[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFU9CuzZS2_nIebU9EBPZxYnrXSSGz4aEdINNCZB2Z4k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-56007","ocean-product-sharing-authenticated-shop-manager-stored-cross-site-scripting","Ocean Product Sharing \u003C= 2.2.2 - Authenticated (Shop manager+) Stored Cross-Site Scripting","The Ocean Product Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","ocean-product-sharing",null,"\u003C=2.2.2","2.2.3","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-18 00:00:00","2026-06-23 15:52:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F310e2405-b6ff-4f52-9502-09fa7d5fcc62?source=api-prod",6,[22,23,24,25,26],"README.md","languages\u002Focean-product-sharing.pot","ocean-product-sharing.php","readme.txt","template\u002Fproduct-share.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-56007 (Ocean Product Sharing Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Ocean Product Sharing** plugin (up to 2.2.2) is vulnerable to Stored Cross-Site Scripting (XSS) due to improper sanitization and escaping of plugin settings managed through the WordPress Customizer. Specifically, settings related to colors and styling (e.g., icon colors, background colors) are stored and subsequently output into the site's `\u003Chead>` within a `\u003Cstyle>` block via the `ocean_head_css` filter. Because the plugin does not properly sanitize these inputs upon saving or escape them upon output, an authenticated user with permission to modify these settings (Shop Managers and above) can inject malicious scripts.\n\nThis vulnerability is significant in environments where `unfiltered_html` is disabled (such as WordPress Multi-site for non-Super Admins), as it allows users to bypass intended security restrictions on executing JavaScript.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `customize_save` (Standard WordPress Customizer save action)\n*   **Vulnerable Parameter:** `customized` (A JSON-encoded string containing the setting ID and its malicious value)\n*   **Setting IDs (Inferred from `includes\u002Foptions.php` and `.pot` file):**\n    *   `ocean_product_sharing_borders_color`\n    *   `ocean_product_sharing_bg_color`\n    *   `ocean_product_sharing_icons_color`\n*   **Authentication:** Authenticated (Shop Manager or higher). Note that Shop Managers must have the `edit_theme_options` capability or the plugin must explicitly grant them access to its Customizer section.\n*   **Preconditions:** The **OceanWP** theme must be active, as the plugin hooks into OceanWP-specific filters (`ocean_customize_options_data`, `ocean_head_css`).\n\n## 3. Code Flow\n1.  **Entry Point:** An authenticated user accesses the WordPress Customizer.\n2.  **Registration:** `Ocean_Product_Sharing::register_customize_options` (in `ocean-product-sharing.php`) calls `ops_customizer_options()` (in `includes\u002Foptions.php`) to register settings like `ocean_product_sharing_icons_color`.\n3.  **Storage:** When the user saves settings, a POST request is sent to `admin-ajax.php` with `action=customize_save`. WordPress core saves the values into the `wp_options` table.\n4.  **Retrieval & Sink:**\n    *   On the frontend, `Ocean_Product_Sharing::ops_setup` registers the filter `add_filter('ocean_head_css', array( $this, 'ops_head_css' ));`.\n    *   The `ops_head_css` function (likely in `includes\u002Fhelpers.php`) retrieves the stored options using `get_theme_mod()` or `get_option()`.\n    *   The values are concatenated into a CSS string and returned to the theme, which outputs them inside a `\u003Cstyle>` tag in the `\u003Chead>` of the page.\n    *   If a color value like `*\u002F\u003C\u002Fstyle>\u003Cscript>alert(1)\u003C\u002Fscript>\u003Cstyle>\u002F*` is used, it breaks out of the CSS context and executes the script.\n\n## 4. Nonce Acquisition Strategy\nThe WordPress Customizer requires a specific nonce for the `customize_save` action. This nonce is unique to the user's session.