[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fOH7s5gYetRAGJDtJ2uwJy2DV5ty-R6inLLo2Gef4Q_g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8707","ns-product-icon-badge-reflected-cross-site-scripting-via-phpself","NS Product icon badge \u003C= 1.2.4 - Reflected Cross-Site Scripting via PHP_SELF","The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","product-icon-badge",null,"\u003C=1.2.4","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 17:24:14","2026-05-27 05:31:31",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd1c1847c-8cc9-4080-8da5-7364c4358034?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8707\n\n## 1. Vulnerability Summary\nThe **NS Product icon badge** plugin for WordPress (\u003C= 1.2.4) is vulnerable to **Reflected Cross-Site Scripting (XSS)**. The vulnerability arises from the improper neutralization of the `PHP_SELF` server variable. In certain versions of PHP and server configurations, `$_SERVER['PHP_SELF']` includes the path information provided in the URL. If a plugin echoes this variable directly into an HTML attribute (most commonly a `\u003Cform action=\"...\">`) without using `esc_url()`, an attacker can append a malicious script payload to the URL path. This payload is then reflected in the page source and executed by the victim's browser.\n\n## 2. Attack Vector Analysis\n*   **Endpoint**: Any WordPress admin page or frontend page where the plugin renders a form or link using `PHP_SELF`. Based on the plugin type, this is most likely found in the admin settings page.\n*   **Vulnerable Variable**: `$_SERVER['PHP_SELF']`.\n*   **Attack Parameter**: The URL path (specifically, characters following the script name).\n*   **Authentication Requirement**: \n    *   **Attacker**: Unauthenticated (PR:N).\n    *   **Victim**: An Administrator (Reflected XSS on an admin page requires a logged-in user with access to that page).\n*   **Preconditions**: The plugin must be active, and a victim must be tricked into clicking a specially crafted link.\n\n## 3. Code Flow\nBased on the vulnerability description, the expected code flow is:\n1.  **Entry Point**: A user navigates to a URL such as `\u002Fwp-admin\u002Fadmin.php\u002Findex.php\u002F\">\u003Cscript>alert(1)\u003C\u002Fscript>\u002F?page=product-icon-badge`.\n2.  **Plugin Initialization**: The plugin registers an admin menu (likely via `add_menu_page` or `add_submenu_page`) and a callback function to render the settings.\n3.  **Vulnerable Sink**: Inside the settings callback function (often in a view file or a class method), the code contains a line similar to:\n    ```php\n    \u003Cform method=\"post\" action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=product-icon-badge\">\n    ```\n4.  **Reflection**: Because `$_SERVER['PHP_SELF']` is not wrapped in `esc_url()`, the browser interprets the path segment `\u002F\">\u003Cscript>alert(1)\u003C\u002Fscript>\u002F` as a breakout from the `action` attribute, injecting the `\u003Cscript>` tag into the DOM.\n\n## 4. Nonce Acquisition Strategy\nReflected XSS via `PHP_SELF` typically occurs during a `GET` request to render the page and does **not** require a nonce for the initial reflection.\n\nHowever, if the objective is to escalate the XSS into a **Cross-Site Request Forgery (CSRF)** attack (e.g., to create a new admin user), the XSS payload itself can extract nonces directly from the page context using the `browser_eval` tool:\n\n1.  Identify the target action (e.g., creating a user).\n2.  The script running via XSS can fetch the relevant admin page (e.g., `\u002Fwp-admin\u002Fuser-new.php`).\n3.  Extract the nonce from the DOM:\n    ```javascript\n    const nonce = document.querySelector('#_wpnonce_create-user')?.value;\n    ```\n\n## 5. Exploitation Strategy\nSince the source is not provided, the following steps involve identifying the exact location of the sink:\n\n### Phase 1: Discovery\n1.  **Identify Admin Page**: Use `wp-cli` to find the plugin's menu slug.\n    ```bash\n    grep -rn \"add_menu_page\\|add_submenu_page\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fproduct-icon-badge\u002F\n    ```\n2.  **Locate Sink**: Search for `PHP_SELF` usage in the plugin directory.\n    ```bash\n    grep -rn \"PHP_SELF\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fproduct-icon-badge\u002F\n    ```\n    *   *Note: If `PHP_SELF` is found in a form action, this is the primary target.