[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2iYTmg2qJkRpzlvwLG9SDmQ5RoQJX3pEdv-FM2E0opk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8624","lj-comments-import-reloaded-reflected-cross-site-scripting-via-phpself-parameter","LJ comments import: reloaded \u003C= 0.97.1 - Reflected Cross-Site Scripting via PHP_SELF Parameter","The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.97.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability arises specifically because PHP_SELF includes attacker-controllable PATH_INFO appended to the script name, and there are two distinct unsanitized echo points for this value in the same function.","lj-comments-import-reloaded",null,"\u003C=0.97.1","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-19 12:08:00","2026-05-20 01:25:46",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0f09cb59-dbbb-48a3-aeac-377f6ec87b88?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8624\n\n## 1. Vulnerability Summary\n**CVE-2026-8624** is a Reflected Cross-Site Scripting (XSS) vulnerability in the **LJ comments import: reloaded** plugin (\u003C= 0.97.1) for WordPress. The vulnerability stems from the improper use of the `PHP_SELF` superglobal within an admin page callback.\n\nIn PHP, `$_SERVER['PHP_SELF']` contains the path of the current script. However, most web server configurations (including standard Apache\u002FPHP setups used by WordPress) allow appending additional path information (`PATH_INFO`) to the script name. If a plugin echoes `PHP_SELF` without sanitization (e.g., `esc_url()` or `esc_attr()`), an attacker can append a malicious script payload to the URL, which is then reflected into the HTML output. The description indicates there are **two distinct unsanitized echo points** in the same function, likely within a form's `action` attribute.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoint**: Any WordPress admin page where the plugin's import form is rendered. This is typically found under `Tools` > `LJ Import`.\n- **Vulnerable Parameter**: The URL path itself (`PATH_INFO`), which is captured by `PHP_SELF`.\n- **Authentication Level**: **Unauthenticated (to craft the link)**, but **High Privilege (Admin)** for the victim. The attacker must trick a logged-in administrator into clicking a crafted URL.\n- **Preconditions**: The plugin must be active.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point**: The plugin registers an admin page, likely via `add_management_page()` (for the Tools menu).\n   - *Hook*: `admin_menu`\n   - *Function*: `add_management_page('LJ Import', ..., 'lj_import_page_callback')` (inferred).\n2. **Execution**: When an administrator visits the \"LJ Import\" page, the callback function (e.g., `lj_import_page_callback`) is executed.\n3. **Sink**: Inside this function, a form is rendered to handle the import process. The code likely contains:\n   ```php\n   \u003Cform method=\"post\" action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=lj-comments-import-reloaded\">\n   ```\n4. **Vulnerability**: Because `$_SERVER['PHP_SELF']` is echoed without `esc_url()`, the attacker can control the output by modifying the URL path.\n\n## 4. Nonce Acquisition Strategy\nReflected XSS in a page's initial rendering (the `GET` request to view the form) typically does **not** require a nonce, as the vulnerability exists in the generation of the page itself, not in the processing of a sensitive action.\n\nHowever, to identify the exact URL slug for the exploitation:\n1. **Identify the Slug**: The plugin slug is `lj-comments-import-reloaded`.\n2. **Determine the Parent Page**: Import tools are usually subpages of `tools.php`.\n3. **Browser Verification**:\n   - The execution agent should navigate to the WordPress dashboard as an admin.\n   - Use `browser_navigate` to `http:\u002F\u002F[target]\u002Fwp-admin\u002Ftools.php?page=lj-comments-import-reloaded`.\n   - If this page exists, the base URL for reflection is identified.\n\n## 5. Exploitation Strategy\nThe goal is to break out of the HTML attribute (likely `action`) and the tag to inject a script.\n\n### Step 1: Craft the Payload\nIf the code is `\u003Cform action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>...\">`, the URL path needs to break the `action` attribute.\n- **Breakout Payload**: `\u002F\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n- **Encoded Payload**: `\u002F%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E`\n\n### Step 2: Construct the Request\nThe request is a standard `GET` request to the admin page with the payload appended to the script path.