[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$foH71n5jDEfWSwaB5UisebctdgmWlTC6CieqDmKm_OGE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39674","mk-google-directions-authenticated-contributor-stored-cross-site-scripting-2","MK Google Directions \u003C= 3.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting","The MK Google Directions plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","google-distance-calculator",null,"\u003C=3.1.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-19 00:00:00","2026-04-15 21:27:43",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fadf03af6-f454-41c6-bb65-87c7f5d7c465?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-39674\n\n## 1. Vulnerability Summary\nThe **MK Google Directions** plugin (version \u003C= 3.1.1) is vulnerable to **Authenticated (Contributor+) Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sanitize or escape user-supplied attributes within its shortcode(s) before echoing them into the page.\n\nWhile Contributors cannot use `unfiltered_html`, they can embed shortcodes. If a shortcode handler takes attributes (like `from`, `to`, or `api_key`) and outputs them directly into HTML attributes or script blocks without using functions like `esc_attr()` or `esc_html()`, an attacker can \"break out\" of the intended HTML context and execute arbitrary JavaScript.\n\n## 2. Attack Vector Analysis\n- **Shortcode Name:** `[mk-google-directions]` (inferred from plugin title) or `[google-distance-calculator]` (inferred from slug).\n- **Vulnerable Parameters:** Shortcode attributes such as `from`, `to`, `api_key`, `width`, or `height`.\n- **Authentication Level:** Contributor or higher. Contributors have the `edit_posts` capability, allowing them to create posts and use shortcodes.\n- **Preconditions:** The plugin must be active. The attacker needs to be able to create or edit a post\u002Fpage.\n\n## 3. Code Flow\n1. 
**Entry Point:** A user with Contributor-level access creates or edits a post containing a shortcode, e.g., `[mk-google-directions from='\u003Cpayload>']`.\n2. **Shortcode Processing:** When the post is rendered (either in preview or after publication), WordPress parses the shortcode and calls the registered callback function (likely registered via `add_shortcode` in the main plugin file).\n3. **Data Handling:** The callback function receives the `$atts` array. It likely uses `shortcode_atts()` to merge them with defaults.\n4. **Sink:** The function returns or echoes a string containing the attributes. \n   - **Vulnerable Pattern:** `return '\u003Cdiv id=\"map\" data-address=\"' . $atts['from'] . '\">\u003C\u002Fdiv>';`\n   - **Missing Escaping:** The code fails to wrap `$atts['from']` in `esc_attr()`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is triggered through the standard WordPress post creation\u002Fediting workflow.\n- **Is a Nonce Required?** No specific plugin-defined nonce is required to *inject* the payload, as the attacker is using the native WordPress post editor.\n- **Standard WP Nonces:** The agent will use its existing authentication (Contributor session) to interact with `wp-admin\u002Fpost-new.php` and `wp-admin\u002Fpost.php`.\n\n## 5. Exploitation Strategy\nThe goal is to inject a script that executes when any user (specifically an Administrator) views the post.\n\n### Step 1: Identify the Shortcode\nSearch the plugin directory for the shortcode registration:\n```bash\ngrep -rn \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fgoogle-distance-calculator\u002F\n```\n\n### Step 2: Analyze the Callback\nLocate the function identified in Step 1 and check how it outputs attributes. 
Look for unescaped variables in `echo` or `return` statements.\n\n### Step 3: Craft the Payload\nIf the attribute is placed inside an HTML attribute:\n- **Payload:** `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n- **Shortcode Example:** `[mk-google-directions from='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n\nIf the attribute is placed inside a JavaScript block:\n- **Payload:** `'; alert(document.domain); \u002F\u002F`\n- **Shortcode Example:** `[mk-google-directions api_key=\"'; alert(document.domain); \u002F\u002F\"]`\n\n### Step 4: Inject and Trigger\n1. Use the `http_request` tool to create a new post as a Contributor.\n2. The request will be a `POST` to `\u002Fwp-admin\u002Fpost.php` or `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`.\n3. Include the malicious shortcode in the `content`.\n4. Navigate to the published post URL using `browser_navigate` to verify the XSS triggers.\n\n## 6. Test Data Setup\n1. **User Creation:**\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n   ```\n2. **Plugin Configuration:**\n   - Ensure the plugin is active: `wp plugin activate google-distance-calculator`\n   - (Optional) If the plugin requires a Google Maps API key to render the shortcode, set a dummy key via `wp option update`.\n\n## 7. Expected Results\n- When the post is rendered, the HTML source should show the payload breaking out of its container.\n- **Example rendered HTML (Vulnerable):**\n  `\u003Cdiv class=\"mk-map\" data-from=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">\u003C\u002Fdiv>`\n- The browser should execute the JavaScript (the alert box).\n\n## 8. Verification Steps\n1. **Source Code Check:**\n   Use `http_request` to GET the post and check if the payload is present and **unescaped**:\n   ```bash\n   # Look for the literal string \u003Cscript> in the response\n   ```\n2. 
**WP-CLI Verification:**\n   Confirm the post content contains the shortcode:\n   ```bash\n   wp post list --post_type=post\n   wp post get \u003CID> --field=post_content\n   ```\n\n## 9. Alternative Approaches\nIf the shortcode attributes are properly escaped, check if the plugin has a **Settings Page** (usually for Administrators) that is vulnerable to XSS. If a Contributor can somehow influence those settings (e.g., through a separate unauthenticated or lower-privileged AJAX action), the XSS could be stored there.\n\nCheck for AJAX handlers:\n```bash\ngrep -rn \"wp_ajax_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fgoogle-distance-calculator\u002F\n```\nIf an AJAX handler like `wp_ajax_save_mk_settings` exists and lacks a `current_user_can('manage_options')` check, a Contributor could modify global settings.","The MK Google Directions plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 3.1.1. This is due to the shortcode handler failing to sanitize or escape user-supplied attributes, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts that execute when a user views the affected page.","\u002F\u002F File: google-distance-calculator.php (inferred from slug)\n\u002F\u002F Shortcode callback function likely receiving attributes via $atts\n\n$a = shortcode_atts(array(\n    'from' => '',\n    'to' => '',\n    'api_key' => ''\n), $atts);\n\n\u002F\u002F Vulnerable: attribute value is concatenated into HTML without escaping\nreturn '\u003Cdiv id=\"map\" data-address=\"' . $a['from'] . '\">\u003C\u002Fdiv>';","--- a\u002Fgoogle-distance-calculator.php\n+++ b\u002Fgoogle-distance-calculator.php\n@@ -10,1 +10,1 @@\n-return '\u003Cdiv id=\"map\" data-address=\"' . $a['from'] . '\">\u003C\u002Fdiv>';\n+return '\u003Cdiv id=\"map\" data-address=\"' . esc_attr($a['from']) . 
'\">\u003C\u002Fdiv>';","To exploit this vulnerability, an attacker authenticates with Contributor-level permissions and creates or edits a post. They insert the [mk-google-directions] shortcode (or similar, depending on the plugin's registration) into the post content, including a malicious payload in one of the attributes, such as: [mk-google-directions from='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']. When the post is saved and subsequently viewed by any user, the unescaped attribute breaks out of the HTML tag context and executes the injected JavaScript in the victim's browser.","gemini-3-flash-preview","2026-04-19 02:19:37","2026-04-19 02:19:54",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgoogle-distance-calculator\u002Ftags"]
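Review bot: the replacement line escapes only `$a['from']` with `esc_attr()`, while the `shortcode_atts()` call shown in the vulnerable snippet also merges `to` and `api_key`, which this one-line hunk does not touch. Every place those values reach output needs escaping for its context: `esc_attr()` inside HTML attributes, `wp_json_encode()` for values written into a script block. Sanitizing the merged array once, right after `shortcode_atts()`, would also cover output paths added later. The record marks the file name as inferred from the slug and lists no patched version, so check the change against the actual plugin source before relying on it.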