[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxSD1BoD71J2b_amEqHEUMowWzEWuJuYdvOwsQSFUCec":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-15396","library-viewer-reflected-cross-site-scripting","Library Viewer \u003C 3.2.0 - Reflected Cross-Site Scripting","The Library Viewer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 3.2.0 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","library-viewer",null,"\u003C3.2.0","3.2.0","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-06 00:00:00","2026-02-09 20:55:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd3d8164c-3fc0-44fe-856f-725b39c102d6?source=api-prod",4,[],"researched",false,3,"# Research Plan: CVE-2025-15396 - Library Viewer Reflected XSS\n\n## 1. Vulnerability Summary\nThe **Library Viewer** plugin for WordPress is vulnerable to **Reflected Cross-Site Scripting (XSS)** in versions prior to 3.2.0. The vulnerability exists because the plugin fails to sufficiently sanitize and escape user-supplied input before echoing it back into the page. An unauthenticated attacker can execute arbitrary JavaScript in the context of a user's browser by tricking them into clicking a crafted link.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Any frontend page where the Library Viewer plugin is active (typically via a shortcode) or a specific plugin-generated view.\n*   **Vulnerable Parameter:** Likely a query parameter used for filtering, pagination, or specifying a document\u002Flibrary ID (e.g., `lib_id`, `category`, `search`, or `paged`). (Inferred: In reflected XSS for this type of plugin, the parameter is often reflected in a hidden input or as part of a message).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be installed and active. A page containing the plugin's shortcode (`[library-viewer]`) or the main library interface must be accessible.\n\n## 3. Code Flow\n1.  
**Entry Point:** The user requests a URL with a malicious query parameter: `example.com\u002Flibrary\u002F?lib_search=\u003Cscript>alert(1)\u003C\u002Fscript>`.\n2.  **Processing:** The plugin's frontend handler (often in `public\u002Fclass-library-viewer-public.php` or a shortcode callback) retrieves the parameter using `$_GET` or `$_REQUEST`.\n3.  **Reflection:** The plugin uses the raw value of the parameter in an `echo` or `printf` statement within the HTML output, likely to re-populate a search field or display \"Results for: [input]\".\n4.  **Sink:** The unsanitized input is rendered in the DOM, triggering the JavaScript execution.\n\n## 4. Nonce Acquisition Strategy\nReflected XSS typically occurs during a `GET` request to render a page and often does not require a nonce. However, if the reflection occurs via an AJAX-driven search or filter:\n\n1.  **Identify Shortcode:** The plugin likely uses `[library-viewer]`.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Library\" --post_status=publish --post_content='[library-viewer]'\n    ```\n3.  **Identify JS Variable:** Look for `wp_localize_script` in the source. Common names for this plugin might be `library_viewer_params` or `lv_ajax_obj`.\n4.  **Extract Nonce:**\n    If an AJAX nonce is required for the reflected endpoint, use `browser_eval`:\n    ```javascript\n    \u002F\u002F Example (inferred identifiers)\n    browser_eval(\"window.library_viewer_params?.nonce\")\n    ```\n5.  **Bypass Check:** If the code uses `wp_verify_nonce($nonce, -1)` or fails to check the return value of `check_ajax_referer`, the nonce may be unnecessary or easily satisfied.\n\n## 5. Exploitation Strategy\n1.  **Discovery:** Navigate to the page with the shortcode and identify query parameters used in the UI (Search bars, category filters).\n2.  
**Payload Crafting:**\n    *   Simple reflection: `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    *   Attribute breakout: `\">\u003Cscript>alert(1)\u003C\u002Fscript>`\n    *   Event handler (if reflected in an attribute): `' onmouseover='alert(1)`\n3.  **Request Execution:**\n    Use `http_request` to simulate a victim clicking the link.\n    ```json\n    {\n      \"method\": \"GET\",\n      \"url\": \"http:\u002F\u002Flocalhost:8888\u002Flibrary\u002F?search_term=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E\"\n    }\n    ```\n4.  **Verification:** Check the response body for the unescaped payload.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `library-viewer` version \u003C 3.2.0 is active.\n2.  **Configure Library:** Use WP-CLI to ensure at least one \"Library\" or \"Document\" exists if the plugin requires data to render the UI.\n    ```bash\n    # Inferred: Creating a library item if the plugin uses a CPT\n    wp post create --post_type=library_item --post_title=\"Test Document\" --post_status=publish\n    ```\n3.  **Public Page:** Create a page that renders the library:\n    ```bash\n    wp post create --post_type=page --post_title=\"Library View\" --post_status=publish --post_content='[library-viewer]'\n    ```\n\n## 7. Expected Results\n*   The HTTP response will contain the literal string `\u003Cimg src=x onerror=alert(1)>` (or the chosen payload) without being converted to HTML entities (e.g., `&lt;img`).\n*   When viewed in a browser via the `browser_navigate` tool, an alert box or the side effect of the script should be observable.\n\n## 8. Verification Steps\n1.  **Inspect Response:**\n    ```bash\n    # Verify the payload is present and unescaped in the HTML source\n    http_request GET \"http:\u002F\u002Flocalhost:8888\u002Flibrary-view\u002F?search_term=\u003Cscript>alert(1)\u003C\u002Fscript>\" | grep \"\u003Cscript>alert(1)\u003C\u002Fscript>\"\n    ```\n2.  
**Check Source Code (Post-Exploit):** Verify the sink in the plugin files:\n    ```bash\n    grep -r \"echo.*\\$_GET\" wp-content\u002Fplugins\u002Flibrary-viewer\u002F\n    ```\n\n## 9. Alternative Approaches\n*   **POST-based Reflection:** If the search uses `POST`, send the payload in the request body with `Content-Type: application\u002Fx-www-form-urlencoded`.\n*   **AJAX Reflection:** If the UI is SPA-like, check `admin-ajax.php?action=lv_search&term=\u003Cpayload>`. This will likely return JSON where the payload is reflected in a `html` key.\n*   **Pagination\u002FOrdering:** Test parameters like `order`, `orderby`, or `paged` which are frequently reflected in hidden form fields for state persistence.","The Library Viewer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to 3.2.0. This occurs because the plugin fails to sanitize or escape user-supplied query parameters, such as search terms or filter IDs, before echoing them back into the HTML output.","\u002F\u002F Inferred location: public\u002Fclass-library-viewer-public.php or similar shortcode callback\n\u002F\u002F The plugin likely retrieves search or filter parameters directly from the global $_GET array.\n\n$search_value = isset($_GET['lib_search']) ? $_GET['lib_search'] : '';\n\necho '\u003Cinput type=\"text\" name=\"lib_search\" value=\"' . $search_value . '\" \u002F>';\n\n--- \n\n\u002F\u002F Another potential sink in display logic\necho '\u003Ch3>Results for: ' . $_GET['search_term'] . '\u003C\u002Fh3>';","--- a\u002Fpublic\u002Fclass-library-viewer-public.php\n+++ b\u002Fpublic\u002Fclass-library-viewer-public.php\n@@ -25,7 +25,7 @@\n-    $search_value = isset($_GET['lib_search']) ? $_GET['lib_search'] : '';\n+    $search_value = isset($_GET['lib_search']) ? sanitize_text_field($_GET['lib_search']) : '';\n \n-    echo '\u003Cinput type=\"text\" name=\"lib_search\" value=\"' . $search_value . 
'\" \u002F>';\n+    echo '\u003Cinput type=\"text\" name=\"lib_search\" value=\"' . esc_attr($search_value) . '\" \u002F>';\n \n@@ -40,5 +40,5 @@\n-    if (isset($_GET['search_term'])) {\n-        echo '\u003Ch3>Results for: ' . $_GET['search_term'] . '\u003C\u002Fh3>';\n+    if (isset($_GET['search_term'])) {\n+        echo '\u003Ch3>Results for: ' . esc_html($_GET['search_term']) . '\u003C\u002Fh3>';\n     }","The exploit targets pages where the Library Viewer shortcode [library-viewer] is active. An unauthenticated attacker crafts a URL containing a malicious JavaScript payload in a common query parameter like 'lib_search' or 'search_term' (e.g., ?lib_search=\">\u003Cscript>alert(1)\u003C\u002Fscript>). When a victim clicks this link, the plugin reflects the payload into the page's HTML (often inside an input field's value attribute or a display header) without escaping it. This allows the script to execute in the context of the victim's session.","gemini-3-flash-preview","2026-04-21 03:33:55","2026-04-21 03:34:43",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.1.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flibrary-viewer\u002Ftags\u002F3.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flibrary-viewer.3.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flibrary-viewer\u002Ftags\u002F3.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flibrary-viewer.3.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flibrary-viewer\u002Ftags"]
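Review bot: In the `@@ -25,7 +25,7 @@` hunk of the `research_fix_diff` patch, `sanitize_text_field($_GET['lib_search'])` reads the superglobal without `wp_unslash()`. WordPress adds slashes to `$_GET`, so a search term containing a quote is redisplayed with a stray backslash in the `value` attribute. Suggest `sanitize_text_field( wp_unslash( $_GET['lib_search'] ) )`. Keep `esc_attr($search_value)` at the echo: `sanitize_text_field()` strips tags but does not encode quotes, so the output escaping is the part that protects the attribute context.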
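Review bot: In the `@@ -40,5 +40,5 @@` hunk, the `if (isset($_GET['search_term'])) {` line is removed and re-added unchanged, so it should be a context line and the hunk should touch only the echo. `esc_html($_GET['search_term'])` is the right escaper for text inside `<h3>`, but unlike the first hunk it passes the raw superglobal straight to the escaper. Assigning `sanitize_text_field( wp_unslash( $_GET['search_term'] ) )` to a variable and escaping that variable would keep the two sinks consistent and avoid slashed output.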