CVE-2026-10553

jQuery Hover Footnotes <= 1.4 - Cross-Site Request Forgery to Plugin Settings Update

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotes_options_subpanel function. This makes it possible for unauthenticated attackers to update the plugin's settings with arbitrary values that, because option values such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title are echoed unescaped into frontend page content, can be chained into persistent Cross-Site Scripting affecting all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation of the CSRF vulnerability can be chained into stored Cross-Site Scripting, as the overwritten option values are persisted via update_option() without sanitization and rendered unescaped on the frontend.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.4
PublishedJune 8, 2026
Last updatedJune 9, 2026
Affected pluginjquery-hover-footnotes
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-10553 (jQuery Hover Footnotes) ## 1. Vulnerability Summary The **jQuery Hover Footnotes** plugin (<= 1.4) is vulnerable to a Cross-Site Request Forgery (CSRF) vulnerability. The flaw exists in the `jqFootnotes_options_subpanel` function, which handles the savi…

Show full research plan

Exploitation Research Plan: CVE-2026-10553 (jQuery Hover Footnotes)

1. Vulnerability Summary

The jQuery Hover Footnotes plugin (<= 1.4) is vulnerable to a Cross-Site Request Forgery (CSRF) vulnerability. The flaw exists in the jqFootnotes_options_subpanel function, which handles the saving of plugin settings. Because the function lacks a nonce check (e.g., check_admin_referer), an attacker can trick an authenticated administrator into submitting a forged request to update plugin options.

Crucially, this CSRF vulnerability can be chained into Stored Cross-Site Scripting (XSS). Several settings—specifically jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title—are saved without sanitization and subsequently rendered on the frontend without escaping. This allows an attacker to inject malicious JavaScript that executes in the context of every site visitor.

2. Attack Vector Analysis

  • Vulnerable Endpoint: wp-admin/options-general.php?page=jquery-hover-footnotes (inferred from common plugin patterns) or wp-admin/admin.php?page=jquery-hover-footnotes.
  • Vulnerable Action: The form submission handled by the jqFootnotes_options_subpanel function.
  • Payload Parameters:
    • jqfoot_anchor_open
    • jqfoot_anchor_close
    • jqfoot_title (Primary XSS vector)
  • Authentication Requirement: The request must be made by a user with the manage_options capability (typically an Administrator).
  • Preconditions: The plugin must be active, and a victim administrator must be tricked into clicking a link or visiting a malicious page while logged in.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an admin menu page (likely via add_options_page or add_submenu_page in an admin_menu hook).
  2. Callback: The function jqFootnotes_options_subpanel is called to render the settings page.
  3. Vulnerable Logic: Inside jqFootnotes_options_subpanel, the code likely checks if $_POST data exists (e.g., isset($_POST['info_update'])).
  4. Missing Check: The code proceeds to update settings using update_option() without calling check_admin_referer() or verifying a nonce.
  5. Sink: The options are saved to the wp_options table.
  6. XSS Execution: On the frontend, a function (likely hooked to the_content or wp_head) retrieves these options using get_option() and echoes them directly into the HTML.

4. Nonce Acquisition Strategy

According to the vulnerability description, the flaw is precisely that nonce validation is missing.

  • Strategy: No nonce is required for exploitation. The exploit should attempt a POST request omitting any _wpnonce or security parameters to confirm the lack of protection.

5. Exploitation Strategy

The goal is to perform a CSRF that updates the jqfoot_title option with a Stored XSS payload.

Step 1: Login and Session Initialization

The automated agent must first authenticate as an administrator to obtain the necessary session cookies.

Step 2: Perform the Forged Settings Update

Using the http_request tool, send a POST request to the settings page.

  • URL: http://localhost:8080/wp-admin/options-general.php?page=jquery-hover-footnotes (inferred)
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    jqfoot_anchor_open=[&
    jqfoot_anchor_close=]&
    jqfoot_title=Footnote"><script>alert(document.domain)</script>&
    info_update=Update Options
    
    (Note: info_update is a common submit button name in older plugins; the agent should verify the actual name via browser_navigate if this fails).

Step 3: Trigger the XSS

Navigate to a public post or page that contains a footnote (or create one) to trigger the rendering of the malicious jqfoot_title.

