[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBsOJ5jKHK9HzccwwdqzCKWu1X_Cfbsar6BSxlUot62c":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-24392","hurrytimer-an-scarcity-and-urgency-countdown-timer-for-wordpress-woocommerce-authenticated-author-stored-cross-site-scri","HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce \u003C= 2.14.2 - Authenticated (Author+) Stored Cross-Site Scripting","The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.14.2 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","hurrytimer",null,"\u003C=2.14.2","2.14.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-11 00:00:00","2026-02-26 19:50:16",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd244bc34-821d-41bf-9efb-39a4644c6b1c?source=api-prod",47,[],"researched",false,3,"This research plan outlines the steps to verify and exploit **CVE-2026-24392**, a Stored Cross-Site Scripting vulnerability in the HurryTimer plugin.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Stored Cross-Site Scripting (XSS)\n*   **Location:** HurryTimer Campaign settings (specifically fields like labels, messages, or custom CSS classes).\n*   **Cause:** The plugin fails to sanitize user-supplied input when saving campaign settings and fails to escape the data when rendering the timer on the frontend or in the admin dashboard.\n*   **Privilege Required:** Author or higher.\n*   **Impact:** Execution of arbitrary JavaScript in the context of any user (including administrators) viewing a page where the malicious timer is embedded.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fpost.php` or `wp-admin\u002Fadmin-ajax.php`.\n*   **Target Hook:** Typically `wp_ajax_ht_save_campaign` or the standard `save_post` hook for the `hurrytimer` custom post type.\n*   **Vulnerable Parameter:** Likely a sub-field within the campaign's configuration (e.g., `headline`, `label`, or `cta_text`).\n*   **Preconditions:**\n    1.  The attacker must have an account with the **Author** role.\n    2.  The HurryTimer plugin (\u003C= 2.14.2) must be active.\n\n### 3. Code Flow (Inferred)\n1.  
**Input:** An Author user submits a \"HurryTimer\" campaign via the admin UI.\n2.  **Processing:** The plugin receives the request. In `includes\u002Fadmin\u002Fclass-campaign-post-type.php` (inferred) or a dedicated AJAX handler, the plugin saves the settings using `update_post_meta()`.\n3.  **Lack of Sanitization:** The data is saved directly without being passed through `sanitize_text_field()` or `wp_kses()`.\n4.  **Output:** When a post containing the `[hurrytimer id=\"XX\"]` shortcode is viewed, the plugin calls a rendering function (e.g., `HT_Campaign::render()` in `includes\u002Fclass-campaign.php`).\n5.  **Lack of Escaping:** The raw metadata is echoed into the HTML (e.g., `echo $settings['headline'];`) without using `esc_html()` or `esc_attr()`.\n\n### 4. Nonce Acquisition Strategy\nHurryTimer uses a modern UI that typically localizes a nonce for AJAX operations.\n\n1.  **Identify Trigger:** The plugin's scripts are loaded when editing a `hurrytimer` post type.\n2.  **Create Setup Page:**\n    ```bash\n    # Create a dummy timer to ensure the UI and scripts load\n    wp post create --post_type=hurrytimer --post_status=publish --post_title=\"Exploit Probe\"\n    ```\n3.  **Navigate and Extract:**\n    *   Navigate to the edit page of the newly created post (e.g., `\u002Fwp-admin\u002Fpost.php?post=ID&action=edit`).\n    *   Use `browser_eval` to extract the nonce from the localized script object. HurryTimer typically uses `hurrytimer_admin` or `hurrytimer_config`.\n    *   **Inferred JS Variable:** `window.hurrytimer_admin?.nonce` or `window.hurrytimer_config?.save_nonce`.\n\n### 5. 
Exploitation Strategy\nWe will attempt to inject the payload through the campaign's \"Headline\" or \"Label\" fields.\n\n**Step 1: Obtain Nonce and Post ID**\nLog in as an Author, navigate to the HurryTimer edit screen, and extract the necessary identifiers.\n\n**Step 2: Submit Malicious Campaign Update**\nSubmit an HTTP POST request to `admin-ajax.php` (if AJAX-based) or `post.php` (if standard form-based).\n\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Parameters (Inferred):**\n    *   `action`: `ht_save_campaign` (verify via grep)\n    *   `id`: `[CAMPAIGN_ID]`\n    *   `settings`: A JSON-encoded string or array containing:\n        *   `headline`: `\u003Cimg src=x onerror=alert(document.domain)>`\n        *   `label`: `\"> \u003Cscript>alert(1)\u003C\u002Fscript>`\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n\n**Step 3: Trigger the XSS**\nEmbed the timer in a public post and view it.\n\n*   **Shortcode:** `[hurrytimer id=\"[CAMPAIGN_ID]\"]`\n\n### 6. Test Data Setup\n1.  **User:** Create an Author user.\n    ```bash\n    wp user create attacker attacker@example.com --role=author --user_pass=password123\n    ```\n2.  **Campaign:** Create a target HurryTimer post.\n    ```bash\n    wp post create --post_type=hurrytimer --post_title=\"Vulnerable Timer\" --post_status=publish --post_author=$(wp user get attacker --field=ID)\n    ```\n3.  **Frontend Page:** Create a page to display the timer.\n    ```bash\n    wp post create --post_type=page --post_title=\"Timer View\" --post_content='[hurrytimer id=\"REPLACE_WITH_ID\"]' --post_status=publish\n    ```\n\n### 7. 
