[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQB20tn3dt5mRY0LFxjy0BcvkgoUSDqCOPmo-P3peS-4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-1191","javascript-notifier-authenticated-administrator-stored-cross-site-scripting-via-plugin-settings","JavaScript Notifier \u003C= 1.2.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings","The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","javascript-notifier",null,"\u003C=1.2.8","1.2.9","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-23 20:32:01","2026-02-03 19:49:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F97696702-4d40-41dd-a25f-f2ee7681a2c9?source=api-prod",11,[],"researched",false,3,"This research plan outlines the steps to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the **JavaScript Notifier** plugin for WordPress (versions \u003C= 1.2.8).\n\n## 1. Vulnerability Summary\nThe **JavaScript Notifier** plugin fails to properly sanitize and escape settings saved by an administrator. These settings are subsequently retrieved and rendered directly into the site's footer via the `wp_footer` action hook. An attacker with administrator-level privileges can inject arbitrary JavaScript, which will execute in the context of any user (including other administrators) who visits the site's frontend.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** WordPress Admin Settings (`\u002Fwp-admin\u002Foptions.php`).\n*   **Vulnerable Action:** `wp_footer` (frontend rendering).\n*   **Vulnerable Parameters:** The specific setting fields registered by the plugin (likely `js_notifier_text` or similar).\n*   **Preconditions:**\n    *   Authenticated user with `administrator` privileges (required to access the settings page).\n    *   Plugin version \u003C= 1.2.8 installed and active.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point (Admin):** The administrator navigates to the plugin's settings page, usually registered via `add_options_page()` in a function hooked to `admin_menu`.\n2.  **Storage:** Settings are registered via `register_setting()`. When the form is submitted to `options.php`, WordPress calls `update_option()`. The plugin fails to provide a `sanitize_callback` during registration, or the callback is insufficient.\n3.  **Sink (Frontend):** The plugin registers a function to the `wp_footer` hook:\n    ```php\n    add_action('wp_footer', 'javascript_notifier_display');\n    ```\n4.  **Rendering:** Inside `javascript_notifier_display()`, the plugin retrieves the stored option:\n    ```php\n    $options = get_option('javascript_notifier_settings');\n    echo $options['notifier_text']; \u002F\u002F VULNERABLE: No esc_html() or esc_attr()\n    ```\n\n## 4. Nonce Acquisition Strategy\nTo update the settings via `options.php`, a valid settings nonce and the `option_page` identifier are required.\n\n1.  **Identify the Page:** Navigate to the JavaScript Notifier settings page (likely `wp-admin\u002Foptions-general.php?page=javascript-notifier`).\n2.  **Identify the Option Group:** Look for the hidden input field `option_page`.\n3.  **Extract Nonce:**\n    *   Action: `browser_navigate` to the settings page.\n    *   Action: `browser_eval` to extract the nonce:\n        ```javascript\n        ({\n            nonce: document.querySelector('input[name=\"_wpnonce\"]')?.value,\n            option_page: document.querySelector('input[name=\"option_page\"]')?.value\n        })\n        ```\n\n## 5. Exploitation Strategy\n### Step 1: Discover Setting Parameters\nSince source files are not provided, we first need to identify the exact key used in the `options.php` request.\n1.  Navigate to the settings page.\n2.  Inspect the `name` attributes of the input fields (e.g., `javascript_notifier_options[message]`).\n\n### Step 2: Inject Payload\nSubmit a POST request to `options.php` as an administrator.\n\n*   **URL:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Foptions.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body (Example):**\n    ```\n    option_page=javascript_notifier_settings&\n    _wpnonce=\u003CEXTRACTED_NONCE>&\n    action=update&\n    javascript_notifier_options[message]=\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n    ```\n\n### Step 3: Trigger Execution\nNavigate to any frontend page of the WordPress site. The `wp_footer` hook executes on every frontend page load.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `javascript-notifier` version 1.2.8 is installed.\n2.  **User:** Create an administrator user.\n3.  **Plugin Config:** Navigate to the settings page once to ensure the option is initialized in the database.\n\n## 7. Expected Results\n*   The `options.php` request should return a `302 Redirect` back to the settings page with `settings-updated=true`.\n*   Viewing the frontend source code (near the closing `\u003C\u002Fbody>` tag) should show the raw payload: `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n*   A JavaScript alert box should appear when visiting the site's homepage.\n\n## 8. Verification Steps\nAfter the exploit, use `wp-cli` to verify the state of the database:\n```bash\n# Check the stored option value\nwp option get javascript_notifier_options\n```\nVerify that the `message` (or relevant key) contains the unescaped `\u003Cscript>` tag.\n\n## 9. Alternative Approaches\nIf the plugin uses a custom AJAX handler instead of the Options API:\n1.  Search for `wp_ajax_` hooks in the plugin code: `grep -r \"wp_ajax_\" .`.\n2.  Locate the saving function and check for nonce verification: `check_ajax_referer('...', '...')`.\n3.  Construct an AJAX POST request to `wp-admin\u002Fadmin-ajax.php`.\n\nIf the XSS is rendered inside an existing `\u003Cscript>` block rather than directly in HTML:\n1.  Payload: `\";alert(document.domain);\u002F\u002F`\n2.  Check for `wp_add_inline_script` or `wp_localize_script` calls that might be the sink.","gemini-3-flash-preview","2026-05-05 01:17:35","2026-05-05 01:17:54",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjavascript-notifier\u002Ftags"]