[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fN-UsdXpm4bwBeGvIFp5wifa71He7-0rWOo_DrL4RVi4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-56006","interactive-content-h5p-reflected-cross-site-scripting","Interactive Content – H5P \u003C= 1.17.6 - Reflected Cross-Site Scripting","The Interactive Content – H5P plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.17.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","h5p",null,"\u003C=1.17.6","1.17.7","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-18 00:00:00","2026-06-23 15:34:54",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4e7e4601-337f-4e4e-b265-63f68f8f8d73?source=api-prod",6,[22,23,24,25],"admin\u002Fclass-h5p-library-admin.php","h5p.php","public\u002Fclass-h5p-plugin.php","readme.txt","researched",false,3,"This exploitation research plan targets **CVE-2026-56006**, a reflected Cross-Site Scripting (XSS) vulnerability in the Interactive Content – H5P plugin for WordPress.\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the library management interface of the H5P plugin. Specifically, the `destination` and `id` query parameters are used in the admin views (`admin\u002Fviews\u002Flibrary-delete.php` and `admin\u002Fviews\u002Flibrary-content-upgrade.php`) without sufficient output escaping. While the controller (`admin\u002Fclass-h5p-library-admin.php`) performs some sanitization on the `id` for database queries, the view files directly access `$_GET` or `$_REQUEST` parameters to render \"Cancel\" links or form actions, allowing an attacker to inject arbitrary JavaScript.\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Endpoint**: `\u002Fwp-admin\u002Fadmin.php`\n*   **Action\u002FPage**: `h5p_libraries`\n*   **Vulnerable Parameters**: `destination` (Primary), `id` (Secondary in views)\n*   **Authentication Required**: Unauthenticated attacker (targeting an authenticated Administrator). The CVSS vector `PR:N\u002FUI:R` indicates that an attacker can trigger this by tricking a logged-in admin into clicking a malicious link.\n*   **Preconditions**: At least one H5P library must be installed\u002Fuploaded so that the `id` parameter points to a valid database record, allowing the `get_library()` check to pass and the vulnerable view to be included.\n\n### 3. Code Flow\n1.  An administrator clicks a link: `\u002Fwp-admin\u002Fadmin.php?page=h5p_libraries&task=delete&id=1&destination=javascript:alert(1)`\n2.  ","The Interactive Content – H5P plugin for WordPress is vulnerable to reflected Cross-Site Scripting (XSS) due to improper sanitization and escaping of the 'destination' query parameter in its administrative library management pages. An attacker can exploit this by tricking an authenticated administrator into clicking a crafted link, leading to the execution of arbitrary JavaScript in the context of the user's browser session.","\u002F* File: admin\u002Fclass-h5p-library-admin.php (Line ~448 in 1.17.6) *\u002F\n'done' => sprintf(__('You have successfully upgraded %s.', $this->plugin_slug), $contents_plural) . ($return ? '\u003Cbr\u002F>\u003Ca href=\"' . $return . '\">' . __('Return', $this->plugin_slug) . '\u003C\u002Fa>' : ''),\n\n---\n\n\u002F* The vulnerability also affects library-delete.php and library-content-upgrade.php views where $_GET['destination'] is rendered directly into 'href' attributes or form 'action' attributes without escaping. *\u002F","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fh5p\u002F1.17.6\u002Fadmin\u002Fclass-h5p-library-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fh5p\u002F1.17.7\u002Fadmin\u002Fclass-h5p-library-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fh5p\u002F1.17.6\u002Fadmin\u002Fclass-h5p-library-admin.php\t2026-03-03 13:17:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fh5p\u002F1.17.7\u002Fadmin\u002Fclass-h5p-library-admin.php\t2026-05-07 10:45:56.000000000 +0000\n@@ -445,7 +445,7 @@\n         'errorLibrary' => __('Missing required library %lib.', $this->plugin_slug),\n         'errorTooHighVersion' => __('Parameters contain %used while only %supported or earlier are supported.', $this->plugin_slug),\n         'errorNotSupported' => __('Parameters contain %used which is not supported.', $this->plugin_slug),\n-        'done' => sprintf(__('You have successfully upgraded %s.', $this->plugin_slug), $contents_plural) . ($return ? '\u003Cbr\u002F>\u003Ca href=\"' . $return . '\">' . __('Return', $this->plugin_slug) . '\u003C\u002Fa>' : ''),\n+        'done' => sprintf(__('You have successfully upgraded %s.', $this->plugin_slug), $contents_plural) . ($return && wp_http_validate_url($return) ? '\u003Cbr\u002F>\u003Ca href=\"' . sanitize_url($return) . '\">' . __('Return', $this->plugin_slug) . '\u003C\u002Fa>' : ''),\n         'library' => array(\n           'name' => $library->name,\n           'version' => $library->major_version . '.' . $library->minor_version,","The exploit targets an authenticated Administrator interacting with the H5P library management interface. 1. The attacker identifies a valid H5P library ID. 2. The attacker crafts a URL targeting `\u002Fwp-admin\u002Fadmin.php?page=h5p_libraries&task=upgrade&id=[ID]&destination=javascript:alert(1)`. 3. When the admin visits this URL and either completes an upgrade or clicks a 'Cancel\u002FReturn' link, the malicious `destination` payload is rendered directly into an `\u003Ca>` tag's `href` attribute without sanitization. 4. If the administrator clicks the resulting link, the JavaScript payload executes in their session, potentially allowing for site takeover or data theft.","gemini-3-flash-preview","2026-06-25 21:14:08","2026-06-25 21:15:53",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.17.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fh5p\u002Ftags\u002F1.17.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fh5p.1.17.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fh5p\u002Ftags\u002F1.17.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fh5p.1.17.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fh5p\u002Ftags"]