[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7QvqCPtmnQ4S5BQyolzdc20MAeYOGYb4X5I-oen00Ik":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-3228","nextscripts-social-networks-auto-poster-authenticated-contributor-stored-cross-site-scripting-via-nxsfbembed-shortcode","NextScripts: Social Networks Auto-Poster \u003C= 4.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'nxs_fbembed' Shortcode","The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[nxs_fbembed]` shortcode in all versions up to, and including, 4.4.6. This is due to insufficient input sanitization and output escaping on the `snapFB` post meta value. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","social-networks-auto-poster-facebook-twitter-g",null,"\u003C=4.4.6","4.4.7","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-09 21:33:10","2026-03-10 09:59:00",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F923c51ba-0ec2-4e32-a86e-404f3fe2ac7c?source=api-prod",1,[],"researched",false,3,"# Research Plan: CVE-2026-3228 - Stored XSS via `[nxs_fbembed]` Shortcode\n\n## 1. Vulnerability Summary\nThe **NextScripts: Social Networks Auto-Poster (SNAP)** plugin (\u003C= 4.4.6) is vulnerable to Stored Cross-Site Scripting via the `[nxs_fbembed]` shortcode. The vulnerability exists because the plugin fails to sanitize or escape the `snapFB` post meta value when it is rendered through the shortcode callback. Authenticated users with at least **Contributor** permissions can create posts, set this post meta, and use the shortcode to execute arbitrary JavaScript in the context of any user (including administrators) viewing the post.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Shortcode:** `[nxs_fbembed]`\n*   **Vulnerable Parameter (Meta Key):** `snapFB`\n*   **Authentication Level:** Contributor or higher (any role capable of creating\u002Fediting posts and using shortcodes).\n*   **Injection Point:** Post Metadata.\n*   **Vector:** The attacker creates a post, injects a malicious payload into the `snapFB` meta field, and includes the `[nxs_fbembed]` shortcode in the post content. When the post is viewed, the payload is echoed without escaping.\n\n## 3. Code Flow (Inferred)\n1.  
**Registration:** The plugin registers the shortcode during the `init` hook:\n    `add_shortcode('nxs_fbembed', 'nxs_fbembed_shortcode_func');` (inferred function name).\n2.  **Meta Retrieval:** Inside the shortcode callback, the plugin retrieves post meta for the current post:\n    `$fbID = get_post_meta($post->ID, 'snapFB', true);`\n3.  **Vulnerable Sink:** The code returns or echoes an HTML string containing `$fbID` without using `esc_html()`, `esc_attr()`, or `wp_kses()`:\n    `return '\u003Cdiv class=\"nxs_fb_embed\">... ' . $fbID . ' ...\u003C\u002Fdiv>';`\n4.  **Execution:** When a user visits the post, WordPress processes the shortcode, and the unsanitized script is rendered in the HTML response.\n\n## 4. Nonce Acquisition Strategy\nWhile shortcode *rendering* does not require a nonce, *setting the post meta* typically does.\n*   **Approach:** Contributors can set post meta via the standard WordPress post editor. If the plugin provides a specific meta box for SNAP settings, we will use that. If not, we will attempt to set the `snapFB` meta key directly via the `post.php` update flow.\n*   **Manual Meta Injection:** In standard WordPress, if \"Custom Fields\" are enabled, meta can be added directly. However, SNAP usually has its own interface.\n*   **JS Variable Discovery:** If the plugin uses a custom AJAX handler to save settings, we will:\n    1.  Navigate to the post editor (`wp-admin\u002Fpost-new.php`).\n    2.  Check for localizing scripts: `browser_eval(\"window.nxs_obj?.nonce\")` or similar (common pattern in this plugin).\n    3.  If no custom nonce is found, we rely on the standard `_wpnonce` for the `editpost` action.\n\n## 5. Exploitation Strategy\n### Step 1: Login and Post Creation\nThe attacker logs in as a Contributor and starts a new post.\n\n### Step 2: Inject Malicious Meta\nWe need to set the `snapFB` meta key. 
Since we are a Contributor, we can use the `editpost` action to save meta data.\n\n*   **HTTP Request:** `POST \u002Fwp-admin\u002Fpost.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Payload (Simplified):**\n    ```\n    action=editpost\n    post_ID=[POST_ID]\n    _wpnonce=[NONCE]\n    post_title=XSS Test\n    content=[nxs_fbembed]\n    meta_input[snapFB]=\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n    ```\n    *Note: If the plugin uses a specific field name in its meta box (e.g., `nxs_fb_post_id`), we will identify that via `browser_navigate` and use it instead.*\n\n### Step 3: Trigger XSS\nView the published (or previewed) post.\n\n*   **HTTP Request:** `GET \u002F?p=[POST_ID]`\n*   **Expected Response:** The source code contains `\u003Cscript>alert(document.domain)\u003C\u002Fscript>` inside the HTML generated by the shortcode.\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `social-networks-auto-poster-facebook-twitter-g` version 4.4.6 is installed.\n2.  **User Creation:**\n    *   Create a user with the **Contributor** role.\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n3.  **Identify Meta Box Fields:**\n    *   Navigate to the post editor as the contributor to see if SNAP adds specific input fields for Facebook post IDs.\n    *   Common field IDs in this plugin often follow patterns like `nxs_...`.\n\n## 7. Expected Results\n*   The `update_post_meta` call (or equivalent via `post.php`) should succeed in storing the script tag in the `snapFB` meta field.\n*   The `[nxs_fbembed]` shortcode should render the contents of `snapFB` directly.\n*   The HTTP response for the post should contain the executable script tag, confirming Stored XSS.\n\n## 8. Verification Steps\n1.  **Database Check:** Verify the meta value is stored in the database.\n    ```bash\n    wp post meta get [POST_ID] snapFB\n    ```\n2.  
**HTML Inspection:** Verify the payload exists in the frontend output.\n    ```bash\n    # Through the execution agent's tool\n    http_request(url=\"http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]\")\n    # Then grep the response body for the payload\n    ```\n\n## 9. Alternative Approaches\n*   **Custom Field Bypass:** If the plugin's meta box sanitizes input, but the shortcode pulls from `snapFB` meta regardless, try adding the meta via the \"Custom Fields\" meta box in WordPress (if the admin has enabled it for contributors).\n*   **Attribute Breakout:** If the payload is rendered inside an attribute (e.g., `\u003Cdiv data-fb=\"[META_VALUE]\">`), adjust the payload to: `\">\u003Cscript>alert(1)\u003C\u002Fscript>`.\n*   **AJAX Save:** Check for `wp_ajax_nxs_save_settings` or similar hooks in the plugin source that might allow updating post meta with weaker security checks.","The NextScripts: Social Networks Auto-Poster plugin for WordPress (\u003C= 4.4.6) is vulnerable to Stored Cross-Site Scripting via the [nxs_fbembed] shortcode. This is caused by the plugin failing to sanitize or escape the 'snapFB' post meta value when it is rendered through the shortcode's callback function, allowing Contributor-level attackers to inject malicious scripts.","\u002F\u002F File: inc-core\u002Fnxs_functions_wp.php (inferred location based on plugin structure)\n\nfunction nxs_fbembed_shortcode_func($atts) {\n    global $post;\n    \u002F\u002F Retrieves the post meta value without prior sanitization\n    $fbID = get_post_meta($post->ID, 'snapFB', true);\n    if ($fbID != '') {\n        \u002F\u002F Vulnerable sink: The value is concatenated into the HTML output without escaping\n        return '\u003Cdiv class=\"nxs_fb_embed\">' . $fbID . 
'\u003C\u002Fdiv>';\n    }\n}\nadd_shortcode('nxs_fbembed', 'nxs_fbembed_shortcode_func');","--- inc-core\u002Fnxs_functions_wp.php\n+++ inc-core\u002Fnxs_functions_wp.php\n@@ -10,7 +10,7 @@\n function nxs_fbembed_shortcode_func($atts) {\n     global $post;\n     $fbID = get_post_meta($post->ID, 'snapFB', true);\n     if ($fbID != '') {\n-        return '\u003Cdiv class=\"nxs_fb_embed\">' . $fbID . '\u003C\u002Fdiv>';\n+        return '\u003Cdiv class=\"nxs_fb_embed\">' . esc_html($fbID) . '\u003C\u002Fdiv>';\n     }\n }","1. Login to the WordPress site with a Contributor-level account or higher.\n2. Start a new post and enable the 'Custom Fields' meta box if it is not already visible.\n3. Create a custom field with the name 'snapFB' and set its value to a JavaScript payload, such as: \u003Cscript>alert(document.domain)\u003C\u002Fscript>.\n4. In the post editor, insert the shortcode [nxs_fbembed] into the post body.\n5. Save the post as a draft or publish it.\n6. Navigate to the post's public URL. The shortcode callback will fetch the 'snapFB' meta value and output it directly into the page, triggering the script execution in the context of the user's browser session.","gemini-3-flash-preview","2026-04-18 05:10:40","2026-04-18 05:11:03",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","3.8.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsocial-networks-auto-poster-facebook-twitter-g\u002Ftags\u002F3.8.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsocial-networks-auto-poster-facebook-twitter-g.3.8.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsocial-networks-auto-poster-facebook-twitter-g\u002Ftags"]
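Review bot: `esc_html($fbID)` is the correct escaper only if `$fbID` really ends up as element text, as in the inferred line shown in the hunk; the snippet is explicitly marked as an inferred location, so before relying on this fix confirm the real sink in `inc-core/nxs_functions_wp.php`, since an embed helper that places the value in an attribute or URL needs `esc_attr()` or `esc_url()` instead. Escaping at output is the right minimum, but the `snapFB` meta should also be sanitized when it is saved (e.g. `sanitize_text_field()` in the meta save path), so a stored value never contains markup in the first place, and the `if ($fbID != '')` guard should be kept as-is since it only gates empty values.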