NextScripts: Social Networks Auto-Poster <= 4.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'nxs_fbembed' Shortcode
Description
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[nxs_fbembed]` shortcode in all versions up to, and including, 4.4.6. This is due to insufficient input sanitization and output escaping on the `snapFB` post meta value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Technical Details
Affected versions: <= 4.4.6
Source Code
WordPress.org SVN
Patched version not available.
Research Plan: CVE-2026-3228 - Stored XSS via [nxs_fbembed] Shortcode
1. Vulnerability Summary
The NextScripts: Social Networks Auto-Poster (SNAP) plugin (<= 4.4.6) is vulnerable to Stored Cross-Site Scripting via the [nxs_fbembed] shortcode. The vulnerability exists because the plugin fails to sanitize or escape the snapFB post meta value when it is rendered through the shortcode callback. Authenticated users with at least Contributor permissions can create posts, set this post meta, and use the shortcode to execute arbitrary JavaScript in the context of any user (including administrators) viewing the post.
2. Attack Vector Analysis
- Vulnerable Shortcode: [nxs_fbembed]
- Vulnerable Parameter (Meta Key): snapFB
- Authentication Level: Contributor or higher (any role capable of creating/editing posts and using shortcodes).
- Injection Point: Post Metadata.
- Vector: The attacker creates a post, injects a malicious payload into the snapFB meta field, and includes the [nxs_fbembed] shortcode in the post content. When the post is viewed, the payload is echoed without escaping. The meta field is the channel that matters: post_content is passed through wp_kses on save for users without the unfiltered_html capability (Contributors included), which strips <script>, whereas an unregistered post meta value is stored as submitted and only the shortcode callback stands between it and the page.
3. Code Flow (Inferred)
- Registration: The plugin registers the shortcode during the init hook: add_shortcode('nxs_fbembed', 'nxs_fbembed_shortcode_func'); (inferred function name).
- Meta Retrieval: Inside the shortcode callback, the plugin retrieves post meta for the current post: $fbID = get_post_meta($post->ID, 'snapFB', true);
- Vulnerable Sink: The code returns or echoes an HTML string containing $fbID without using esc_html(), esc_attr(), or wp_kses(): return '<div class="nxs_fb_embed">... ' . $fbID . ' ...</div>';
- Execution: When a user visits the post, WordPress processes the shortcode, and the unsanitized script is rendered in the HTML response.
4. Nonce Acquisition Strategy
While shortcode rendering does not require a nonce, setting the post meta typically does.
- Approach: Contributors can set post meta via the standard WordPress post editor. If the plugin provides a specific meta box for SNAP settings, we will use that. If not, we will attempt to set the snapFB meta key directly via the post.php update flow.
- Manual Meta Injection: In standard WordPress, if "Custom Fields" are enabled, meta can be added directly. However, SNAP usually has its own interface.
- JS Variable Discovery: If the plugin uses a custom AJAX handler to save settings, we will:
  - Navigate to the post editor (wp-admin/post-new.php).
  - Check for localizing scripts: browser_eval("window.nxs_obj?.nonce") or similar (common pattern in this plugin).
  - If no custom nonce is found, we rely on the standard _wpnonce for the editpost action.
5. Exploitation Strategy
Step 1: Login and Post Creation
The attacker logs in as a Contributor and starts a new post.
Step 2: Inject Malicious Meta
We need to set the snapFB meta key. Since we are a Contributor, we can use the editpost action to save meta data.
- HTTP Request: POST /wp-admin/post.php
- Content-Type: application/x-www-form-urlencoded
- Payload (Simplified):
  action=editpost
  post_ID=[POST_ID]
  _wpnonce=[NONCE]
  post_title=XSS Test
  content=[nxs_fbembed]
  meta_input[snapFB]=<script>alert(document.domain)</script>
  Note: meta_input is an argument of wp_insert_post(), not a field that post.php reads from the request. In the real form flow the Custom Fields meta box submits metakeyinput and metavalue, which edit_post() hands to add_meta(), so a hand-built request uses those names. If the plugin uses a specific field name in its own meta box (e.g., nxs_fb_post_id), we will identify that via browser_navigate and use it instead.
Step 3: Trigger XSS
View the post, either once a reviewer has published it or via the Contributor's own preview (a Contributor cannot publish directly, but the preview renders the shortcode).
- HTTP Request: GET /?p=[POST_ID]
- Expected Response: The source code contains <script>alert(document.domain)</script> inside the HTML generated by the shortcode.
6. Test Data Setup
- Plugin Installation: Ensure social-networks-auto-poster-facebook-twitter-g version 4.4.6 is installed.
- User Creation: Create a user with the Contributor role.
  wp user create attacker attacker@example.com --role=contributor --user_pass=password123
- Identify Meta Box Fields: Navigate to the post editor as the contributor to see if SNAP adds specific input fields for Facebook post IDs. Common field IDs in this plugin often follow patterns like nxs_....
7. Expected Results
- The update_post_meta call (or equivalent via post.php) should succeed in storing the script tag in the snapFB meta field.
- The [nxs_fbembed] shortcode should render the contents of snapFB directly.
- The HTTP response for the post should contain the executable script tag, confirming Stored XSS.
8. Verification Steps
- Database Check: Verify the meta value is stored in the database.
  wp post meta get [POST_ID] snapFB
- HTML Inspection: Verify the payload exists in the frontend output. Through the execution agent's tool: http_request(url="http://localhost:8080/?p=[POST_ID]"), then grep the response body for the payload.
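The two checks in the Expected Results and Verification Steps above can be run offline once the data is exported. The following is an added example, not part of the advisory and not code from the SNAP plugin: it scans rows exported from wp_postmeta (for instance via `wp db query` or `wp post meta list`) for snapFB values that do not look like a Facebook post ID, and it compares a fetched post body against the stored value to tell a raw reflection (the vulnerable outcome) from the entity-encoded form that esc_html() would produce. The sample rows and HTML bodies are constructed here; the allowed ID format (digits, optionally pageid_postid) is an assumption for the example, not the plugin's own validation rule.

```python
import re

# Constructed wp_postmeta export: (post_id, meta_key, meta_value).
SAMPLE_POSTMETA = [
    (12, "snapFB", "10150123456789012"),                       # plain post ID
    (13, "snapFB", "<script>alert(document.domain)</script>"),  # the advisory's payload
    (14, "snapFB", '"><img src=x onerror=alert(1)>'),          # attribute breakout
    (15, "snapTW", "987654321"),                                # other key, ignored
    (16, "snapFB", "123456_7890"),                              # pageid_postid form
    (17, "snapFB", "javascript:alert(1)"),                      # no tag, JS URI
    (18, "snapFB", "not-an-id"),                                # malformed, not markup
]

# Assumed allow-list for a Facebook post ID (not the plugin's own check);
# tighten it to whatever the real data shows.
FB_ID_RE = re.compile(r"^\d+(?:_\d+)?$")


def triage_postmeta(rows, meta_key="snapFB"):
    """Return [(post_id, value, reason)] for values that fail the allow-list."""
    findings = []
    for post_id, key, value in rows:
        if key != meta_key or FB_ID_RE.fullmatch(value):
            continue
        if re.search(r"<\s*/?\s*[a-z]", value, re.I):
            reason = "html_tag"
        elif re.search(r"\bon[a-z]+\s*=|javascript:", value, re.I):
            reason = "event_handler_or_js_uri"
        elif '"' in value or "'" in value:
            reason = "quote_breakout"
        else:
            reason = "unexpected_format"
        findings.append((post_id, value, reason))
    return findings


def esc_html_like(value):
    """Mimic WordPress esc_html() (htmlspecialchars with ENT_QUOTES) so the
    escaped form can be searched for in the response. '&' is replaced first
    so the entities produced by the other replacements are not re-encoded."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#039;"))


def classify_reflection(meta_value, html_body):
    """'raw' if the stored value appears verbatim in the response, 'escaped' if
    only its entity-encoded form appears, 'absent' otherwise."""
    if meta_value in html_body:
        return "raw"
    if esc_html_like(meta_value) in html_body:
        return "escaped"
    return "absent"


def assess_post(meta_value, html_body):
    """Combine both checks: a raw reflection is only a finding when the value
    is not a plain ID, since an ID reflected verbatim is harmless."""
    reflection = classify_reflection(meta_value, html_body)
    if reflection == "raw":
        return "benign_reflection" if FB_ID_RE.fullmatch(meta_value) else "vulnerable"
    return "escaped" if reflection == "escaped" else "not_reflected"


# Constructed responses for post 13: what the unpatched sink emits, and what
# the same sink emits once esc_html() wraps $fbID.
PAYLOAD = "<script>alert(document.domain)</script>"
VULN_HTML = '<html><body><div class="nxs_fb_embed">' + PAYLOAD + '</div></body></html>'
PATCHED_HTML = '<html><body><div class="nxs_fb_embed">' + esc_html_like(PAYLOAD) + '</div></body></html>'

if __name__ == "__main__":
    for post_id, value, reason in triage_postmeta(SAMPLE_POSTMETA):
        print(f"post {post_id}: {reason}: {value!r}")
    print("unpatched:", assess_post(PAYLOAD, VULN_HTML))    # vulnerable
    print("patched:  ", assess_post(PAYLOAD, PATCHED_HTML))  # escaped
```

Run it against a real export by replacing SAMPLE_POSTMETA with the rows from the database and VULN_HTML with the body returned for GET /?p=[POST_ID]; the `escaped` result is what to expect from a site running the fix, and `benign_reflection` is what a legitimate Facebook post ID produces on either version.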
9. Alternative Approaches
- Custom Field Bypass: If the plugin's meta box sanitizes input, but the shortcode pulls from snapFB meta regardless, try adding the meta via the "Custom Fields" meta box in WordPress. That box is a per-user toggle (Screen Options in the classic editor, Preferences > Panels in the block editor), so a contributor can enable it without administrator involvement unless a plugin or theme has removed custom-fields support for the post type.
- Attribute Breakout: If the payload is rendered inside an attribute (e.g., <div data-fb="[META_VALUE]">), adjust the payload to: "><script>alert(1)</script>.
- AJAX Save: Check for wp_ajax_nxs_save_settings or similar hooks in the plugin source that might allow updating post meta with weaker security checks.
Summary
The NextScripts: Social Networks Auto-Poster plugin for WordPress (<= 4.4.6) is vulnerable to Stored Cross-Site Scripting via the [nxs_fbembed] shortcode. This is caused by the plugin failing to sanitize or escape the 'snapFB' post meta value when it is rendered through the shortcode's callback function, allowing Contributor-level attackers to inject malicious scripts.
Vulnerable Code
// File: inc-core/nxs_functions_wp.php (inferred location based on plugin structure)
function nxs_fbembed_shortcode_func($atts) {
    global $post;
    // Retrieves the post meta value without prior sanitization
    $fbID = get_post_meta($post->ID, 'snapFB', true);
    if ($fbID != '') {
        // Vulnerable sink: The value is concatenated into the HTML output without escaping
        return '<div class="nxs_fb_embed">' . $fbID . '</div>';
    }
}
add_shortcode('nxs_fbembed', 'nxs_fbembed_shortcode_func');
Security Fix
@@ -10,7 +10,7 @@ function nxs_fbembed_shortcode_func($atts) { global $post; $fbID = get_post_meta($post->ID, 'snapFB', true); if ($fbID != '') { - return '<div class="nxs_fb_embed">' . $fbID . '</div>'; + return '<div class="nxs_fb_embed">' . esc_html($fbID) . '</div>'; } }
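Review bot: esc_html() is the right escaping call for this text-node sink, but the value is used as a Facebook post ID (the variable is $fbID), so the hunk could validate instead of only escape, e.g. `$fbID = absint( get_post_meta( $post->ID, 'snapFB', true ) );` or a pattern check on the stored string, so a stored payload is dropped rather than rendered as literal text and any later use of the value inside an attribute or URL does not depend on picking a second escaping function. Two smaller points in the same hunk: `global $post` is dereferenced without a null check, so `$post->ID` warns when the shortcode is rendered outside the loop (get_the_ID() is the safer accessor), and the function returns null when the meta is empty, whereas a shortcode callback should return an empty string.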
Exploit Outline
1. Login to the WordPress site with a Contributor-level account or higher.
2. Start a new post and enable the 'Custom Fields' meta box if it is not already visible.
3. Create a custom field with the name 'snapFB' and set its value to a JavaScript payload, such as: <script>alert(document.domain)</script>.
4. In the post editor, insert the shortcode [nxs_fbembed] into the post body.
5. Save the post as a draft or submit it for review. A Contributor cannot publish directly, so in practice the post is published by an Editor or Administrator, or opened in preview by the reviewer.
6. Navigate to the post's public URL (or its preview URL). The shortcode callback will fetch the 'snapFB' meta value and output it directly into the page, triggering the script execution in the context of the viewing user's browser session.