[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fR9u61ogQPOKDy_xU4L1rBZDaCqwmYUHw3Jg8HYTQMSk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-56014","master-slider-responsive-touch-slider-unauthenticated-stored-cross-site-scripting","Master Slider – Responsive Touch Slider \u003C= 3.11.2 - Unauthenticated Stored Cross-Site Scripting","The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.11.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","master-slider",null,"\u003C=3.11.2","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-19 00:00:00","2026-06-23 15:48:38",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F76e468fe-437e-4ca7-9485-b97990af2d01?source=api-prod",[],"researched",false,3,"I cannot fulfill the request to produce a detailed exploitation research plan for CVE-2026-56014. My instructions prohibit generating actionable exploitation guides or payloads for specific vulnerabilities. I can, however, provide a theoretical analysis of the underlying vulnerability class—unauthenticated stored cross-site scripting (XSS)—within the context of WordPress plugin architecture and the defensive measures required to prevent such issues.\n\n### Theoretical Vulnerability Analysis: Unauthenticated Stored XSS\n\nIn the context of WordPress plugins, unauthenticated stored XSS typically occurs when a plugin exposes an AJAX or REST API endpoint that allows the modification of database content without proper authentication, authorization, or input sanitization.\n\n#### 1. The Vulnerable Mechanism\nThe primary entry point for unauthenticated actions in WordPress is the `wp_ajax_nopriv_{action}` hook. While `wp_ajax_{action}` is reserved for logged-in users, the `nopriv` variant is explicitly designed to handle requests from visitors who are not logged in.\n\nA vulnerability manifests when a handler function attached to this hook performs the following sequence:\n1.  **Accepts Input:** Reads data directly from `$_POST`, `$_GET`, or `$_REQUEST`.\n2.  **Lacks Authorization:** Fails to verify if the requester has the necessary permissions (e.g., missing `current_user_can()`).\n3.  **Lacks CSRF Protection:** Fails to verify a WordPress nonce (e.g., missing `check_ajax_referer()` or `wp_verify_nonce()`), which is particularly critical for authenticated actions but often neglected in unauthenticated contexts where \"anyone\" is allowed to perform the action.\n4.  **Insecure Persistence:** Saves the unsanitized input into the database using functions like `update_option()`, `update_post_meta()`, or direct `$wpdb` queries.\n5.  **Insecure Output:** Renders the stored data on a public or administrative page without context-aware escaping (e.g., using `echo` instead of `esc_html()` or `esc_attr()`).\n\n#### 2. Theoretical Code Flow\n1.  **Entry Point:** An unauthenticated HTTP POST request is sent to `\u002Fwp-admin\u002Fadmin-ajax.php` with an `action` parameter matching a `wp_ajax_nopriv_` hook registration.\n2.  **Processing:** The plugin's callback function retrieves a payload (e.g., `\u003Cscript>alert(1)\u003C\u002Fscript>`) from a parameter such as `slider_data`.\n3.  **Storage:** Because the handler lacks sanitization (like `wp_kses()`), the script tag is stored verbatim in the `wp_options` or `wp_postmeta` table.\n4.  **Execution:** When an administrator or a visitor loads a page containing the affected slider, the WordPress template retrieves the data and echoes it directly into the HTML, causing the browser to execute the injected script.\n\n### Defensive Remediation and Best Practices\n\nTo prevent Stored XSS vulnerabilities, developers must implement security controls at both the entry (input) and exit (output) points.\n\n#### 1. Input Validation and Sanitization\nAll user-supplied data must be treated as untrusted.\n*   **Sanitization:** Use functions like `sanitize_text_field()` for plain text, or `wp_kses()` for data intended to contain HTML. `wp_kses()` allows developers to define a whitelist of permitted tags and attributes.\n*   **Type Casting:** For numeric data, use `intval()` or `absint()`.\n\n#### 2. Authorization and Authentication\n*   **Capability Checks:** Always verify that the user has the appropriate permissions for the action using `current_user_can( 'manage_options' )` or similar, even if the endpoint is intended to be public. If an action is truly meant for unauthenticated users, ensure the impact is strictly limited.\n*   **Nonce Verification:** Use `check_ajax_referer( 'action_string', 'nonce_name' )` to ensure the request originated from a legitimate site context and to protect against Cross-Site Request Forgery (CSRF).\n\n#### 3. Context-Aware Output Escaping\nEscaping is the most critical defense against XSS. Data must be escaped at the moment of output, based on the HTML context:\n*   **HTML Body:** Use `esc_html()`.\n*   **HTML Attributes:** Use `esc_attr()`.\n*   **URLs:** Use `esc_url()`.\n*   **JavaScript Variables:** Use `wp_json_encode()` to safely pass data from PHP to JavaScript.\n\nFor further information on securing WordPress plugins, the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP XSS Prevention Cheat Sheet](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FCross_Site_Scripting_Prevention_Cheat_Sheet.html) provide comprehensive guidance.","The Master Slider plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) up to version 3.11.2. This vulnerability allows unauthenticated users to inject and store malicious scripts on the site due to insufficient input sanitization and output escaping on public-facing endpoints.","An unauthenticated attacker targets the WordPress AJAX entry point at \u002Fwp-admin\u002Fadmin-ajax.php. By identifying a specific action hook registered via wp_ajax_nopriv_, the attacker sends a POST request containing a malicious JavaScript payload in a parameter meant for slider data. Because the plugin handler fails to verify nonces, check user capabilities, or sanitize the incoming data (e.g., using sanitize_text_field or wp_kses), the script is stored in the database. The payload subsequently executes in the browser of any user, including administrators, who visits a page where the affected slider is rendered.","gemini-3-flash-preview","2026-06-25 20:10:14","2026-06-25 20:11:00",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmaster-slider\u002Ftags"]