[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXnjX5t8A1MeWyQJRzce96XQhIw_5IGQ6T1OdTFV_9z4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-2714","institute-management-authenticated-administrator-stored-cross-site-scripting-via-enquiry-form-title-setting","Institute Management \u003C= 5.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Enquiry Form Title' Setting","The Institute Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Enquiry Form Title' setting in all versions up to, and including, 5.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","institute-management",null,"\u003C=5.5","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-18 20:53:19","2026-04-22 07:45:32",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1fd62c3d-2c15-4d1c-9210-4c2aca379fe3?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2714 - Institute Management Stored XSS\n\n## 1. Vulnerability Summary\nThe **Institute Management** plugin (\u003C= 5.5) for WordPress contains a stored cross-site scripting (XSS) vulnerability via the 'Enquiry Form Title' setting. The plugin fails to sanitize the input when saving this setting and fails to escape the output when rendering it on the frontend or backend. While the vulnerability requires Administrator-level privileges, it is significant in Multi-site environments or hardened installations where the `unfiltered_html` capability is disabled for administrators.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** WordPress Admin Dashboard, specifically the plugin's settings page.\n- **Vulnerable Setting:** `Enquiry Form Title` (likely stored as a WordPress option).\n- **HTTP Parameter:** Likely a POST parameter named `enquiry_form_title` or similar (inferred).\n- **Authentication:** Required (Administrator+).\n- **Preconditions:**\n    - The environment must be a Multi-site installation OR have `define( 'DISALLOW_UNFILTERED_HTML', true );` in `wp-config.php` to prevent the administrator from having legitimate `unfiltered_html` rights.\n    - A page must exist that renders the Enquiry Form (often via a shortcode).\n\n## 3. Code Flow (Inferred)\n1. **Input Stage:** The administrator navigates to the \"Institute Management\" settings menu (e.g., `wp-admin\u002Fadmin.php?page=institute-management-settings`).\n2. **Persistence Stage:** Upon clicking \"Save\", a POST request is sent. A handler (likely registered via `admin_init` or `admin_menu`) receives the data and calls `update_option( 'wl_im_enquiry_form_title', $_POST['enquiry_form_title'] )` without using `sanitize_text_field`.\n3. **Rendering Stage:** A user (or admin) visits a page containing the enquiry form. The plugin calls `get_option( 'wl_im_enquiry_form_title' )` and outputs it directly using `echo` or `printf` without `esc_html()` or `wp_kses()`.\n\n## 4. Nonce Acquisition Strategy\nSince this involves an administrative settings page, a CSRF nonce is almost certainly required. \n\n1. **Identify the Settings Page:** Locate the menu slug for the plugin (e.g., `institute-management` or `wl-im-settings`).\n2. **Navigate via Browser:** Use `browser_navigate` to go to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=institute-management-settings`.\n3. **Extract Nonce:** Use `browser_eval` to extract the nonce from the settings form.\n   - **Target Variable:** Look for the hidden input field usually named `_wpnonce` or a specific action nonce (e.g., `wl_im_settings_nonce`).\n   - **Command:** `browser_eval(\"document.querySelector('input[name=\\\"_wpnonce\\\"]')?.value\")` or check for localized JS variables.\n\n## 5. Exploitation Strategy\n### Step 1: Discover the exact setting field\nNavigate to the settings page and inspect the form to identify the exact name of the input field for \"Enquiry Form Title\".\n\n### Step 2: Inject Payload\nSubmit a POST request to the settings handler (likely `options.php` if using the Settings API, or the current page if using a custom handler).\n\n**Example Request (assuming Settings API):**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions.php`\n- **Method:** POST\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  option_page=institute_management_settings_group&\n  wl_im_enquiry_form_title=\u003Cscript>alert(document.domain)\u003C\u002Fscript>&\n  action=update&\n  _wpnonce=[EXTRACTED_NONCE]\n  ```\n\n### Step 3: Trigger Execution\nIdentify the shortcode or frontend page where the enquiry form is displayed.\n1. Create a page with the enquiry shortcode: `wp post create --post_type=page --post_status=publish --post_content='[wl_im_enquiry_form]'` (shortcode inferred from plugin slug).\n2. Use `browser_navigate` to visit that page.\n3. Observe if the script `\u003Cscript>alert(document.domain)\u003C\u002Fscript>` executes.\n\n## 6. Test Data Setup\n1. **Hardening:** Disable `unfiltered_html` in `wp-config.php` to ensure the test reflects the vulnerability context.\n   - `wp config set DISALLOW_UNFILTERED_HTML true --raw`\n2. **User:** Create an administrator user.\n3. **Shortcode Page:** \n   - `wp post create --post_title=\"Enquiry\" --post_content=\"[wl_im_enquiry_form]\" --post_status=\"publish\" --post_type=\"page\"`\n   - (Note: Search the plugin code for `add_shortcode` to find the exact tag).\n\n## 7. Expected Results\n1. The settings page accepts the payload without sanitization.\n2. When the frontend page is loaded, the HTML source contains the raw `\u003Cscript>` tag rather than the escaped `<script>`.\n3. The browser triggers an alert or executes the injected JS logic.\n\n## 8. Verification Steps\n1. **Database Check:** Use WP-CLI to verify the stored value is not sanitized.\n   - `wp option get wl_im_enquiry_form_title` (verify it returns the raw `\u003Cscript>` tag).\n2. **Response Check:** Use `http_request` to fetch the frontend page and check for the presence of the unescaped payload.\n   - `grep \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"` in the response body.\n\n## 9. Alternative Approaches\n- **Custom Post Meta:** If the title is not a global setting but a per-form setting, the exploit would involve modifying a specific post meta via the form builder interface.\n- **Admin XSS:** The title might also be reflected back on the settings page itself. If the settings page shows the \"Current Title\", the XSS would execute every time the administrator visits the settings page, creating a self-reinforcing admin-context exploit.\n- **Blind XSS:** If the enquiry is sent to an admin dashboard, the payload might execute when an admin views the submitted enquiry in the backend. Look for `wl_im_enquiries` or similar management pages.","gemini-3-flash-preview","2026-04-27 15:06:39","2026-04-27 15:06:56",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finstitute-management\u002Ftags"]