[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRlb0E8u06TLF8sRiPTrTHPHlHHRtVyvAOpLkrz82oys":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-7509","kia-subtitle-improper-neutralization-of-input-during-web-page-generation-cross-site-scripting","KIA Subtitle \u003C= 4.0.1 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]","The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` shortcode `before` and `after` attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","kia-subtitle",null,"\u003C=4.0.1","4.0.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-21 14:37:59","2026-05-22 03:39:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa9a52097-0d85-4036-9b74-f35fea549607?source=api-prod",1,[22,23,24,25,26,27],"assets\u002Fjs\u002Fdist\u002Findex.asset.php","assets\u002Fjs\u002Fdist\u002Findex.js","assets\u002Fjs\u002Fsubtitle.min.js","kia-subtitle.php","languages\u002Fkia-subtitle.pot","readme.txt","researched",false,3,"This research plan outlines the process for analyzing and demonstrating the Stored Cross-Site Scripting (XSS) vulnerability in the **KIA Subtitle** plugin (CVE-2026-7509).\n\n### 1. Vulnerability Summary\nThe KIA Subtitle plugin is vulnerable to **Stored Cross-Site Scripting** via the `[the-subtitle]` shortcode. The vulnerability exists because the plugin's shortcode handler accepts `before` and `after` attributes from the user and outputs them to the page without proper sanitization or escaping (e.g., using `esc_html()` or `wp_kses()`). An authenticated attacker with **Contributor** permissions can create a post containing this shortcode with malicious JavaScript in the attributes, which will execute in the context of any user viewing the post.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post Editor (via `post.php` or REST API)\n*   **Vulnerable Component:** Shortcode callback function for `[the-subtitle]`\n*   **Payload Location:** Shortcode attributes `before` and\u002For `after`\n*   **Authentication Level:** Contributor or higher (any role capable of using shortcodes in post content)\n*   **Precondition:** The post must have a subtitle value set (via the `kia_subtitle` meta field) for the shortcode to generate output.\n\n### 3. Code Flow\n1.  **Registration:** In `kia-subtitle.php`, the shortcode is registered in the constructor: \n    `add_shortcode( 'the-subtitle', array( $this, 'shortcode' ) );` (Line 126).\n2.  **Attribute Handling:** The `shortcode()` method (inferred) likely uses `shortcode_atts()` to extract `before` and `after`.\n3.  **Core Function Call:** The shortcode method likely calls the helper function `the_subtitle()` (documented in `readme.txt`) or `get_the_subtitle()`. \n4.  **The Sink:** The `the_subtitle()` function (or the shortcode handler itself) concatenates the `$before` and `$after` strings with the subtitle content and returns\u002Fechoes the result. Because these strings are not passed through escaping functions before being returned to the WordPress content filter, the injected HTML\u002FJavaScript is rendered by the browser.\n\n### 4. Nonce Acquisition Strategy\nSince the vulnerability is a **Stored XSS** triggered by a Contributor-level user saving a post, we need to acquire the standard WordPress nonces required for post creation.\n\n1.  **Authentication:** Authenticate as a Contributor user using `wp-login.php`.\n2.  **Access Editor:** Navigate to `wp-admin\u002Fpost-new.php`.\n3.  **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` from the page source or the `wp-nonce` required for the REST API if using the Block Editor.\n    *   For the Classic Editor (used by default if Gutenberg is disabled): `document.querySelector('#_wpnonce').value`.\n    *   For the REST API (Gutenberg): The nonce is typically found in `wpApiSettings.nonce`.\n\n### 5. Exploitation Strategy\nThe goal is to create a post as a Contributor that executes an `alert` when viewed by an Admin.\n\n1.  **Setup Phase:** \n    *   Use `wp-cli` to create a Contributor user and a post.\n    *   Crucially, set a value for the `kia_subtitle` meta key so the shortcode produces output.\n2.  **Execution Phase (HTTP):**\n    *   **Step 1:** Log in as the Contributor.\n    *   **Step 2:** Update a post's content to include the malicious shortcode.\n    *   **Payload:** `[the-subtitle before='\u003Cscript>alert(\"XSS_BEFORE\")\u003C\u002Fscript>' after='\u003Cscript>alert(\"XSS_AFTER\")\u003C\u002Fscript>']`\n3.  **HTTP Request Details:**\n    *   **Method:** POST\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body Parameters:**\n        *   `action`: `editpost`\n        *   `post_ID`: `[TARGET_POST_ID]`\n        *   `_wpnonce`: `[EXTRACTED_NONCE]`\n        *   `content`: `[the-subtitle before='\u003Cscript>alert(1)\u003C\u002Fscript>']`\n        *   `post_title`: `XSS Test`\n\n### 6. Test Data Setup\n1.  **Plugin:** Install and activate `kia-subtitle` version 4.0.1.\n2.  **User:** Create a user `attacker` with the `contributor` role.\n3.  **Target Post:** \n    *   `wp post create --post_author=[ATTACKER_ID] --post_title=\"XSS Test\" --post_status=\"publish\" --post_content=\"Shortcode here\"`\n    *   **Important:** `wp post meta set [POST_ID] kia_subtitle \"Valid Subtitle\"` (The shortcode only renders if a subtitle exists).\n\n### 7. Expected Results\nWhen any user (specifically an Administrator) navigates to the permalink of the created post:\n1.  The WordPress engine parses the `[the-subtitle]` shortcode.\n2.  The shortcode handler injects the raw `\u003Cscript>` tags into the page output.\n3.  The browser executes the JavaScript, resulting in an alert box showing `1`.\n\n### 8. Verification Steps\n1.  **Check Meta:** Confirm the meta is set: `wp post meta get [POST_ID] kia_subtitle`.\n2.  **Verify Rendering:** Use `http_request` (GET) on the post URL and check if the raw payload exists in the source:\n    *   `grep \"\u003Cscript>alert(1)\u003C\u002Fscript>\"`\n3.  **Confirm Sink:** Ensure the script is *not* encoded as `&lt;script&gt;`.\n\n### 9. Alternative Approaches\nIf the `before`\u002F`after` attributes are filtered by the WordPress `KSES` system during *saving* (unlikely for shortcodes), try bypassing via attribute breakout:\n*   Payload: `[the-subtitle before='\u003Cimg src=x onerror=alert(1)>']`\n*   If the site uses the Block Editor, try injecting the payload via the `kia\u002Fpost-subtitle` block's attributes if they are mirrored in the shortcode implementation. However, the CVE specifically identifies the shortcode as the primary vector.","The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'the-subtitle' shortcode's 'before' and 'after' attributes. Authenticated attackers with Contributor-level access can inject arbitrary web scripts into these attributes, which are then rendered without sanitization or escaping when the shortcode is processed.","\u002F\u002F kia-subtitle.php line 362\npublic function shortcode( $atts ) {\n\t\t$atts = shortcode_atts( array(\n\t\t\t'before'  => '\u003Ch2 class=\"subtitle\">',\n\t\t\t'after'   => '\u003C\u002Fh2>'\n\t\t), $atts, 'the-subtitle' );\n\n\t\t$atts['echo'] = false;\n\n\t\treturn $this->the_subtitle( $atts );\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fkia-subtitle\u002F4.0.1\u002Fassets\u002Fjs\u002Fdist\u002Findex.asset.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fkia-subtitle\u002F4.0.2\u002Fassets\u002Fjs\u002Fdist\u002Findex.asset.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fkia-subtitle\u002F4.0.1\u002Fassets\u002Fjs\u002Fdist\u002Findex.asset.php\t2024-04-24 18:57:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fkia-subtitle\u002F4.0.2\u002Fassets\u002Fjs\u002Fdist\u002Findex.asset.php\t2026-05-08 21:35:52.000000000 +0000\n@@ -1 +1 @@\n-\u003C?php return array('dependencies' => array('react', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-edit-post', 'wp-hooks', 'wp-i18n', 'wp-plugins', 'wp-primitives'), 'version' => '3036d9bbf621acba6ed8');\n+\u003C?php return array('dependencies' => array('react-jsx-runtime', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-edit-post', 'wp-hooks', 'wp-i18n', 'wp-plugins', 'wp-primitives'), 'version' => '93e2c7f9267828be9f4d');\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fkia-subtitle\u002F4.0.1\u002Fkia-subtitle.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fkia-subtitle\u002F4.0.2\u002Fkia-subtitle.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fkia-subtitle\u002F4.0.1\u002Fkia-subtitle.php\t2024-04-24 18:57:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fkia-subtitle\u002F4.0.2\u002Fkia-subtitle.php\t2026-05-08 21:35:52.000000000 +0000\n@@ -366,6 +366,8 @@\n \t\t\t\t'after'   => '\u003C\u002Fh2>'\n \t\t\t), $atts, 'the-subtitle' );\n \n+\t\t$atts['before'] = wp_kses_post( $atts['before'] );\n+\t\t$atts['after']  = wp_kses_post( $atts['after'] );\n \t\t$atts['echo'] = false;\n \n \t\treturn $this->the_subtitle( $atts );","The exploit target is the `[the-subtitle]` shortcode handler. An attacker with Contributor-level permissions (or higher) can create a post and set a value for the `kia_subtitle` custom field. By then inserting the shortcode `[the-subtitle before='\u003Cscript>alert(1)\u003C\u002Fscript>']` into the post content, the malicious script is stored in the WordPress database. When a user with higher privileges (like an Administrator) views the post on the frontend, the plugin concatenates the raw `before` attribute with the subtitle, causing the script to execute in the user's browser context.","gemini-3-flash-preview","2026-06-04 22:13:48","2026-06-04 22:14:53",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","4.0.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkia-subtitle\u002Ftags\u002F4.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkia-subtitle.4.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkia-subtitle\u002Ftags\u002F4.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkia-subtitle.4.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkia-subtitle\u002Ftags"]