[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFOQszpecoBoAIfk6glw8_UgoQW76PKbhspMNelBssOs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-0703","nextmove-lite-thank-you-page-for-woocommerce-authenticated-contributor-stored-cross-site-scripting-via-xlwctycurrentdate","NextMove Lite - Thank You Page for WooCommerce \u003C= 2.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'xlwcty_current_date' Shortcode","The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","woo-thank-you-page-nextmove-lite",null,"\u003C=2.23.0","2.24.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-01 00:00:00","2026-05-02 13:26:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa8eab201-04a5-43df-bb9b-2964c50a1833?source=api-prod",2,[22,23,24,25,26,27,28,29],"admin\u002Fassets\u002Fjs\u002Fxlwcty-admin-app.js","admin\u002Fassets\u002Fjs\u002Fxlwcty-admin-app.min.js","admin\u002Fassets\u002Fjs\u002Fxlwcty-admin.js","admin\u002Fassets\u002Fjs\u002Fxlwcty-admin.min.js","admin\u002Fincludes\u002Findex.php","admin\u002Findex.php","admin\u002Fxlwcty-admin.php","assets\u002Fcss\u002Fxlwcty-public-rest.css","researched",false,3,"# Research Plan: CVE-2026-0703 - NextMove Lite Stored XSS via Shortcode\n\n## 1. Vulnerability Summary\nThe **NextMove Lite – Thank You Page for WooCommerce** plugin (versions \u003C= 2.23.0) is vulnerable to Stored Cross-Site Scripting (XSS) via the `xlwcty_current_date` shortcode. The vulnerability exists because the plugin fails to properly sanitize or escape user-supplied attributes within the shortcode's rendering logic. An authenticated attacker with **Contributor** level permissions (who can create posts but cannot use `unfiltered_html`) can inject malicious JavaScript into a post or page using this shortcode. The script will execute in the browser of any user (including administrators) who views the affected page.\n\n## 2. Attack Vector Analysis\n* **Shortcode Name:** `xlwcty_current_date`\n* **Vulnerable Attribute:** Likely `format`, `prefix`, or `suffix` (inferred based on date shortcode patterns).\n* **Authentication Level:** Authenticated (Contributor+).\n* **Preconditions:** The plugin must be active. WooCommerce is likely required as a dependency for this plugin to function fully, but the shortcode rendering may be independent.\n* **Endpoint:** The standard WordPress post\u002Fpage editor or any area where shortcodes are processed.\n\n## 3. Code Flow\n1. **Registration:** The plugin registers the shortcode (likely in a frontend-facing class or during `init`) using `add_shortcode( 'xlwcty_current_date', [ $this, 'render_current_date' ] )`.\n2. **Processing:** When a post is rendered, WordPress identifies the `[xlwcty_current_date]` tag and calls the associated callback function.\n3. **Attribute Handling:** The callback function extracts attributes using `shortcode_atts()`.\n4. **Sink:** One or more of these attributes (e.g., a custom date format string or a wrapper) is concatenated into the return string without being passed through escaping functions like `esc_html()`, `esc_attr()`, or `wp_kses()`.\n5. **Output:** The final HTML string containing the malicious script is returned to the WordPress content filter and rendered in the browser.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability involves **Stored XSS** via a shortcode.\n* **Post Creation:** To store the payload, a Contributor creates a post. This can be done via `wp-cli` in the test environment (bypassing the need for CSRF nonces) or via the REST API\u002FClassic Editor.\n* **Rendering:** No nonce is required to trigger the XSS. The shortcode is executed automatically when the page is viewed.\n* **Plugin-Specific Nonces:** While `xlwcty-admin-app.js` localizes `xlwctyParams` with `ajax_nonce`, `search_products_nonce`, and `ajax_chosen`, these are for admin-side AJAX operations and are **not required** for exploiting the shortcode rendering on the frontend.\n\n## 5. Exploitation Strategy\n1. **Preparation:** Identify the exact attributes accepted by the `xlwcty_current_date` shortcode. Standard date shortcodes often use `format`.\n2. **Payload Construction:**\n * Primary Payload: `[xlwcty_current_date format='\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n * Note: Since PHP's `date()` function might mangle the script tags if they are used as the format string, try escaping characters or using supplementary attributes if they exist (e.g., `before` or `after`).\n * Alternative Payload: `[xlwcty_current_date format='\\\" autofocus onfocus=alert(1) ']` (If the attribute is reflected inside an HTML tag).\n3. **Injection:** Use `wp-cli` to create a post as a contributor with the shortcode.\n4. **Trigger:** Use `http_request` to fetch the permalink of the newly created post.\n5. **Exfiltration\u002FImpact:** In a real scenario, this would be used to steal cookies or perform CSRF against an admin. For the PoC, `alert()` or a console log is sufficient.\n\n## 6. Test Data Setup\nPerform the following via `wp_cli`:\n1. **Create Contributor User:**\n `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2. **Create Malicious Post:**\n ```bash\n wp post create --post_type=post --post_status=publish --post_title=\"Thank You Date\" --post_author=$(wp user get attacker --field=ID) --post_content='[xlwcty_current_date format=\"\u003Cscript>console.log(\\\"XSS_TRIGGERED\\\")\u003C\u002Fscript>\"]'\n ```\n3. **Identify URL:**\n `wp post list --post_type=post --field=url --title=\"Thank You Date\"`\n\n## 7. Expected Results\n* When the post is requested via `http_request`, the response body should contain the literal string: `\u003Cscript>console.log(\"XSS_TRIGGERED\")\u003C\u002Fscript>`.