  • URL: http://localhost:8080/?p=1 (default hello-world post)

6. Test Data Setup

  1. Install Plugin: Ensure jquery-hover-footnotes version 1.4 is installed and active.
  2. Create Content: Create a post containing a footnote marker. The plugin usually looks for specific syntax like ((This is a footnote)).
    wp post create --post_type=post --post_title="Vulnerability Test" --post_status=publish --post_content="Testing footnotes here ((Malicious Footnote Content))."
    

7. Expected Results

  • Settings Update: The HTTP 302 redirect after the POST request should lead back to the settings page, and the jqfoot_title value in the database should be updated.
  • XSS Execution: Upon navigating to the post created in Step 6, the browser should execute the <script>alert(document.domain)</script> payload, manifesting as an alert box.

8. Verification Steps

After the exploit attempt, use WP-CLI to confirm the option was changed:

wp option get jqfoot_title

Expected output: Footnote"><script>alert(document.domain)</script>

Check if the payload is rendered on the frontend:

curl -s http://localhost:8080/ | grep "alert(document.domain)"

9. Alternative Approaches

  • Endpoint Guessing: If options-general.php?page=jquery-hover-footnotes is incorrect, use WP-CLI to find the correct slug:
    wp eval "global \$menu; print_r(\$menu);"
    
  • Parameter Guessing: If info_update is not the correct trigger, navigate to the settings page using browser_navigate and use browser_eval to inspect the form's field names:
    browser_eval("Array.from(document.querySelectorAll('input')).map(i => i.name)")
    
  • Action Hook: If the plugin saves settings via admin-post.php, the payload must include an action parameter (e.g., action=jqFootnotes_save_settings). Check the source for add_action('admin_post_...').
Research Findings
Static analysis — not yet PoC-verified

Summary

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.4 because it lacks nonce validation in its settings update function. An attacker can exploit this to change plugin settings, including parameters like 'jqfoot_title' that are rendered unescaped on the frontend, resulting in Stored Cross-Site Scripting (XSS).

Vulnerable Code

function jqFootnotes_options_subpanel() {
    /* ... snippet typically found in jquery-hover-footnotes.php ... */
    if (isset($_POST['info_update'])) {
        // No check_admin_referer() or wp_verify_nonce() called here
        update_option('jqfoot_anchor_open', $_POST['jqfoot_anchor_open']);
        update_option('jqfoot_anchor_close', $_POST['jqfoot_anchor_close']);
        update_option('jqfoot_title', $_POST['jqfoot_title']);
        echo '<div class="updated"><p><strong>Options saved.</strong></p></div>';
    }
    /* ... */
}

Security Fix

--- jquery-hover-footnotes.php
+++ jquery-hover-footnotes.php
@@ -1,7 +1,8 @@
 function jqFootnotes_options_subpanel() {
-    if (isset($_POST['info_update'])) {
-        update_option('jqfoot_anchor_open', $_POST['jqfoot_anchor_open']);
-        update_option('jqfoot_anchor_close', $_POST['jqfoot_anchor_close']);
-        update_option('jqfoot_title', $_POST['jqfoot_title']);
+    if (isset($_POST['info_update']) && check_admin_referer('jqfoot_settings_save')) {
+        update_option('jqfoot_anchor_open', sanitize_text_field($_POST['jqfoot_anchor_open']));
+        update_option('jqfoot_anchor_close', sanitize_text_field($_POST['jqfoot_anchor_close']));
+        update_option('jqfoot_title', sanitize_text_field($_POST['jqfoot_title']));
         echo '<div class="updated"><p><strong>Options saved.</strong></p></div>';
     }
+    // In the HTML form render logic:
+    // wp_nonce_field('jqfoot_settings_save');

Exploit Outline

The exploit targets an authenticated administrator to perform an unauthorized configuration change. 1. The attacker crafts a malicious HTML form or auto-submitting script (CSRF) targeting 'wp-admin/options-general.php?page=jquery-hover-footnotes'. 2. The payload sets the 'jqfoot_title' parameter to a malicious script, such as '"><script>alert(document.domain)</script>'. 3. The attacker tricks a logged-in administrator into visiting a page containing the CSRF payload. 4. Because the plugin lacks nonce validation, the 'update_option' call executes, saving the malicious script into the database. 5. The script is subsequently executed in the context of every site visitor who views a page containing a footnote, as the 'jqfoot_title' value is echoed without escaping.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.