\n\n1.  **Preparation:** Ensure the agent is logged in as a user with Shop Manager or Admin privileges.\n2.  **Navigation:** Use `browser_navigate` to go to the Customizer page: `\u002Fwp-admin\u002Fcustomize.php`.\n3.  **Extraction:** Use `browser_eval` to extract the `nonce` and `customize_url` from the `_wpCustomizeSettings` object globally available in the Customizer's JavaScript context.\n    *   **JavaScript:** `window._wpCustomizeSettings?.nonce?.save`\n4.  **Identification:** The `customize_save` action also requires a `customized` parameter containing the changes.\n\n## 5. Exploitation Strategy\n1.  **Construct Payload:** The payload must break out of a CSS declaration. \n    *   Example: `green; } \u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003Cstyle> .dummy { color: blue`\n2.  **Request Construction:** Use the `http_request` tool to send the following POST request:\n    *   **URL:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body Parameters:**\n        *   `action`: `customize_save`\n        *   `wp_customize`: `on`\n        *   `nonce`: `[EXTRACTED_NONCE]`\n        *   `customized`: `{\"ocean_product_sharing_icons_color\":\"green;}\u003C\u002Fstyle>\u003Cscript>alert(1)\u003C\u002Fscript>\u003Cstyle>\u002F*\"}`\n3.  **Triggering:** Navigate to any single product page (WooCommerce) or download item (EDD) where the sharing buttons are rendered.\n\n## 6. Test Data Setup\n1.  **Theme:** Install and activate the **OceanWP** theme.\n2.  **Dependencies:** Install and activate **WooCommerce**.\n3.  **Product:** Create at least one public product:\n    *   `wp post create --post_type=product --post_title=\"Security Test Product\" --post_status=publish`\n4.  **Plugin Config:** Ensure the \"Product Sharing\" feature is enabled in the Customizer settings.\n5.  **User:** Create a Shop Manager user if testing role-based access:\n    *   `wp user create shopmanager shopmanager@example.com --role=shop_manager --user_pass=password`\n\n## 7. Expected Results\n*   The `admin-ajax.php` request should return a `200 OK` with a JSON response indicating `{\"success\":true}`.\n*   Upon visiting the \"Security Test Product\" page, the HTML source code within the `\u003Chead>` section should contain the injected `\u003Cscript>` tag.\n*   The browser should execute the JavaScript payload.\n\n## 8. Verification Steps\n1.  **DB Check:** Use WP-CLI to verify the option is stored:\n    *   `wp option get theme_mods_oceanwp` (Look for the `ocean_product_sharing_icons_color` key).\n2.  **Response Check:** Use `http_request` (GET) to fetch the product page and grep for the payload:\n    *   `grep -a10 \"ocean-product-sharing\" product_page_source.html`\n\n## 9. Alternative Approaches\n*   **Other Settings:** If `ocean_product_sharing_icons_color` is sanitized, attempt exploitation via `ocean_product_sharing_bg_color` or `ocean_product_sharing_borders_color`.\n*   **Direct Option Update:** If the Customizer UI is restricted, check if the plugin exposes an AJAX handler for its \"Theme Panel\" (referenced in `ocean-product-sharing.php` as `oe_theme_panels`) which might allow updating options with lower capability requirements.","The Ocean Product Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 2.2.2. This occurs due to insufficient input sanitization and output escaping of settings managed through the WordPress Customizer and product metadata, allowing authenticated attackers with Shop Manager privileges or higher to inject arbitrary web scripts into pages.","\u002F\u002F ocean-product-sharing.php line 261\n\tpublic function register_customize_options($options) {\n\n\t\tif ( OCEAN_EXTRA_ACTIVE\n\t\t\t&& class_exists( 'Ocean_Extra_Theme_Panel' ) ) {\n\n\t\t\tif ( empty( Ocean_Extra_Theme_Panel::get_setting( 'ocean_product_sharing_panel' ) ) ) {\n\t\t\t\treturn $options;\n\t\t\t}\n\n\t\t}\n\n\t\tinclude_once $this->plugin_path . '\u002Fincludes\u002Foptions.php';\n\n\t\t$options['ocean_product_sharing_settings'] = ops_customizer_options();\n\n\t\treturn $options;\n\t}\n\n---\n\n\u002F\u002F template\u002Fproduct-share.php line 21\n$product_title = get_the_title();\n$product_url   = get_permalink();\n$product_img   = wp_get_attachment_url( get_post_thumbnail_id() ); ?