\n* The script should not be entity-encoded (e.g., no `<script>`).\n\n## 8. Verification Steps\n1. **HTML Inspection:** Use `http_request` to get the page content and grep for the payload:\n ```bash\n # (Pseudocode for agent)\n response = http_request(post_url)\n if '\u003Cscript>console.log(\"XSS_TRIGGERED\")\u003C\u002Fscript>' in response.body:\n print(\"Vulnerability Confirmed: Unescaped shortcode attribute found in output.\")\n ```\n2. **Browser Execution:** Use `browser_navigate(post_url)` and check for the console message or an alert.\n\n## 9. Alternative Approaches\nIf the `format` attribute is processed by PHP's `date()` function (which would replace 's', 'c', 'r', 'i', 'p', 't' with date values):\n* **Bypass:** Use the backslash to escape every character in the format string:\n `[xlwcty_current_date format='\\\u003C\\s\\c\\r\\i\\p\\t\\>\\a\\l\\e\\r\\t\\(\\1\\)\\\u003C\\\u002F\\s\\c\\r\\i\\p\\t\\>']`\n* **Search for other attributes:** Check if the plugin supports `prefix`, `suffix`, `before`, or `after` attributes, which are likely concatenated directly without being passed through `date()`.\n Example: `[xlwcty_current_date suffix='\u003Cscript>alert(1)\u003C\u002Fscript>']`\n* **Admin-Side Stored XSS:** If the shortcode is used within the plugin's \"Thank You Page\" settings (which are managed in the admin dashboard), check if a Contributor can access those settings via the AJAX actions defined in `xlwcty-admin.php` (e.g., `xlwcty_change_rule_type`). However, the shortcode in post content is the most direct path.","The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'xlwcty_current_date' shortcode in versions up to and including 2.23.0. This vulnerability allows authenticated attackers with Contributor-level permissions to inject malicious scripts into posts or pages via unescaped shortcode attributes, which then execute in the context of any user viewing the page.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-thank-you-page-nextmove-lite\u002F2.23.0\u002Fadmin\u002Fassets\u002Fjs\u002Fxlwcty-admin-app.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-thank-you-page-nextmove-lite\u002F2.24.0\u002Fadmin\u002Fassets\u002Fjs\u002Fxlwcty-admin-app.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-thank-you-page-nextmove-lite\u002F2.23.0\u002Fadmin\u002Fassets\u002Fjs\u002Fxlwcty-admin-app.js\t2021-01-21 12:22:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-thank-you-page-nextmove-lite\u002F2.24.0\u002Fadmin\u002Fassets\u002Fjs\u002Fxlwcty-admin-app.js\t2026-03-14 16:07:36.000000000 +0000\n@@ -59,7 +59,7 @@\n if (!(typeof pagenow !== \"undefined\" && pagenow === \"xlwcty_thankyou\")) {\n return;\n }\n- $('#xlwcty_settings_location').on('change',function () {\n+ $('#xlwcty_settings_location').on('change', function () {\n if ($(this).val() == 'custom:custom') {\n $('.xlwcty-settings-custom').show();\n } else {\n@@ -83,12 +83,12 @@\n \n $(\"select.ajax_chosen_select_products\").xlAjaxChosen({\n method: 'GET',\n- url: xlwctyParams.ajax_url,\n+ url: (typeof xlwctyParams !== 'undefined' && xlwctyParams.ajax_url) ? xlwctyParams.ajax_url : (typeof ajaxurl !== 'undefined' ? ajaxurl : '\u002Fwp-admin\u002Fadmin-ajax.php'),\n dataType: 'json',\n afterTypeDelay: 100,\n data: {\n action: 'woocommerce_json_search_products_and_variations',\n- security: xlwctyParams.search_products_nonce\n+ security: (typeof xlwctyParams !== 'undefined' && xlwctyParams.search_products_nonce) ? xlwctyParams.search_products_nonce : ''\n }\n }, function (data) {\n\n... (truncated)","The exploitation of this vulnerability requires an authenticated user with at least Contributor-level access. The attacker creates a new post or edits an existing one and inserts the plugin's '[xlwcty_current_date]' shortcode. By supplying a malicious JavaScript payload within attributes that are concatenated into the output without proper escaping (such as 'format', 'prefix', or 'suffix'), the attacker ensures the payload is stored in the database. A sample payload would be: [xlwcty_current_date suffix='\u003Cscript>alert(document.domain)\u003C\u002Fscript>']. When an administrator or any site visitor navigates to the affected post, the shortcode logic executes server-side, rendering the unescaped script tag directly into the HTML response, which then executes the malicious JavaScript in the visitor's browser.","gemini-3-flash-preview","2026-05-04 17:35:36","2026-05-04 17:35:58",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.23.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-thank-you-page-nextmove-lite\u002Ftags\u002F2.23.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-thank-you-page-nextmove-lite.2.23.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-thank-you-page-nextmove-lite\u002Ftags\u002F2.24.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-thank-you-page-nextmove-lite.2.24.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-thank-you-page-nextmove-lite\u002Ftags"]