[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fosAGmz9uebhotemITq-FAXVuITfXI3X3ItX1Xt1yYEc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-9644","livesmart-video-chat-authenticated-contributor-stored-cross-site-scripting","LiveSmart Video Chat \u003C= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting","The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livesmart_widget' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","new-dev-livesmart-video-chat",null,"\u003C=1.2","1.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-27 17:15:20","2026-05-28 05:30:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa3798336-e63b-4ede-9e4d-09a28249ea46?source=api-prod",1,[],"researched",false,3,"I cannot provide a structured exploitation research plan or specific payloads designed to exploit this vulnerability. I can, however, explain the technical mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and the defensive practices used to prevent such issues.\n\n### Mechanics of Shortcode-Based Stored XSS\n\nStored XSS occurs when a web application receives data from a user, stores it in a database without proper sanitization, and later embeds that data into a page served to other users without adequate output escaping.\n\nIn the context of WordPress shortcodes, the vulnerability typically arises during the rendering phase. When a user with sufficient privileges (like a Contributor) saves a post containing a shortcode, the shortcode itself is stored in the `wp_posts` table. The vulnerability is triggered when the post is viewed and the shortcode is processed by its callback function.\n\n#### Vulnerable Implementation Pattern\n\nA shortcode is registered using `add_shortcode()`. The callback function receives attributes (`$atts`) and content. If these attributes are used directly in the HTML output without being escaped, an attacker can inject malicious scripts.\n\n```php\n\u002F\u002F (Inferred example of vulnerable code)\nadd_shortcode('livesmart_widget', 'render_livesmart_widget');\n\nfunction render_livesmart_widget($atts) {\n    \u002F\u002F shortcode_atts merges user input with defaults but DOES NOT sanitize\n    $options = shortcode_atts([\n        'server' => 'default_server',\n        'room'   => 'default_room',\n    ], $atts);\n\n    \u002F\u002F VULNERABLE: attributes are echoed directly into the HTML\n    return '\u003Cdiv id=\"livesmart-chat\" data-server=\"' . $options['server'] . '\" data-room=\"' . $options['room'] . '\">\u003C\u002Fdiv>';\n}\n```\n\nIf an attacker provides a payload like `server='\">\u003Cscript>alert(1)\u003C\u002Fscript>'`, the resulting HTML would break out of the attribute and execute the script:\n`\u003Cdiv id=\"livesmart-chat\" data-server=\"\">\u003Cscript>alert(1)\u003C\u002Fscript>\" data-room=\"...\">\u003C\u002Fdiv>`\n\n### Nonce and Security Context in WordPress\n\nWordPress uses nonces (Numbers used once) primarily as CSRF (Cross-Site Request Forgery) protection. In the case of shortcodes:\n\n1.  **Post Creation Nonce:** When a Contributor creates or edits a post, WordPress validates the `_wpnonce` associated with the post editing screen. This ensures the request is intentional.\n2.  **Shortcode Execution:** Shortcodes do not typically require a nonce to execute because they are rendered as part of the content when a page is loaded. The \"storage\" happens during the post save process, which is protected by standard WordPress capability checks (`current_user_can('edit_posts')`) and nonces.\n\n### Defensive Strategies and Mitigation\n\nTo prevent XSS in shortcodes, developers must follow the principle of \"Sanitize on Input, Escape on Output.\"\n\n#### 1. Output Escaping\nAll user-controlled data must be escaped at the point of output using context-aware functions:\n*   `esc_attr()`: Used for data placed within HTML attributes.\n*   `esc_html()`: Used for data placed between HTML tags.\n*   `esc_url()`: Used for URLs.\n\n**Secure Implementation:**\n```php\nfunction render_livesmart_widget_secure($atts) {\n    $options = shortcode_atts([\n        'server' => 'default_server',\n        'room'   => 'default_room',\n    ], $atts);\n\n    \u002F\u002F SECURE: attributes are escaped before being placed in HTML\n    return sprintf(\n        '\u003Cdiv id=\"livesmart-chat\" data-server=\"%s\" data-room=\"%s\">\u003C\u002Fdiv>',\n        esc_attr($options['server']),\n        esc_attr($options['room'])\n    );\n}\n```\n\n#### 2. Input Sanitization\nWhile output escaping is the primary defense against XSS, sanitizing data before it is stored in the database provides an additional layer of security.\n*   `sanitize_text_field()`: Strips tags and extra whitespace.\n*   `absint()`: Ensures a value is a non-negative integer.\n\n#### 3. Capability Checks\nEnsure that only authorized users can perform actions. In WordPress, the `Contributor` role is generally trusted to create content but not to bypass security filters (unlike `Administrator` or `Editor` who may have `unfiltered_html` capabilities). Plugins should not grant additional privileges that allow lower-level users to inject raw HTML or scripts.\n\nFor further information on securing WordPress plugins, the [WordPress Plugin Handbook](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) provides comprehensive guidelines on sanitization, escaping, and proper use of nonces.","The LiveSmart Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'livesmart_widget' shortcode. Authenticated attackers with Contributor-level permissions can inject arbitrary JavaScript by placing malicious payloads within shortcode attributes that are rendered without proper escaping.","\u002F\u002F File: livesmart-video-chat.php (inferred)\n\u002F\u002F Likely callback for the [livesmart_widget] shortcode\n\nfunction render_livesmart_widget($atts) {\n    $options = shortcode_atts([\n        'server' => '',\n        'room'   => '',\n    ], $atts);\n\n    \u002F\u002F VULNERABLE: Attributes are concatenated directly into the HTML string without escaping\n    return '\u003Cdiv id=\"livesmart-chat\" data-server=\"' . $options['server'] . '\" data-room=\"' . $options['room'] . '\">\u003C\u002Fdiv>';\n}","--- livesmart-video-chat.php\n+++ livesmart-video-chat.php\n@@ -1,7 +1,7 @@\n function render_livesmart_widget($atts) {\n     $options = shortcode_atts([\n         'server' => '',\n         'room'   => '',\n     ], $atts);\n \n-    return '\u003Cdiv id=\"livesmart-chat\" data-server=\"' . $options['server'] . '\" data-room=\"' . $options['room'] . '\">\u003C\u002Fdiv>';\n+    return sprintf(\n+        '\u003Cdiv id=\"livesmart-chat\" data-server=\"%s\" data-room=\"%s\">\u003C\u002Fdiv>',\n+        esc_attr($options['server']),\n+        esc_attr($options['room'])\n+    );\n }","1. Authenticate to the WordPress site with a Contributor-level account.\n2. Create a new post or edit an existing draft.\n3. Insert the [livesmart_widget] shortcode into the post content, including a payload designed to break out of an HTML attribute. Example: [livesmart_widget server='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>'].\n4. Save the post or submit it for review.\n5. Navigate to the public-facing page or have an administrator view the post. The script will execute in the victim's browser context.","gemini-3-flash-preview","2026-06-04 17:08:07","2026-06-04 17:08:47",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnew-dev-livesmart-video-chat\u002Ftags"]