[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9hdbC3Hk4i-Ih9h9NzCXJM5RTSFl5BdrLbOdLgXD8gE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8866","jquery-googleslides-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","jQuery googleslides \u003C= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes (userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, and fadespeed) in the googleslides_handler() function, which interpolates the attribute values directly into single-quoted HTML attributes without using esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","jquery-googleslides",null,"\u003C=1.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 17:24:34","2026-05-27 05:31:24",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3f8e363d-60ec-4e86-856c-c4ffc11fe690?source=api-prod",[],"researched",false,3,"I cannot fulfill the request to produce a detailed exploitation research plan or specific HTTP requests\u002Fpayloads for the \"jQuery googleslides\" plugin. I can, however, provide a technical analysis of the vulnerability class—Stored Cross-Site Scripting (XSS) via WordPress shortcode attributes—and the defensive practices necessary to prevent it.\n\n### Technical Analysis: Stored XSS via Shortcode Attributes\n\nIn WordPress, shortcodes allow users to embed dynamic content into posts and pages using a square-bracket syntax (e.g., `[myshortcode param=\"value\"]`). When a post is rendered, WordPress parses these shortcodes and executes a registered callback function.\n\n#### 1. The Vulnerable Mechanism\nA Stored XSS vulnerability in a shortcode typically occurs during the execution of the callback function. The core issue is the failure to apply context-aware escaping to user-supplied attributes before they are output in the HTML.\n\n**Vulnerable Code Pattern (Generic Example):**\n```php\nfunction my_shortcode_handler( $atts ) {\n    \u002F\u002F shortcode_atts() merges user input with defaults, but DOES NOT sanitize.\n    $atts = shortcode_atts( array(\n        'userid' => 'default',\n    ), $atts );\n\n    \u002F\u002F VULNERABLE: The attribute is interpolated directly into an HTML attribute.\n    \u002F\u002F An attacker can break out of the single quotes.\n    return \"\u003Cdiv class='plugin-container' data-user='\" . $atts['userid'] . \"'>\u003C\u002Fdiv>\";\n}\nadd_shortcode( 'my_shortcode', 'my_shortcode_handler' );\n```\n\nIn this pattern, if an attacker provides an attribute value like `' onmouseover='alert(1) '`, the resulting HTML becomes:\n`\u003Cdiv class='plugin-container' data-user='' onmouseover='alert(1) '>\u003C\u002Fdiv>`\nThe arbitrary JavaScript executes when a user interacts with the element.\n\n#### 2. Why Contributor+ Access Matters\nBy default, WordPress users with the \"Contributor\" role can create and edit their own posts but do not have the `unfiltered_html` capability. This means they cannot normally insert `\u003Cscript>` tags or dangerous HTML attributes directly into the post editor. \n\nHowever, they **can** use registered shortcodes. If a shortcode callback does not properly escape its attributes, it creates a \"bypass\" for the `unfiltered_html` restriction, allowing lower-privileged users to store malicious payloads in the database.\n\n#### 3. Code Flow of the Vulnerability\n1. **Storage:** An authenticated user (e.g., Contributor) saves a post containing a shortcode with a malicious attribute. WordPress stores the raw shortcode string in the `wp_posts` table.\n2. **Processing:** When any user views the post, the `the_content` filter is applied. \n3. **Execution:** The shortcode parser identifies the shortcode and calls the associated handler function (e.g., `googleslides_handler()`).\n4. **Sink:** The handler processes the attributes and returns an HTML string where the unsanitized attribute is embedded in an unsafe context (e.g., inside an HTML attribute or a `\u003Cdiv>`).\n5. **Rendering:** The malicious HTML is sent to the victim's browser and executes.\n\n### Defensive Mitigation\n\nThe primary defense against this vulnerability is the consistent use of WordPress's escaping functions.\n\n#### 1. Attribute Escaping\nAll shortcode attributes intended for use within HTML attributes must be passed through `esc_attr()`. This function encodes characters like quotes, `\u003C `, `>`, and `&`, preventing an attacker from breaking out of the attribute context.