>\n\n\u003Cdiv class=\"oew-product-share clr\">\n\n\t\u003Cul class=\"ocean-social-share clr\" aria-label=\"\u003C?php echo esc_attr__( 'Share this product on social media', 'ocean-product-sharing' ); ?>\">\n\n\u002F\u002F ... lines 39, 77, and 100 contain variations of:\n\u002F\u002F echo html_entity_decode( wp_strip_all_tags( $product_title ) );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Focean-product-sharing\u002F2.2.2\u002Ftemplate\u002Fproduct-share.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Focean-product-sharing\u002F2.2.3\u002Ftemplate\u002Fproduct-share.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Focean-product-sharing\u002F2.2.2\u002Ftemplate\u002Fproduct-share.php\t2023-12-11 11:02:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Focean-product-sharing\u002F2.2.3\u002Ftemplate\u002Fproduct-share.php\t2026-06-15 10:26:18.000000000 +0000\n@@ -19,9 +19,43 @@\n }\n \n \u002F\u002F Vars\n-$product_title = get_the_title();\n+$product_title = wp_strip_all_tags( get_the_title() );\n $product_url   = get_permalink();\n-$product_img   = wp_get_attachment_url( get_post_thumbnail_id() ); ?>\n+$product_img   = wp_get_attachment_url( get_post_thumbnail_id() );\n+\n+$twitter_url = add_query_arg(\n+\tarray(\n+\t\t'text' => $product_title,\n+\t\t'url'  => $product_url,\n+\t),\n+\t'https:\u002F\u002Ftwitter.com\u002Fintent\u002Ftweet'\n+);\n+\n+$facebook_url = add_query_arg(\n+\tarray(\n+\t\t'u' => $product_url,\n+\t),\n+\t'https:\u002F\u002Fwww.facebook.com\u002Fsharer.php'\n+);\n+\n+$pinterest_url = add_query_arg(\n+\tarray(\n+\t\t'url'         => $product_url,\n+\t\t'media'       => $product_img,\n+\t\t'description' => $product_title,\n+\t),\n+\t'https:\u002F\u002Fwww.pinterest.com\u002Fpin\u002Fcreate\u002Fbutton\u002F'\n+);\n+\n+$email_url = add_query_arg(\n+\tarray(\n+\t\t'subject' => $product_title,\n+\t\t'body'    => $product_url,\n+\t),\n+\t'mailto:'\n+);\n+\n+?>\n \n \u003Cdiv class=\"oew-product-share clr\">\n \n@@ -36,7 +70,7 @@\n \t\t\t\t?>\n \n \t\t\t\t\u003Cli class=\"twitter\">\n-\t\t\t\t\t\u003Ca aria-label=\"\u003C?php esc_attr_e( 'Share this product on X', 'ocean-product-sharing' ); ?>\" class=\"twitter-share-button\" href=\"https:\u002F\u002Ftwitter.com\u002Fintent\u002Ftweet?text=\u003C?php echo html_entity_decode( wp_strip_all_tags( $product_title ) ); ?>+\u003C?php echo esc_url( $product_url ); ?>\" onclick=\"ops_onClick( this.href );return false;\">\n+\t\t\t\t\t\u003Ca aria-label=\"\u003C?php esc_attr_e( 'Share this product on X', 'ocean-product-sharing' ); ?>\" class=\"twitter-share-button\" href=\"\u003C?php echo esc_url( $twitter_url ); ?>\" onclick=\"ops_onClick( this.href );return false;\">\n \t\t\t\t\t\t\u003Cspan class=\"screen-reader-text\">\u003C?php echo esc_attr__( 'Opens in a new window', 'ocean-product-sharing' ); ?>\u003C\u002Fspan>\n \t\t\t\t\t\t\u003Cspan class=\"ops-icon-wrap\">\n \t\t\t\t\t\t\t\u003Csvg class=\"ops-icon\" role=\"img\" viewBox=\"0 0 512 512\" xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" aria-hidden=\"true\" focusable=\"false\">\n@@ -54,7 +88,7 @@\n \t\t\t\t?>\n \n \t\t\t\t\u003Cli class=\"facebook\">\n-\t\t\t\t\t\u003Ca href=\"https:\u002F\u002Fwww.facebook.com\u002Fsharer.php?u=\u003C?php echo rawurlencode( esc_url( $product_url ) ); ?>\" target=\"_blank\" aria-label=\"\u003C?php esc_attr_e( 'Share on Facebook', 'ocean-product-sharing' ); ?>\" onclick=\"ops_onClick( this.href );return false;\">\n+\t\t\t\t\t\u003Ca href=\"\u003C?php echo esc_url( $facebook_url ); ?>\" target=\"_blank\" aria-label=\"\u003C?php esc_attr_e( 'Share on Facebook', 'ocean-product-sharing' ); ?