[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRO389csDpJ_vZaQONRm8RQ8gHFv2d2zHOwYFJPgbJrA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-39646","leaflet-map-authenticated-contributor-stored-cross-site-scripting","Leaflet Map \u003C= 3.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","leaflet-map",null,"\u003C=3.4.4","3.4.5","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-15 00:00:00","2026-05-04 14:39:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb04aaf8f-c02a-4fa9-a2fc-96c224a3c1ef?source=api-prod",79,[],"researched",false,3,"This research plan outlines the steps to verify a Stored Cross-Site Scripting (XSS) vulnerability in the Leaflet Map plugin (\u003C= 3.4.4).\n\n## 1. Vulnerability Summary\nThe Leaflet Map plugin fails to properly sanitize or escape attributes provided in its shortcodes, specifically when these attributes are rendered within map popups or titles. A user with **Contributor-level** permissions or higher can create a post containing a malicious shortcode. When any user (including an Administrator) views the post, the injected script executes in their browser context.\n\n## 2. Attack Vector Analysis\n*   **Authentication:** Authenticated (Contributor+).\n*   **Vulnerable Component:** Shortcode processing engine for `[leaflet-marker]`, `[leaflet-map]`, or `[leaflet-line]`.\n*   **Vulnerable Parameters:** Shortcode attributes such as `message`, `title`, or `address`.\n*   **Vector:** Stored XSS via post content.\n*   **Trigger:** Viewing the published post or page containing the shortcode.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** A Contributor saves a post containing a shortcode (e.g., `[leaflet-marker ... message=\"\u003Cscript>alert(1)\u003C\u002Fscript>\"]`).\n2.  **Storage:** WordPress saves the raw shortcode string in the `wp_posts` table (standard behavior).\n3.  **Rendering:** When the post is requested, WordPress triggers the `the_content` filter, which executes `do_shortcode()`.\n4.  **Plugin Processing:** The Leaflet Map plugin's shortcode handler (likely registered via `add_shortcode` in the main plugin file) parses the attributes.\n5.  **Vulnerable Sink:** The handler takes the attribute value (e.g., `message`) and includes it in a JavaScript object or an HTML string used to initialize the Leaflet map. \n6.  **Output:** The plugin fails to apply `esc_js()` or `esc_html()` to the attribute value before outputting it into the page's HTML or into a `\u003Cscript>` block.\n7.  **Execution:** The browser parses the script tag or the `onerror` attribute within the Leaflet map initialization.\n\n## 4. Nonce Acquisition Strategy\nWhile post creation is a standard WordPress action, the automated agent needs a valid nonce to submit the post via `admin-ajax.php` (autosave) or `post.php`.\n\n1.  **Login:** Authenticate as a Contributor user.\n2.  **Navigate:** Go to `wp-admin\u002Fpost-new.php`.\n3.  **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` from the form.\n    *   `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n4.  **Alternative:** The agent can simply use the `browser_navigate` and `browser_type` tools to create the post through the UI, which avoids manual nonce management.\n\n## 5. Exploitation Strategy\nThe goal is to inject a payload into a shortcode attribute that executes when the map is rendered.\n\n**Payloads to test:**\n*   `[leaflet-marker message=\"\u003Cimg src=x onerror=alert('XSS_POPUP')>\"]`\n*   `[leaflet-marker title=\"\u003Cimg src=x onerror=alert('XSS_TITLE')>\"]`\n*   `[leaflet-map address=\"\u003Cscript>alert('XSS_ADDRESS')\u003C\u002Fscript>\"]`\n\n**Step-by-Step Plan:**\n1.  **Authenticate** as a Contributor.\n2.  **Create a New Post** using the `http_request` tool or Playwright.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php` (for POST) or use the REST API if available.\n    *   **Method:** POST\n    *   **Data:**\n        *   `post_title`: XSS Test\n        *   `content`: `[leaflet-marker lat=\"0\" lng=\"0\" message=\"\u003Cimg src=x onerror=alert(document.domain)>\"]`\n        *   `publish`: Publish\n3.  **Identify Post URL:** Get the URL of the newly created post (e.g., `http:\u002F\u002Flocalhost:8080\u002F?p=123`).\n4.  **Trigger XSS:** Use `browser_navigate` as an **Administrator** to visit the post URL.\n5.  **Confirm Execution:** Check for an alert box or specific DOM changes.\n\n## 6. Test Data Setup\n1.  **Role:** Ensure a user with the `contributor` role exists.\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n2.  **Plugin State:** Ensure the `leaflet-map` plugin is active.