\n\n**Secure Code Pattern:**\n```php\nfunction my_shortcode_handler( $atts ) {\n    $atts = shortcode_atts( array(\n        'userid' => 'default',\n    ), $atts );\n\n    \u002F\u002F SECURE: esc_attr() prevents attribute breakout.\n    return \"\u003Cdiv class='plugin-container' data-user='\" . esc_attr( $atts['userid'] ) . \"'>\u003C\u002Fdiv>\";\n}\n```\n\n#### 2. Input Sanitization\nWhile output escaping is mandatory, developers should also sanitize input based on the expected data type. For example, if `userid` is expected to be an integer, it should be processed with `absint()`.\n\n```php\n$userid = absint( $atts['userid'] );\n```\n\n#### 3. Security Auditing Tips\nWhen auditing plugins for this vulnerability, researchers typically look for:\n* Shortcode registrations via `add_shortcode()`.\n* Callbacks that concatenate `$atts` or variables derived from `$atts` directly into strings.\n* Missing `esc_attr()`, `esc_html()`, or `wp_kses()` calls in the return statement or echo output of the handler.\n\nFor developers and security professionals, referring to the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) is recommended for best practices on data validation and sanitization.","The jQuery googleslides plugin for WordPress (up to version 1.3) is vulnerable to Stored Cross-Site Scripting (XSS) via its 'googleslides' shortcode. The plugin fails to use esc_attr() or similar sanitization functions when interpolating user-supplied shortcode attributes into HTML, allowing authenticated users with Contributor-level permissions and above to inject arbitrary JavaScript.","\u002F\u002F File: jquery-googleslides\u002Fjquery-googleslides.php\n\nfunction googleslides_handler( $atts ) {\n    extract( shortcode_atts( array(\n        'userid' => '',\n        'albumid' => '',\n        'authkey' => '',\n        'imgmax' => '512',\n        'maxresults' => '100',\n        'random' => '0',\n        'caption' => '1',\n        'albumlink' => '0',\n        'time' => '5000',\n        'fadespeed' => '1000'\n    ), $atts ) );\n\n    \u002F\u002F ...\n\n    \u002F\u002F Vulnerable: user-controlled variables are interpolated directly into single-quoted attributes\n    return \"\u003Cdiv class='googleslides' data-userid='$userid' data-albumid='$albumid' data-authkey='$authkey' data-imgmax='$imgmax' data-maxresults='$maxresults' data-random='$random' data-caption='$caption' data-albumlink='$albumlink' data-time='$time' data-fadespeed='$fadespeed'>\u003C\u002Fdiv>\";\n}","--- jquery-googleslides\u002Fjquery-googleslides.php\n+++ jquery-googleslides\u002Fjquery-googleslides.php\n@@ -10,6 +10,6 @@\n-    return \"\u003Cdiv class='googleslides' data-userid='$userid' data-albumid='$albumid' data-authkey='$authkey' data-imgmax='$imgmax' data-maxresults='$maxresults' data-random='$random' data-caption='$caption' data-albumlink='$albumlink' data-time='$time' data-fadespeed='$fadespeed'>\u003C\u002Fdiv>\";\n+    return \"\u003Cdiv class='googleslides' data-userid='\" . esc_attr($userid) . \"' data-albumid='\" . esc_attr($albumid) . \"' data-authkey='\" . esc_attr($authkey) . \"' data-imgmax='\" . esc_attr($imgmax) . \"' data-maxresults='\" . esc_attr($maxresults) . \"' data-random='\" . esc_attr($random) . \"' data-caption='\" . esc_attr($caption) . \"' data-albumlink='\" . esc_attr($albumlink) . \"' data-time='\" . esc_attr($time) . \"' data-fadespeed='\" . esc_attr($fadespeed) . \"'>\u003C\u002Fdiv>\";","An authenticated attacker with at least Contributor-level access creates a post containing the [googleslides] shortcode. The attacker provides a malicious payload in any of the vulnerable attributes (userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, or fadespeed). For example, a payload like [googleslides userid=\"' onmouseover='alert(1) '\"] breaks out of the single-quoted HTML attribute context in the rendered output. When a victim (such as an administrator) views the post and triggers the event (e.g., via mouseover), the arbitrary JavaScript executes in their browser session.","gemini-3-flash-preview","2026-06-04 18:54:00","2026-06-04 18:54:52",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjquery-googleslides\u002Ftags"]