>\" onclick=\"ops_onClick( this.href );return false;\">\n \t\t\t\t\t\t\u003Cspan class=\"screen-reader-text\">\u003C?php echo esc_attr__( 'Opens in a new window', 'ocean-product-sharing' ); ?>\u003C\u002Fspan>\n \t\t\t\t\t\t\u003Cspan class=\"ops-icon-wrap\">\n \t\t\t\t\t\t\t\u003Csvg class=\"ops-icon\" role=\"img\" viewBox=\"0 0 512 512\" xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" aria-hidden=\"true\" focusable=\"false\">\n@@ -74,7 +108,7 @@\n \t\t\t\t?>\n \n \t\t\t\t\u003Cli class=\"pinterest\">\n-\t\t\t\t\t\u003Ca href=\"https:\u002F\u002Fwww.pinterest.com\u002Fpin\u002Fcreate\u002Fbutton\u002F?url=\u003C?php echo rawurlencode( esc_url( $product_url ) ); ?>&amp;media=\u003C?php echo wp_get_attachment_url( get_post_thumbnail_id() ); ?>&amp;description=\u003C?php echo rawurlencode( wp_strip_all_tags( $product_title ) ); ?>\" target=\"_blank\" aria-label=\"\u003C?php esc_attr_e( 'Share on Pinterest', 'ocean-product-sharing' ); ?>\" onclick=\"ops_onClick( this.href );return false;\">\n+\t\t\t\t\t\u003Ca href=\"\u003C?php echo esc_url( $pinterest_url ); ?>\" target=\"_blank\" aria-label=\"\u003C?php esc_attr_e( 'Share on Pinterest', 'ocean-product-sharing' ); ?>\" onclick=\"ops_onClick( this.href );return false;\">\n \t\t\t\t\t\t\u003Cspan class=\"screen-reader-text\">\u003C?php echo esc_attr__( 'Opens in a new window', 'ocean-product-sharing' ); ?>\u003C\u002Fspan>\n \t\t\t\t\t\t\u003Cspan class=\"ops-icon-wrap\">\n \t\t\t\t\t\t\t\u003Csvg class=\"ops-icon\" role=\"img\" viewBox=\"0 0 496 512\" xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" aria-hidden=\"true\" focusable=\"false\">\n@@ -97,7 +131,7 @@\n \t\t\t\t?>\n \n \t\t\t\t\u003Cli class=\"email\">\n-\t\t\t\t\t\u003Ca href=\"mailto:?subject=\u003C?php echo html_entity_decode( wp_strip_all_tags( $product_title ) ); ?>&amp;body=\u003C?php echo esc_url( $product_url ); ?>\" target=\"_blank\" aria-label=\"\u003C?php esc_attr_e( 'Share via email', 'ocean-product-sharing' ); ?>\" onclick=\"ops_onClick( this.href );return false;\">\n+\t\t\t\t\t\u003Ca href=\"\u003C?php echo esc_url( $email_url, array( 'mailto' ) ); ?>\" target=\"_blank\" aria-label=\"\u003C?php esc_attr_e( 'Share via email', 'ocean-product-sharing' ); ?>\" onclick=\"ops_onClick( this.href );return false;\">\n \t\t\t\t\t\t\u003Cspan class=\"screen-reader-text\">\u003C?php echo esc_attr__( 'Opens in a new window', 'ocean-product-sharing' ); ?>\u003C\u002Fspan>\n \t\t\t\t\t\t\u003Cspan class=\"ops-icon-wrap\">\n \t\t\t\t\t\t\t\u003Csvg class=\"ops-icon\" role=\"img\" viewBox=\"0 0 512 512\" xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" aria-hidden=\"true\" focusable=\"false\">","To exploit this vulnerability, an attacker must have Shop Manager or higher privileges. The primary attack vector involves the WordPress Customizer, where an attacker can submit a payload through the 'customize_save' AJAX action. By injecting a payload like `*\u002F\u003C\u002Fstyle>\u003Cscript>alert(1)\u003C\u002Fscript>\u003Cstyle>\u002F*` into styling settings (such as `ocean_product_sharing_icons_color`), the attacker can break out of the CSS block generated by the `ocean_head_css` filter in the document head. Alternatively, malicious scripts can be injected into product titles, which are rendered unescaped in the social sharing links on the front-end product pages. The vulnerability is especially effective in multi-site environments or where `unfiltered_html` is disabled.","gemini-3-flash-preview","2026-06-25 21:29:50","2026-06-25 21:31:06",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","2.2.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Focean-product-sharing\u002Ftags\u002F2.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Focean-product-sharing.2.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Focean-product-sharing\u002Ftags\u002F2.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Focean-product-sharing.2.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Focean-product-sharing\u002Ftags"]