\n\n- **URL**: `http:\u002F\u002Flocalhost:8888\u002Fwp-admin\u002Ftools.php\u002F%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E?page=lj-comments-import-reloaded`\n- **Method**: `GET`\n- **Tool**: `http_request` (Playwright)\n\n### Step 3: Execution Plan\n1. Use `browser_navigate` to log in as an administrator.\n2. Use `http_request` to send the crafted `GET` request while maintaining the admin session cookies.\n3. Analyze the response body to confirm that the `\u003Cscript>` tag is rendered verbatim and not escaped as `&lt;script&gt;`.\n\n## 6. Test Data Setup\n1. **Plugin Installation**: Ensure `lj-comments-import-reloaded` version 0.97.1 is installed and activated.\n2. **Admin User**: Create a standard administrator user for the \"victim\" session.\n3. **No Special Content Needed**: Since this is reflected XSS in the admin UI, no specific posts or comments are required to trigger the vulnerability.\n\n## 7. Expected Results\n- **Response Code**: `200 OK`\n- **Response Body**: The HTML source should contain:\n  ```html\n  \u003Cform method=\"post\" action=\"\u002Fwp-admin\u002Ftools.php\u002F\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>?page=lj-comments-import-reloaded\">\n  ```\n- **Confirmation**: The presence of the unescaped `alert(document.domain)` script inside the form tag confirms the vulnerability.\n\n## 8. Verification Steps\n1. **Verify Reflection**: Search the `http_request` response for the string `\u003Cscript>alert`.\n2. **Verify Context**: Confirm the reflection occurs within a `\u003Cform>` or `\u003Ca>` tag, proving it broke out of the intended attribute context.\n3. **Manual Confirmation**: If using a browser-based agent, `browser_eval(\"window.confirm('XSS Triggered')\")` could be used to see if the alert fires in the context of the admin page.\n\n## 9. Alternative Approaches\nIf the payload doesn't trigger, it may be because of specific quote handling in the target environment:\n- **Single Quote Breakout**: `\u002F'>\u003Cscript>alert(1)\u003C\u002Fscript>`\n- **Event Handler Injection**: If the breakout is blocked, try injecting an attribute: `\u002F%22%20onmouseover=%22alert(1)%22%20style=%22display:block;width:100%;height:100%;position:fixed;top:0;left:0;%22`\n- **Double Echo Check**: The description mentions \"two distinct unsanitized echo points.\" If the first reflection is in a less dangerous context (like a comment or hidden field), search the entire DOM for the second reflection point.","The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) due to the use of the unsanitized $_SERVER['PHP_SELF'] superglobal. An attacker can append malicious script payloads to the URL path (PATH_INFO), which are then reflected into the HTML of the plugin's administration page, allowing for arbitrary script execution in the context of a logged-in administrator's browser.","\u002F\u002F In the function rendering the LJ Import admin page (likely in lj-comments-import-reloaded.php)\n\n\u003Cform method=\"post\" action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=lj-comments-import-reloaded\">\n\n---\n\n\u002F\u002F Second occurrence in the same function context\n\n\u003Cinput type=\"hidden\" name=\"redirect_url\" value=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>\" \u002F>","--- lj-comments-import-reloaded.php\n+++ lj-comments-import-reloaded.php\n@@ -102,7 +102,7 @@\n-    \u003Cform method=\"post\" action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=lj-comments-import-reloaded\">\n+    \u003Cform method=\"post\" action=\"\u003C?php echo esc_url($_SERVER['PHP_SELF']); ?>?page=lj-comments-import-reloaded\">\n@@ -150,7 +150,7 @@\n-    \u003Cinput type=\"hidden\" name=\"redirect_url\" value=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>\" \u002F>\n+    \u003Cinput type=\"hidden\" name=\"redirect_url\" value=\"\u003C?php echo esc_url($_SERVER['PHP_SELF']); ?>\" \u002F>","To exploit this vulnerability, an attacker needs to craft a malicious URL and trick a logged-in administrator into visiting it. \n\n1. Identify the plugin's admin page endpoint, typically `wp-admin\u002Ftools.php?page=lj-comments-import-reloaded`.\n2. Construct a payload that breaks out of an HTML attribute (like action=\"\") by appending a script tag to the script name in the URL. For example: `wp-admin\u002Ftools.php\u002F%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E?page=lj-comments-import-reloaded`.\n3. The server interprets the portion after `tools.php\u002F` as `PATH_INFO`, which is included in the `$_SERVER['PHP_SELF']` variable.\n4. When the admin page renders the form, the unsanitized `PHP_SELF` reflects the `\u003Cscript>` tag directly into the DOM, executing the payload in the administrator's session.","gemini-3-flash-preview","2026-05-20 16:51:53","2026-05-20 16:52:33",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flj-comments-import-reloaded\u002Ftags"]