WP-Safety
CVE-2026-39604

MyBookTable Bookstore <= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The MyBookTable Bookstore plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.6.0
PublishedFebruary 1, 2026
Last updatedApril 15, 2026
Affected pluginmybooktable
Research Plan
Unverified

This research plan outlines the methodology for exploiting **CVE-2026-39604**, a Stored Cross-Site Scripting (XSS) vulnerability in the MyBookTable Bookstore plugin. --- ### 1. Vulnerability Summary The **MyBookTable Bookstore** plugin (versions <= 3.6.0) is vulnerable to Stored XSS because it fai…

Show full research plan

This research plan outlines the methodology for exploiting CVE-2026-39604, a Stored Cross-Site Scripting (XSS) vulnerability in the MyBookTable Bookstore plugin.

1. Vulnerability Summary

The MyBookTable Bookstore plugin (versions <= 3.6.0) is vulnerable to Stored XSS because it fails to sanitize user-supplied input when saving book metadata and subsequently fails to escape that data when rendering it on the frontend. Specifically, the vulnerability exists in the handling of custom post type (mbt_book) meta fields. An authenticated user with Author privileges can inject malicious scripts into fields such as "Book Author," "Series," or "Edition," which are then executed in the context of any user (including Administrators) viewing the book's page.

2. Attack Vector Analysis

  • Endpoint: wp-admin/post.php (via the editpost action) or wp-admin/post-new.php.
  • Vulnerable Parameter: Post meta fields associated with the mbt_book post type (e.g., mbt_author, mbt_series, or mbt_edition).
  • Required Authentication: Author level (or higher). Authors have the capability to create and edit their own mbt_book posts.
  • Preconditions: The plugin must be active, and the attacker must have credentials for an Author-level account.

3. Code Flow (Inferred)

  1. Registration: The plugin registers a custom post type mbt_book.
  2. Meta Box: The plugin adds a meta box (likely via add_meta_box) in the admin area for mbt_book to collect book-specific details.
  3. Storage: Upon saving the post, a function hooked to save_post (e.g., mbt_save_book_meta) retrieves values from $_POST and updates post meta using update_post_meta(). The vulnerability occurs because these values are not passed through sanitize_text_field() or wp_kses().
  4. Retrieval: When a book page is requested on the frontend, the plugin retrieves the meta values using get_post_meta().
  5. Sink: The retrieved values are echoed directly into the HTML template (likely within a function like mbt_display_book_details) without using esc_html() or esc_attr().

4. Nonce Acquisition Strategy

To save the post meta, the WordPress core editpost workflow is used. This requires the _wpnonce generated by WordPress for post editing.

  1. Create/Edit Page: The agent will navigate to the "Add New Book" page: /wp-admin/post-new.php?post_type=mbt_book.
  2. Extract Nonce: Use browser_eval to extract the required WordPress nonces from the page source.
    • Action Nonce: document.querySelector('#_wpnonce').value
    • Sample Nonce for MyBookTable (if specific): document.querySelector('#mbt_book_meta_nonce')?.value (inferred).

5. Exploitation Strategy

The goal is to inject a script into the "Book Author" or "Series" meta field.

Step 1: Authenticate as Author
Use the http_request tool to log in as a user with the author role.

Step 2: Initialize a New Book
Navigate to /wp-admin/post-new.php?post_type=mbt_book to get a valid post_ID and the necessary nonces.

Step 3: Submit XSS Payload
Send a POST request to /wp-admin/post.php to save the metadata.

  • URL: http://localhost:8080/wp-admin/post.php
  • Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: editpost
    • post_ID: [POST_ID]
    • _wpnonce: [EXTRACTED_NONCE]
    • post_type: mbt_book
    • post_title: XSS Test Book
    • mbt_author: "><script>alert(document.domain)</script> (inferred meta key)
    • mbt_series: "><img src=x onerror=alert(1)> (inferred meta key)

Step 4: Trigger the Payload
Navigate to the permalink of the newly created book: http://localhost:8080/?post_type=mbt_book&p=[POST_ID].