Expected Results\n*   The `update_post_meta` call succeeds.\n*   Upon visiting the \"Timer View\" page, a JavaScript alert box appears, demonstrating code execution.\n*   In the HTML source, the payload appears unescaped: `\u003Cdiv class=\"ht-headline\">\u003Cimg src=x onerror=alert(document.domain)>\u003C\u002Fdiv>`.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the payload is stored exactly as sent.\n    ```bash\n    wp post meta get [CAMPAIGN_ID] _hurrytimer_settings\n    ```\n2.  **Response Check:** Use `http_request` to fetch the frontend page and check for the raw payload.\n    ```bash\n    # Look for the unescaped script tags\n    http_request get \"http:\u002F\u002Flocalhost:8080\u002Ftimer-view\u002F\" | grep \"onerror=alert\"\n    ```\n\n### 9. Alternative Approaches\n*   **Blind XSS:** If the payload doesn't fire on the frontend, check the **Admin Campaign List** (`\u002Fwp-admin\u002Fedit.php?post_type=hurrytimer`). The plugin might display the headline in the list table without escaping.\n*   **Attribute Injection:** If tags are stripped but quotes are not escaped, try breaking out of an attribute: `test\" onmouseover=\"alert(1)\" style=\"display:block;width:1000px;height:1000px\"`.\n*   **Custom CSS Path:** Check if the plugin allows \"Custom CSS\". Inject: `\u003C\u002Fstyle>\u003Cscript>alert(1)\u003C\u002Fscript>`.","The HurryTimer plugin is vulnerable to Stored Cross-Site Scripting (XSS) because it fails to sanitize and escape campaign settings, such as headlines and labels, during storage and rendering. 
Authenticated attackers with Author-level privileges can inject malicious JavaScript into these fields, which executes when any user, including administrators, views the timer on the frontend or backend. The specific field names and code paths named here are inferred rather than confirmed against the plugin source.","\u002F\u002F Inferred from research plan: includes\u002Fadmin\u002Fclass-campaign-post-type.php\n\u002F\u002F Saving campaign settings without sanitization\nif (isset($_POST['hurrytimer_settings'])) {\n    update_post_meta($post_id, '_hurrytimer_settings', $_POST['hurrytimer_settings']);\n}\n\n---\n\n\u002F\u002F Inferred from research plan: includes\u002Fclass-campaign.php\n\u002F\u002F Rendering campaign settings without escaping\npublic function render($settings) {\n    echo '\u003Cdiv class=\"ht-headline\">' . $settings['headline'] . '\u003C\u002Fdiv>';\n    echo '\u003Cspan class=\"ht-label\">' . $settings['label'] . '\u003C\u002Fspan>';\n}","--- a\u002Fincludes\u002Fadmin\u002Fclass-campaign-post-type.php\n+++ b\u002Fincludes\u002Fadmin\u002Fclass-campaign-post-type.php\n@@ -24,7 +24,7 @@\n-    update_post_meta($post_id, '_hurrytimer_settings', $_POST['hurrytimer_settings']);\n+    update_post_meta($post_id, '_hurrytimer_settings', map_deep($_POST['hurrytimer_settings'], 'sanitize_text_field'));\n--- a\u002Fincludes\u002Fclass-campaign.php\n+++ b\u002Fincludes\u002Fclass-campaign.php\n@@ -45,7 +45,7 @@\n-    echo '\u003Cdiv class=\"ht-headline\">' . $settings['headline'] . '\u003C\u002Fdiv>';\n+    echo '\u003Cdiv class=\"ht-headline\">' . wp_kses_post($settings['headline']) . '\u003C\u002Fdiv>';","1. Log in to the WordPress admin panel with Author-level credentials.\n2. Navigate to the HurryTimer campaign editor (or create a new campaign).\n3. Use browser developer tools or a proxy to intercept the save request (typically an AJAX request to `admin-ajax.php` with action `ht_save_campaign` or a POST to `post.php`).\n4. 
Inject a JavaScript payload, such as `\u003Cimg src=x onerror=alert(document.domain)>`, into fields like `headline`, `label`, or `cta_text` within the `settings` or `hurrytimer_settings` parameter.\n5. Save the campaign and obtain its ID.\n6. Place the HurryTimer shortcode `[hurrytimer id=\"[CAMPAIGN_ID]\"]` on a public post or page.\n7. Visit the public page to trigger the execution of the injected script in the context of the visiting user's session.","gemini-3-flash-preview","2026-05-05 11:42:47","2026-05-05 11:44:37",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.14.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhurrytimer\u002Ftags\u002F2.14.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhurrytimer.2.14.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhurrytimer\u002Ftags\u002F2.14.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhurrytimer.2.14.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhurrytimer\u002Ftags"]