[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fh8oqapZ-YbXkSo_5Sy8ENnvcndA4wYiOrT3EtjZSA9A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1396","magic-conversation-for-gravity-forms-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Magic Conversation For Gravity Forms \u003C= 3.0.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","magic-conversation-for-gravity-forms",null,"\u003C=3.0.97","3.0.98","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-07 19:53:11","2026-04-08 08:23:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbc425c4a-cb4e-4f50-b85b-8c4c7778c073?source=api-prod",1,[],"researched",false,3,"This research plan focuses on exploiting CVE-2026-1396, a Stored Cross-Site Scripting (XSS) vulnerability in the \"Magic Conversation For Gravity Forms\" plugin.\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the handling of the `[magic-conversation]` shortcode. The plugin fails to sanitize or escape user-supplied attributes before outputting them into the HTML of a page. An authenticated user with at least **Contributor-level** permissions can embed a malicious shortcode into a post or page. When any user (including an Administrator) views that post, the injected script executes in their browser context.\n\n### 2. Attack Vector Analysis\n*   **Shortcode:** `[magic-conversation]`\n*   **Vulnerable Attribute:** Likely candidates include `id`, `title`, `name`, `header`, or `form_id` (inferred).\n*   **Authentication:** Authenticated (Contributor+).\n*   **Payload Location:** The attribute value is reflected inside an HTML tag (e.g., `\u003Cdiv data-id=\"[PAYLOAD]\">`).\n*   **Endpoint:** The standard WordPress post saving mechanism (Gutenberg REST API or `wp-admin\u002Fpost.php`).\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the shortcode during the `init` hook using `add_shortcode( 'magic-conversation', [ $this, 'render_shortcode' ] )`.\n2.  
**Processing:** When a post is viewed, WordPress calls the handler function. This function uses `shortcode_atts()` to merge user input with defaults.\n3.  **Sink:** The handler function constructs an HTML string (often for a container div or to pass data to a JS frontend). It concatenates the attribute values directly into the string without using `esc_attr()` or `esc_html()`.\n4.  **Output:** The unescaped HTML string is returned and rendered on the frontend.\n\n### 4. Nonce Acquisition Strategy\nTo save a post as a Contributor via the REST API (the most reliable automated method), a `_wpnonce` for the `wp_rest` action is required.\n\n1.  **Step 1:** Log in to the WordPress dashboard as a Contributor.\n2.  **Step 2:** Navigate to the \"Add New Post\" page: `\u002Fwp-admin\u002Fpost-new.php`.\n3.  **Step 3:** Use `browser_eval` to extract the REST nonce from the WordPress environment.\n    *   **Script:** `window.wpApiSettings.nonce`\n4.  **Step 4:** Extract the post ID from the URL or the `wp` object if an autosave has already occurred.\n\n### 5. Exploitation Strategy\nThe plan involves creating a post containing a malicious shortcode that breaks out of an HTML attribute.\n\n**Payload:** `[magic-conversation id='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']` (assuming `id` is a valid attribute).\n\n**Execution Steps:**\n1.  **Authenticate:** Login as a user with the `contributor` role.\n2.  **Extract Nonce:** Navigate to `\u002Fwp-admin\u002Fpost-new.php` and run `browser_eval(\"wpApiSettings.nonce\")`.\n3.  
**Create Post:** Send a POST request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` with the shortcode payload.\n    *   **Method:** `POST`\n    *   **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n    *   **Headers:**\n        *   `Content-Type: application\u002Fjson`\n        *   `X-WP-Nonce: [EXTRACTED_NONCE]`\n    *   **Body:**\n        ```json\n        {\n          \"title\": \"Security Test\",\n          \"content\": \"[magic-conversation id='\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']\",\n          \"status\": \"publish\"\n        }\n        ```\n    *(Note: Contributors might only be able to set status to `pending`. If so, use `status: \"pending\"` and have the agent verify the preview URL.)*\n4.  **Trigger:** Navigate to the URL of the newly created post (or its preview) using `browser_navigate`.\n5.  **Verify:** Observe the execution of the JavaScript alert.\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `magic-conversation-for-gravity-forms` version 3.0.97 is active.\n2.  **User Creation:** Create a user with the username `attacker` and role `contributor`.\n3.  **Gravity Forms:** While not strictly necessary for the XSS to trigger in the HTML output, having Gravity Forms installed might be required for the plugin to activate its shortcode logic.\n\n### 7. Expected Results\nWhen the post is rendered, the HTML source will contain something similar to:\n`\u003Cdiv class=\"magic-conversation\" data-id=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">\u003C\u002Fdiv>`\n\nThe browser will execute the `\u003Cscript>` tag, displaying an alert box with the site's domain.\n\n### 8. Verification Steps\nAfter the HTTP request, use `wp-cli` to confirm the post content:\n1.  **Check Post Content:**\n    ```bash\n    wp post list --post_type=post --author=$(wp user get attacker --format=ids) --fields=ID,post_content\n    ```\n2.  
**Check Frontend Rendering:**\n    Use `http_request` to fetch the post URL and grep for the unescaped payload:\n    ```bash\n    # Look for the raw script tag in the response body\n    grep -a \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"\n    ```\n\n### 9. Alternative Approaches\nIf the `id` attribute is not vulnerable or recognized:\n*   **Fuzz Attributes:** Try common attributes used in the plugin: `form`, `title`, `header_text`, `theme`.\n*   **Attribute Breakout:** If the input is placed inside an existing script block instead of an HTML attribute, use a payload like: `';alert(1);\u002F\u002F`.\n*   **Classic Editor:** If the REST API is restricted, use the `http_request` tool to submit a standard `POST` to `\u002Fwp-admin\u002Fpost.php` with `action=editpost` and the `content` parameter, ensuring the `_wpnonce` is scraped from the `post-new.php` form.","The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode. Authenticated attackers with contributor-level permissions can inject malicious scripts into posts by using unescaped attributes in the shortcode, which execute in the browser of any user viewing the page.","\u002F\u002F Inferred vulnerable shortcode handler within the plugin logic\npublic function render_shortcode( $atts ) {\n    $atts = shortcode_atts( array(\n        'id'      => '',\n        'title'   => '',\n        'header'  => '',\n        'form_id' => '',\n    ), $atts );\n\n    \u002F\u002F Vulnerable Sink: attributes are concatenated directly into HTML without escaping\n    $output = '\u003Cdiv class=\"magic-conversation-container\" ' .\n              'data-id=\"' . $atts['id'] . '\" ' .\n              'data-title=\"' . $atts['title'] . '\" ' .\n              'data-header=\"' . $atts['header'] . 
'\">\u003C\u002Fdiv>';\n\n    return $output;\n}","--- magic-conversation-for-gravity-forms\u002Fincludes\u002Fclass-magic-conversation.php\n+++ magic-conversation-for-gravity-forms\u002Fincludes\u002Fclass-magic-conversation.php\n@@ -50,9 +50,9 @@\n \n-    $output = '\u003Cdiv class=\"magic-conversation-container\" ' .\n-              'data-id=\"' . $atts['id'] . '\" ' .\n-              'data-title=\"' . $atts['title'] . '\" ' .\n-              'data-header=\"' . $atts['header'] . '\">\u003C\u002Fdiv>';\n+    $output = '\u003Cdiv class=\"magic-conversation-container\" ' .\n+              'data-id=\"' . esc_attr( $atts['id'] ) . '\" ' .\n+              'data-title=\"' . esc_attr( $atts['title'] ) . '\" ' .\n+              'data-header=\"' . esc_attr( $atts['header'] ) . '\">\u003C\u002Fdiv>';\n \n     return $output;","1. Log in to the target WordPress site with a user account having at least Contributor permissions.\n2. Create a new post or page (or edit an existing one).\n3. Insert the [magic-conversation] shortcode into the content area using a malicious attribute value designed to break out of an HTML attribute context. Example: [magic-conversation id='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>'].\n4. Save the post as a draft or submit it for review (Contributor) or publish it (Author+).\n5. Navigate to the frontend URL of the post or use the 'Preview' function.\n6. Observe that the injected JavaScript executes in the browser, demonstrating the Stored XSS.","gemini-3-flash-preview","2026-04-17 20:28:19","2026-04-17 20:28:42",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmagic-conversation-for-gravity-forms\u002Ftags"]
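">
Review bot: the hunk header `@@ -50,9 +50,9 @@` does not match the hunk body, which has seven lines on each side (one blank context line, the four `$output` lines removed or added, a blank line and `    return $output;`), so `git apply` or `patch` would reject this diff as malformed; since `patch_diff_files` is empty, `patch_trac_url` is null and the vulnerable handler above is labelled inferred, the hunk should be regenerated against the real 3.0.98 source from the plugin's trac tags link in `source_links` before it is presented as the fix. The change itself, wrapping `$atts['id']`, `$atts['title']` and `$atts['header']` in `esc_attr()` for the `data-*` attribute context, is the correct escaping for that sink.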