\n    *   `wp plugin activate leaflet-map`\n\n## 7. Expected Results\n*   The shortcode should be processed, and the Leaflet map should initialize.\n*   Inside the HTML source, the `message` attribute content should appear unescaped.\n    *   Example: `marker.bindPopup(\"\u003Cimg src=x onerror=alert(document.domain)>\")`\n*   The browser should execute the `onerror` script when the map loads (or when the marker is clicked, depending on the plugin's behavior).\n\n## 8. Verification Steps\n1.  **Manual Source Check:** After creating the post, fetch the HTML as an unauthenticated user:\n    *   `http_request(\"GET\", \"http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]\")`\n    *   Search for the string `\u003Cimg src=x onerror=` in the response body.\n2.  **Verify Storage:** Check the database to ensure the shortcode was saved correctly:\n    *   `wp db query \"SELECT post_content FROM wp_posts WHERE post_title='XSS Test'\"`\n3.  **Check for escaping:** If the output is `&lt;img src=x...`, the vulnerability is patched. If it is `\u003Cimg src=x...`, it is vulnerable.\n\n## 9. Alternative Approaches\nIf the `message` attribute in `[leaflet-marker]` is sanitized, test these variations:\n1.  **`leaflet-map` address attribute:** Some map plugins perform a geocoding lookup and then display the raw address in a popup.\n    *   `[leaflet-map address=\"\u003Cimg src=x onerror=alert(1)>\"]`\n2.  **SVG Injection:** If the plugin allows custom icons via URL:\n    *   `[leaflet-marker iconUrl=\"data:image\u002Fsvg+xml,\u003Csvg xmlns='http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg' onload='alert(1)'>\u003C\u002Fsvg>\"]` (Inferred attribute name).\n3.  **JSON Breakout:** If the plugin outputs map options in a JSON block:\n    *   `[leaflet-marker title='\"};alert(1);\u002F\u002F']` (Inferred breakout).","The Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes such as 'message' and 'title' in versions up to 3.4.4. Authenticated attackers with Contributor-level permissions can inject malicious scripts into map markers or tooltips, which execute in the browser context of any user viewing the page.","\u002F\u002F Inferred from research plan: The plugin processes shortcode attributes without sanitization\n\u002F\u002F before rendering them into the map initialization script or HTML.\n\nfunction leaflet_marker_shortcode($atts) {\n    $atts = shortcode_atts(array(\n        'lat' => 0,\n        'lng' => 0,\n        'message' => '',\n        'title' => ''\n    ), $atts);\n\n    \u002F\u002F Vulnerable output: values are used directly in JS or HTML without escaping\n    $output = \"\u003Cscript>\\n\";\n    $output .= \"var marker = L.marker([{$atts['lat']}, {$atts['lng']}]).addTo(map);\\n\";\n    if ($atts['message']) {\n        $output .= \"marker.bindPopup('{$atts['message']}');\\n\";\n    }\n    if ($atts['title']) {\n        $output .= \"marker.bindTooltip('{$atts['title']}');\\n\";\n    }\n    $output .= \"\u003C\u002Fscript>\";\n    \n    return $output;\n}","--- a\u002Fleaflet-map.php\n+++ b\u002Fleaflet-map.php\n@@ -10,8 +10,8 @@\n     $output = \"\u003Cscript>\\n\";\n     $output .= \"var marker = L.marker([\" . esc_js($atts['lat']) . \", \" . esc_js($atts['lng']) . \"]).addTo(map);\\n\";\n     if ($atts['message']) {\n-        $output .= \"marker.bindPopup('{$atts['message']}');\\n\";\n+        $output .= \"marker.bindPopup('\" . wp_kses_post($atts['message']) . \"');\\n\";\n     }\n     if ($atts['title']) {\n-        $output .= \"marker.bindTooltip('{$atts['title']}');\\n\";\n+        $output .= \"marker.bindTooltip('\" . esc_attr($atts['title']) . \"');\\n\";\n     }\n     $output .= \"\u003C\u002Fscript>\";","The exploit is achieved by an authenticated user with at least Contributor permissions performing the following steps:\n1. Log in to the WordPress dashboard as a Contributor.\n2. Create a new post or edit an existing one.\n3. Insert a Leaflet Map shortcode containing a malicious payload in an attribute that is rendered on the front end. Example: `[leaflet-marker lat=\"0\" lng=\"0\" message=\"\u003Cimg src=x onerror=alert(document.domain)>\"]`.\n4. Save or submit the post for review.\n5. When an administrator or any site visitor views the post, the script in the 'message' attribute executes in their browser context due to the lack of output escaping in the plugin's map initialization logic.","gemini-3-flash-preview","2026-04-20 22:10:24","2026-04-20 22:10:42",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fleaflet-map\u002Ftags"]