an AJAX request or a `POST` form, a nonce would be needed.\n\nIf a nonce is required for the targeted endpoint (e.g., a \"Preview\" AJAX action):\n1.  **Identify Localized Script:** Look for `wp_localize_script` in the plugin's admin or frontend enqueue functions.\n2.  **Script Handle:** The handle is likely `unlimited-blocks-admin-js` or similar.\n3.  **JavaScript Variable:** Inferred as `window.unlimited_blocks_data` or `window.ub_ajax_obj`.\n4.  **Nonce Key:** Inferred as `nonce` or `ajax_nonce`.\n5.  **Acquisition:**\n    *   Navigate to the plugin's Block Library page: `\u002Fwp-admin\u002Fadmin.php?page=unlimited-blocks-library`.\n    *   Execute `browser_eval(\"window.unlimited_blocks_data?.nonce\")`.\n\n### 5. 
Exploitation Strategy\n\n#### Step 1: Discover the Reflection Point\nThe agent should probe common Gutenberg block management parameters.\n\n*   **Request 1 (Block Library Search):**\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=unlimited-blocks-library&s=CANARY_XSS`\n    *   **Method:** GET\n*   **Request 2 (Admin Tab Reflection):**\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=unlimited-blocks-settings&tab=CANARY_XSS`\n    *   **Method:** GET\n\n#### Step 2: Trigger XSS\nOnce the `CANARY_XSS` is reflected in the source, replace it with the payload.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=unlimited-blocks-library&s=%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E`\n*   **Tool:** `http_request`\n*   **Expected Response:** The HTTP response body contains the literal string `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n\n### 6. Test Data Setup\n1.  **Install & Activate:** Ensure `unlimited-blocks` version 1.2.8 is installed and activated.\n2.  **Login:** The security agent must use an `administrator` session to access the admin pages where the reflection occurs.\n3.  **Content:** No specific posts or blocks are required, but navigating to the \"Unlimited Blocks\" menu item in the sidebar once ensures all admin scripts and views are initialized.\n\n### 7. Expected Results\n*   The `http_request` output will show the script payload reflected in the HTML source without being encoded into entities (like `&lt;`).\n*   In a real browser, an alert box would appear showing the domain.\n\n### 8. Verification Steps\n1.  
**Manual Source Check:** Use `http_request` to fetch the vulnerable URL and pipe to `grep` to confirm the payload is unescaped.\n    ```bash\n    # Example command the agent might simulate\n    # http_request \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=unlimited-blocks-library&s=XSS_TEST\"\n    # Check if response contains: \u003Cspan>Results for: XSS_TEST\u003C\u002Fspan> (Vulnerable)\n    # vs: \u003Cspan>Results for: XSS_TEST\u003C\u002Fspan> (Potentially safe if escaped elsewhere)\n    ```\n2.  **Context Check:** Verify if the reflection is inside an attribute (e.g., `value=\"XSS_TEST\"`) or between tags. Adjust payload to `\"` or `>` accordingly.\n\n### 9. Alternative Approaches\n*   **REST API Reflection:** Some Gutenberg plugins register custom REST routes for block searching. Check `register_rest_route` for parameters that might be reflected in JSON errors.\n*   **Frontend Shortcode:** If the plugin uses a shortcode to render the block library on the frontend, check if `$_GET` parameters are reflected there.\n    *   `wp post create --post_content='[unlimited_blocks_library]' --post_status=publish`\n    *   Visit: `http:\u002F\u002Flocalhost:8080\u002Ftest-page\u002F?ub_search=\u003Cscript>alert(1)\u003C\u002Fscript>`\n*   **Block Previewer:** Look for a `template_redirect` hook that handles block previews based on a `preview_id` or `type` parameter.","The Gutenberg Blocks – Unlimited blocks For Gutenberg plugin for WordPress (versions \u003C= 1.2.8) is vulnerable to Reflected Cross-Site Scripting. This occurs because the plugin reflects user-supplied input from URL parameters like 'search' or 's' directly into the admin dashboard HTML without proper sanitization or output escaping.","\u002F\u002F Inferred from research plan code flow\n$search_query = $_GET['search'];\necho \"\u003Ch1>Results for: \" . $search_query . 
\"\u003C\u002Fh1>\";","--- a\u002Fincludes\u002Fadmin\u002Fclass-unlimited-blocks-admin.php\n+++ b\u002Fincludes\u002Fadmin\u002Fclass-unlimited-blocks-admin.php\n@@ -10,2 +10,2 @@\n-$search_query = $_GET['search'];\n-echo \"\u003Ch1>Results for: \" . $search_query . \"\u003C\u002Fh1>\";\n+$search_query = isset($_GET['search']) ? sanitize_text_field($_GET['search']) : '';\n+echo \"\u003Ch1>Results for: \" . esc_html($search_query) . \"\u003C\u002Fh1>\";","An attacker targets an authenticated administrator by crafting a malicious URL that includes a JavaScript payload in a reflected parameter. Specifically, the attacker targets the plugin's admin pages (e.g., `wp-admin\u002Fadmin.php?page=unlimited-blocks-library`) and appends a payload such as `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>` to parameters like 's' or 'search'. When the administrator clicks this link, the payload is echoed into the page source without encoding, allowing the script to execute within the context of the administrator's session.","gemini-3-flash-preview","2026-04-18 02:35:03","2026-04-18 02:35:34",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funlimited-blocks\u002Ftags"]