*\n\n### Phase 2: Execution\n1.  **Construct Payload**:\n    Assuming the slug is `product-icon-badge` (inferred) and the sink is in the admin settings:\n    `URL: http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php\u002Findex.php\u002F\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u002F?page=product-icon-badge`\n2.  **Trigger Reflection**:\n    Use the `http_request` tool (Playwright) to simulate an admin clicking the link.\n    *   **Method**: `GET`\n    *   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php\u002Findex.php\u002F%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E\u002F?page=product-icon-badge`\n    *   **Cookies**: Must include valid admin session cookies.\n\n## 6. Test Data Setup\n1.  **Install Plugin**: Install \"NS Product icon badge\" version 1.2.4.\n2.  **Activate Plugin**: `wp plugin activate product-icon-badge`.\n3.  **User Creation**: Ensure an admin user exists (e.g., user: `admin`, pass: `password`).\n4.  **Admin Session**: Log in as the admin via the browser to establish session cookies for the agent.\n\n## 7. Expected Results\n*   The HTTP response should contain the raw payload: `\u003Cform action=\"\u002Fwp-admin\u002Fadmin.php\u002Findex.php\u002F\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u002F...`\n*   In a browser context, an alert box displaying the domain name should appear.\n*   The `action` attribute of the form will be broken, confirming the lack of `esc_url()`.\n\n## 8. Verification Steps\n1.  **Source Check**: Use `http_request` and check if the string `\u003Cscript>alert(document.domain)\u003C\u002Fscript>` exists in the returned body without being encoded (i.e., not `&lt;script&gt;`).\n2.  **DOM Verification**: Use `browser_eval` to check if a specific element or global variable was modified by the injected script.\n    ```javascript\n    browser_eval(\"window.xss_verified = true;\")\n    ```\n\n## 9. Alternative Approaches\n*   **Attribute Breakout**: If the `PHP_SELF` variable is reflected inside a different HTML attribute (e.g., `value` or `href`), adjust the payload to use single quotes `'` or double quotes `\"` and event handlers:\n    `index.php\u002F\"onmouseover=\"alert(1)\"`\n*   **Bypass Filtering**: If simple `\u003Cscript>` tags are filtered, use an `\u003Cimg>` tag with an `onerror` event:\n    `index.php\u002F\">\u003Cimg src=x onerror=alert(1)>`\n*   **JS Protocol**: If reflected in an `\u003Ca>` tag's `href`:\n    `index.php\u002Fjavascript:alert(1)\u002F\u002F` (Though this is less common for `PHP_SELF` which usually outputs paths).","The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) due to the unsafe use of the PHP_SELF server variable in its admin settings. An attacker can craft a URL containing a malicious script in the path segment, which is reflected into a form's action attribute without sanitization, leading to script execution in the context of an administrator's session.","\u002F\u002F Inferred from vulnerability description and common WordPress patterns\n\u002F\u002F likely located in the admin settings template or class\n\n\u003Cform method=\"post\" action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=product-icon-badge\">\n    \u003C!-- Settings fields -->\n\u003C\u002Fform>","--- a\u002Fproduct-icon-badge\u002Fadmin\u002Fsettings-page.php\n+++ b\u002Fproduct-icon-badge\u002Fadmin\u002Fsettings-page.php\n@@ -10,1 +10,1 @@\n- \u003Cform method=\"post\" action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=product-icon-badge\">\n+ \u003Cform method=\"post\" action=\"\u003C?php echo esc_url($_SERVER['PHP_SELF']); ?>?page=product-icon-badge\">","The exploit targets the admin settings page of the plugin. An attacker crafts a URL that appends a script payload to the PHP script path (e.g., \u002Fwp-admin\u002Fadmin.php\u002Findex.php\u002F\">\u003Cscript>alert(1)\u003C\u002Fscript>\u002F?page=product-icon-badge). When an authenticated administrator clicks this link, the server echoes the malicious path directly into the 'action' attribute of an HTML form. This breaks the attribute context and injects the script into the DOM, where it executes. No nonces are required for the initial reflection as it occurs during a GET request.","gemini-3-flash-preview","2026-06-04 18:55:54","2026-06-04 18:56:39",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproduct-icon-badge\u002Ftags"]