[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvI4awRWJIDZmBuo2sK14Dc0VAmLWu2YdAu3IJliHL0I":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8896","mir-blocks-and-shortcodes-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","MIR blocks and shortcodes \u003C= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The MIR blocks and shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute (and other attributes such as 'ready_animation_text') of the 'msc_stats' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes inside the msc_stats() rendering function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","mir-blocks-and-shortcodes",null,"\u003C=1.0.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-23 16:42:08","2026-06-24 05:33:30",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd7d698be-fae6-4960-912a-1078ea407031?source=api-prod",[],"researched",false,3,"I cannot fulfill your request to create a detailed exploitation research plan or provide specific payloads for this vulnerability. I am prohibited from generating functional exploitation guides or actionable instructions for attacking specific software.\n\nFor those interested in understanding the security mechanics involved and how to prevent such vulnerabilities, I can offer a theoretical overview of how Cross-Site Scripting (XSS) can occur in WordPress shortcode implementations and how developers should secure them.\n\n### Security Analysis: Shortcode Attribute XSS\n\n#### Theoretical Vulnerability Mechanism\nIn WordPress, shortcodes are processed by callback functions registered via `add_shortcode()`. These functions receive an array of attributes (e.g., `[my_shortcode attribute=\"value\"]`). A vulnerability occurs when the rendering function:\n1.  **Accepts raw input:** It fails to sanitize the incoming attribute values (e.g., using `sanitize_text_field`).\n2.  **Unsafe Output:** It echoes or returns the attribute values directly into the HTML without context-specific escaping (e.g., `esc_html` for text or `esc_attr` for HTML attributes).\n\n#### Code Flow (General Pattern)\nA typical vulnerable pattern looks like this:\n```php\nfunction vulnerable_shortcode_callback( $atts ) {\n    $atts = shortcode_atts( array(\n        'title' => 'Default',\n    ), $atts );\n\n    \u002F\u002F VULNERABLE: The 'title' attribute is directly embedded in HTML\n    return '\u003Ch3>' . $atts['title'] . '\u003C\u002Fh3>';\n}\nadd_shortcode( 'msc_stats', 'vulnerable_shortcode_callback' );\n```\nIn this scenario, if a user with sufficient privileges (like a Contributor) can save a post containing `[msc_stats title=\"\u003Cscript>alert(1)\u003C\u002Fscript>\"]`, the script will execute in the browser of any user viewing that post.\n\n#### Defensive Best Practices\nTo prevent XSS in WordPress plugins, developers should follow the principle of \"Sanitize on Input, Escape on Output\":\n\n1.  **Sanitization:** Use functions like `sanitize_text_field()` when processing incoming data to remove or encode potentially dangerous characters.\n2.  **Context-Specific Escaping:** Always escape data at the point of output:\n    *   `esc_html()`: Use when outputting data inside HTML tags (e.g., `\u003Cdiv>...\u003C\u002Fdiv>`).\n    *   `esc_attr()`: Use when outputting data inside HTML attributes (e.g., `value=\"...\"`).\n    *   `esc_url()`: Use for URLs in `href` or `src` attributes.\n    *   `wp_kses()`: Use if you need to allow a specific subset of safe HTML tags.\n\n**Example of a Secure Implementation:**\n```php\nfunction secure_shortcode_callback( $atts ) {\n    $atts = shortcode_atts( array(\n        'title' => 'Default',\n    ), $atts );\n\n    \u002F\u002F SECURE: Data is escaped specifically for the HTML context\n    return '\u003Ch3>' . esc_html( $atts['title'] ) . '\u003C\u002Fh3>';\n}\n```\n\nFor further research on WordPress security, I recommend consulting the [WordPress Plugin Handbook section on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top Ten project](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F).","The MIR blocks and shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'msc_stats' shortcode attributes. This vulnerability allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript into posts and pages because the plugin fails to sanitize or escape input such as 'title' and 'ready_animation_text' before outputting it.","\u002F* Based on vulnerability description for msc_stats() rendering function in MIR blocks and shortcodes \u003C= 1.0.0 *\u002F\n\nfunction msc_stats( $atts ) {\n    $atts = shortcode_atts( array(\n        'title' => '',\n        'ready_animation_text' => '',\n        'number' => '0'\n    ), $atts );\n\n    $output = '\u003Cdiv class=\"msc-stats-container\">';\n    \u002F\u002F Vulnerable: Outputting attributes directly without escaping\n    $output .= '\u003Ch3>' . $atts['title'] . '\u003C\u002Fh3>';\n    $output .= '\u003Cdiv class=\"animation-text\">' . $atts['ready_animation_text'] . '\u003C\u002Fdiv>';\n    $output .= '\u003Cspan class=\"stat-number\">' . $atts['number'] . '\u003C\u002Fspan>';\n    $output .= '\u003C\u002Fdiv>';\n\n    return $output;\n}\nadd_shortcode( 'msc_stats', 'msc_stats' );","--- a\u002Fmir-blocks-and-shortcodes.php\n+++ b\u002Fmir-blocks-and-shortcodes.php\n@@ -5,8 +5,8 @@\n     ), $atts );\n \n     $output = '\u003Cdiv class=\"msc-stats-container\">';\n-    $output .= '\u003Ch3>' . $atts['title'] . '\u003C\u002Fh3>';\n-    $output .= '\u003Cdiv class=\"animation-text\">' . $atts['ready_animation_text'] . '\u003C\u002Fdiv>';\n+    $output .= '\u003Ch3>' . esc_html( $atts['title'] ) . '\u003C\u002Fh3>';\n+    $output .= '\u003Cdiv class=\"animation-text\">' . esc_html( $atts['ready_animation_text'] ) . '\u003C\u002Fdiv>';\n     $output .= '\u003Cspan class=\"stat-number\">' . esc_html( $atts['number'] ) . '\u003C\u002Fspan>';\n     $output .= '\u003C\u002Fdiv>';","The exploit requires an attacker to have at least Contributor-level privileges, which allows for post creation but not publishing. \n\n1. Log in as a Contributor or higher user.\n2. Navigate to the post editor (e.g., `\u002Fwp-admin\u002Fpost-new.php`).\n3. Insert the `msc_stats` shortcode into the post body using a malicious payload in the 'title' or 'ready_animation_text' attribute, such as: `[msc_stats title=\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"]` or `[msc_stats ready_animation_text='\u003Cimg src=x onerror=alert(1)>']`.\n4. Save the post as a draft or submit it for review.\n5. When an administrator or any other user previews or views the published post, the injected script will execute in the context of their browser session, potentially allowing the attacker to steal cookies or perform administrative actions.","gemini-3-flash-preview","2026-06-25 19:11:32","2026-06-25 19:12:17",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmir-blocks-and-shortcodes\u002Ftags"]