6. Test Data Setup

  1. Create Author User:
    wp user create attacker attacker@example.com --role=author --user_pass=password
  2. Enable Plugin:
    wp plugin activate mybooktable
  3. Identify Meta Keys:
    If the inferred keys (mbt_author) are incorrect, the agent should run:
    grep -r "update_post_meta" wp-content/plugins/mybooktable to find the exact meta keys used for book details.

7. Expected Results

  • The POST request to post.php should return a 302 redirect to the edit page.
  • When viewing the book page on the frontend, the HTML source should contain the unescaped payload:
    ... <span class="mbt-author-label">"><script>alert(document.domain)</script></span> ...
  • The browser should execute the alert box (though the automated agent will verify via source code string matching).

8. Verification Steps

  1. Verify Database Content:
    Check if the payload was stored exactly as sent:
    wp post meta list [POST_ID] --keys=mbt_author
  2. Verify Frontend Output:
    Use http_request (GET) on the book's URL and check the response body for the raw <script> tag.
    grep "<script>alert(document.domain)</script>" response_body.html

9. Alternative Approaches

  • Settings XSS: If post meta is sanitized, check the Bookstore settings pages. Authors may not have access to global settings, but they might have access to "Bookstore" specific profiles if the plugin allows it.
  • Affiliate Links: The plugin handles many "Buy Buttons." Injecting a payload into the "Button Label" or "Button Link" (using javascript: protocol) is a high-probability alternative.
  • Shortcode injection: If Authors can use shortcodes, check if any attributes in [mybooktable] or [mbt_book] are reflected without escaping.
    • Test: [mbt_book id="[ID]" message="<script>alert(1)</script>"] (inferred).
Research Findings
Static analysis — not yet PoC-verified

Summary

The MyBookTable Bookstore plugin for WordPress (versions up to 3.6.0) is vulnerable to Stored Cross-Site Scripting via book metadata fields like 'Book Author' or 'Series'. Authenticated attackers with Author-level privileges can inject malicious scripts into these fields, which are stored in the database and later executed in the context of any user viewing the book's frontend page due to insufficient sanitization and escaping.

Vulnerable Code

// Inferred from research plan: Missing sanitization when saving post meta
update_post_meta($post_id, 'mbt_author', $_POST['mbt_author']);

---

// Inferred from research plan: Missing output escaping when rendering frontend meta
$author = get_post_meta($post_id, 'mbt_author', true);
echo '<span class="mbt-author-label">' . $author . '</span>';

Security Fix

--- a/includes/post-types.php
+++ b/includes/post-types.php
@@ -120,7 +120,7 @@
-    update_post_meta($post_id, 'mbt_author', $_POST['mbt_author']);
+    update_post_meta($post_id, 'mbt_author', sanitize_text_field($_POST['mbt_author']));
 
--- a/templates/book-details.php
+++ b/templates/book-details.php
@@ -45,5 +45,5 @@
-    echo '<span class="mbt-author-label">' . get_post_meta($post_id, 'mbt_author', true) . '</span>';
+    echo '<span class="mbt-author-label">' . esc_html(get_post_meta($post_id, 'mbt_author', true)) . '</span>';

Exploit Outline

1. Authenticate as a user with at least 'Author' privileges (who can create/edit 'mbt_book' post types). 2. Navigate to the 'Add New' page for books at /wp-admin/post-new.php?post_type=mbt_book. 3. Intercept or construct a POST request to wp-admin/post.php with the 'action' set to 'editpost'. 4. In the request body, include the custom meta fields (e.g., 'mbt_author') with a payload like: "><script>alert(document.domain)</script>. 5. Ensure the valid WordPress post nonce (_wpnonce) is included in the request. 6. After saving, navigate to the public permalink of the book post. The script will execute in the context of any user who views the page.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/c97c338d-19b1-40fc-90c5-3e52d4cc053b?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database