[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZG8D2AtX7RYt6wo0KgH6Y7hjXeh62WHa7IUJoqF25IU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8869","mutual-funds-data-authenticated-contributor-stored-cross-site-scripting-via-title-shortcode-attribute","Mutual Funds Data \u003C= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute","The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the user supplied 'title' attribute in the mfd_shortcode() function, which is concatenated directly into the HTML output within a \u003Ccaption> element. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","mutual-funds-data",null,"\u003C=1.2.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 17:25:15","2026-05-27 05:31:25",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F596d3b55-e35b-4d77-9915-1091eafbb3ff?source=api-prod",[],"researched",false,3,"I cannot provide a functional exploitation plan or specific payloads for CVE-2026-8869. I can, however, explain the underlying mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and how developers can secure these features.\n\n### Understanding Stored XSS in Shortcodes\n\nIn WordPress, shortcodes are macros that allow users to add dynamic content to posts and pages. They often accept attributes, which are passed to a handling function as an associative array.\n\nA Stored XSS vulnerability occurs when:\n1.  **User Input is Accepted:** A user with permission to create or edit content (such as a Contributor, Author, or Editor) inserts a shortcode with a malicious attribute value.\n2.  **Insufficient Sanitization:** The plugin fails to sanitize the input when it is received or stored.\n3.  **Unescaped Output:** The plugin handler function retrieves the attribute and concatenates it directly into the HTML output without using context-specific escaping functions.\n\n### Vulnerability Mechanism\n\nIf a plugin defines a shortcode handler like the one described in the CVE, the vulnerable code path typically looks like this:\n\n```php\n\u002F\u002F (Inferred) Vulnerable implementation pattern\nfunction mfd_shortcode( $atts ) {\n    \u002F\u002F Extracting attributes\n    $atts = shortcode_atts( array(\n        'title' => 'Default Title',\n    ), $atts );\n\n    \u002F\u002F The 'title' attribute is placed directly into a \u003Ccaption> tag\n    \u002F\u002F without using esc_html() or wp_kses()\n    $output = '\u003Ctable>';\n    $output .= '\u003Ccaption>' . $atts['title'] . '\u003C\u002Fcaption>'; \n    $output .= '\u003C!-- table data -->';\n    $output .= '\u003C\u002Ftable>';\n\n    return $output;\n}\nadd_shortcode( 'mfd_data', 'mfd_shortcode' );\n```\n\nIf an attacker provides a value like `\u003C\u002Fcaption>\u003Cscript>alert(1)\u003C\u002Fscript>` for the `title` attribute, the resulting HTML breaks out of the `\u003Ccaption>` tag and executes the script when the page is rendered for any visitor.\n\n### Defensive Implementation\n\nTo prevent this, developers must apply the principle of \"escaping on output.\" The attribute should be processed by a function that neutralizes HTML special characters before being returned.\n\n**Corrected Code:**\n\n```php\nfunction mfd_shortcode( $atts ) {\n    $atts = shortcode_atts( array(\n        'title' => 'Default Title',\n    ), $atts );\n\n    $output = '\u003Ctable>';\n    \u002F\u002F Use esc_html() to ensure the title is treated as text, not HTML\n    $output .= '\u003Ccaption>' . esc_html( $atts['title'] ) . '\u003C\u002Fcaption>';\n    $output .= '\u003C!-- table data -->';\n    $output .= '\u003C\u002Ftable>';\n\n    return $output;\n}\n```\n\n### Security Audit Best Practices\n\nFor researchers and developers auditing WordPress plugins, the following steps are recommended:\n\n1.  **Identify Entry Points:** Use `grep -r \"add_shortcode\"` to find all shortcode handlers.\n2.  **Trace Attribute Usage:** Follow the `$atts` variable through the handler function to see how it is used in the final return string.\n3.  **Check for Escaping:** Look for output sinks (like `return`, `echo`, or `printf`) that lack functions such as `esc_html()`, `esc_attr()`, or `wp_kses()`.\n4.  **Verify Capability Requirements:** Ensure that only trusted users can use sensitive shortcodes, although generally, any user with `edit_posts` capability can execute shortcodes by default.\n\nFor more information on secure plugin development, you can consult the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of its shortcode. This occurs because the mfd_shortcode() function fails to escape user-supplied input before outputting it within an HTML \u003Ccaption> element, allowing contributor-level users to inject malicious scripts.","\u002F\u002F Inferred from vulnerability description and research plan\nfunction mfd_shortcode( $atts ) {\n    \u002F\u002F Extracting attributes\n    $atts = shortcode_atts( array(\n        'title' => 'Default Title',\n    ), $atts );\n\n    \u002F\u002F The 'title' attribute is placed directly into a \u003Ccaption> tag\n    \u002F\u002F without using esc_html() or wp_kses()\n    $output = '\u003Ctable>';\n    $output .= '\u003Ccaption>' . $atts['title'] . '\u003C\u002Fcaption>'; \n    $output .= '\u003C!-- table data -->';\n    $output .= '\u003C\u002Ftable>';\n\n    return $output;\n}\nadd_shortcode( 'mfd_data', 'mfd_shortcode' );","--- a\u002Fmutual-funds-data.php\n+++ b\u002Fmutual-funds-data.php\n@@ -5,7 +5,7 @@\n     ), $atts );\n \n     $output = '\u003Ctable>';\n-    $output .= '\u003Ccaption>' . $atts['title'] . '\u003C\u002Fcaption>'; \n+    $output .= '\u003Ccaption>' . esc_html( $atts['title'] ) . '\u003C\u002Fcaption>'; \n     $output .= '\u003C!-- table data -->';\n     $output .= '\u003C\u002Ftable>';","To exploit this vulnerability, an attacker requires Contributor-level access or higher to create or edit a post. The attacker inserts the plugin's shortcode (e.g., [mfd_data]) into the post content, providing a malicious payload within the 'title' attribute. A payload like '\u003C\u002Fcaption>\u003Cscript>alert(1)\u003C\u002Fscript>' breaks out of the HTML caption tag. When the post is saved and subsequently viewed by any user, including administrators, the arbitrary JavaScript executes in their browser session.","gemini-3-flash-preview","2026-06-04 18:50:24","2026-06-04 18:51:11",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmutual-funds-data\u002Ftags"]