Interactive Content – H5P <= 1.17.6 - Reflected Cross-Site Scripting
Description
The Interactive Content – H5P plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.17.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v1.17.7
Source Code
WordPress.org SVNThis exploitation research plan targets **CVE-2026-56006**, a reflected Cross-Site Scripting (XSS) vulnerability in the Interactive Content – H5P plugin for WordPress. ### 1. Vulnerability Summary The vulnerability exists in the library management interface of the H5P plugin. Specifically, the `des…
Show full research plan
This exploitation research plan targets CVE-2026-56006, a reflected Cross-Site Scripting (XSS) vulnerability in the Interactive Content – H5P plugin for WordPress.
1. Vulnerability Summary
The vulnerability exists in the library management interface of the H5P plugin. Specifically, the destination and id query parameters are used in the admin views (admin/views/library-delete.php and admin/views/library-content-upgrade.php) without sufficient output escaping. While the controller (admin/class-h5p-library-admin.php) performs some sanitization on the id for database queries, the view files directly access $_GET or $_REQUEST parameters to render "Cancel" links or form actions, allowing an attacker to inject arbitrary JavaScript.
2. Attack Vector Analysis
- Vulnerable Endpoint:
/wp-admin/admin.php - Action/Page:
h5p_libraries - Vulnerable Parameters:
destination(Primary),id(Secondary in views) - Authentication Required: Unauthenticated attacker (targeting an authenticated Administrator). The CVSS vector
PR:N/UI:Rindicates that an attacker can trigger this by tricking a logged-in admin into clicking a malicious link. - Preconditions: At least one H5P library must be installed/uploaded so that the
idparameter points to a valid database record, allowing theget_library()check to pass and the vulnerable view to be included.
3. Code Flow
- An administrator clicks a link:
/wp-admin/admin.php?page=h5p_libraries&task=delete&id=1&destination=javascript:alert(1)
Summary
The Interactive Content – H5P plugin for WordPress is vulnerable to reflected Cross-Site Scripting (XSS) due to improper sanitization and escaping of the 'destination' query parameter in its administrative library management pages. An attacker can exploit this by tricking an authenticated administrator into clicking a crafted link, leading to the execution of arbitrary JavaScript in the context of the user's browser session.
Vulnerable Code
/* File: admin/class-h5p-library-admin.php (Line ~448 in 1.17.6) */ 'done' => sprintf(__('You have successfully upgraded %s.', $this->plugin_slug), $contents_plural) . ($return ? '<br/><a href="' . $return . '">' . __('Return', $this->plugin_slug) . '</a>' : ''), --- /* The vulnerability also affects library-delete.php and library-content-upgrade.php views where $_GET['destination'] is rendered directly into 'href' attributes or form 'action' attributes without escaping. */
Security Fix
@@ -445,7 +445,7 @@ 'errorLibrary' => __('Missing required library %lib.', $this->plugin_slug), 'errorTooHighVersion' => __('Parameters contain %used while only %supported or earlier are supported.', $this->plugin_slug), 'errorNotSupported' => __('Parameters contain %used which is not supported.', $this->plugin_slug), - 'done' => sprintf(__('You have successfully upgraded %s.', $this->plugin_slug), $contents_plural) . ($return ? '<br/><a href="' . $return . '">' . __('Return', $this->plugin_slug) . '</a>' : ''), + 'done' => sprintf(__('You have successfully upgraded %s.', $this->plugin_slug), $contents_plural) . ($return && wp_http_validate_url($return) ? '<br/><a href="' . sanitize_url($return) . '">' . __('Return', $this->plugin_slug) . '</a>' : ''), 'library' => array( 'name' => $library->name, 'version' => $library->major_version . '.' . $library->minor_version,
Exploit Outline
The exploit targets an authenticated Administrator interacting with the H5P library management interface. 1. The attacker identifies a valid H5P library ID. 2. The attacker crafts a URL targeting `/wp-admin/admin.php?page=h5p_libraries&task=upgrade&id=[ID]&destination=javascript:alert(1)`. 3. When the admin visits this URL and either completes an upgrade or clicks a 'Cancel/Return' link, the malicious `destination` payload is rendered directly into an `<a>` tag's `href` attribute without sanitization. 4. If the administrator clicks the resulting link, the JavaScript payload executes in their session, potentially allowing for site takeover or data theft.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.