[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcZF6knykdvg48dDEEaMYAUGKwGK4aUam8aR75jA_HTU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":20,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"source_links":39},"CVE-2026-5226","optimole-reflected-cross-site-scripting-via-page-profiler-url","Optimole \u003C= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL","The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3. This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","optimole-wp",null,"\u003C=4.2.3","4.2.4","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-10 11:39:59","2026-04-13 12:04:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F112cea93-fa4b-4692-8c8b-e74255f61939?source=api-prod",3,[22,23,24,25,26,27,28],"inc\u002Fmanager.php","optimole-wp.php","readme.txt","vendor\u002Fcodeinwp\u002Fthemeisle-sdk\u002Fload.php","vendor\u002Fcodeinwp\u002Fthemeisle-sdk\u002Fsrc\u002FLoader.php","vendor\u002Fcodeinwp\u002Fthemeisle-sdk\u002Fsrc\u002FModules\u002FAbout_us.php","vendor\u002Fcodeinwp\u002Fthemeisle-sdk\u002Fsrc\u002FModules\u002FAnnouncements.php","researched",false,"# Exploitation Research Plan: CVE-2026-5226 - Optimole Reflected XSS\n\n## 1. Vulnerability Summary\nThe **Optimole** plugin for WordPress (versions \u003C= 4.2.3) contains a reflected cross-site scripting (XSS) vulnerability. The vulnerability resides in the **Page Profiler** feature. Specifically, the plugin's `get_current_url()` function (likely within the `OptimoleWP\\PageProfiler\\Profile` class) retrieves the current request's URL path without sufficient sanitization. This unsanitized URL is then injected into a JavaScript block using a simple `str_replace()` call within the `replace_content()` function, rather than using proper JavaScript context escaping (like `esc_js()` or `wp_json_encode()`).\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** Any frontend WordPress page.\n*   **Trigger:** Appending the Page Profiler trigger parameter (likely `?optml_profile=1`) to the URL.\n*   **Vulnerable Parameter:** The URL path itself (Reflected via `$_SERVER['REQUEST_URI']`).\n*   **Authentication:** None (Unauthenticated). The vulnerability is reachable by any visitor who can trigger the Page Profiler output.\n*   **Preconditions:** The plugin must be active. The Page Profiler feature must be reachable (usually via query parameter).\n\n## 3. Code Flow\n1.  **Initialization:** `Optml_Manager::instance()` (in `inc\u002Fmanager.php`) instantiates the `OptimoleWP\\PageProfiler\\Profile` class:\n    ```php\n    self::$instance->page_profiler = new Profile();\n    ```\n2.  **Hook Registration:** The `Profile` class (likely in `inc\u002Fpage-profiler\u002Fprofile.php`, though file not provided) registers hooks to output the Page Profiler script (e.g., `wp_footer` or `wp_enqueue_scripts`).\n3.  **URL Retrieval:** When the profiler is triggered (e.g., via `?optml_profile=1`), the plugin calls `get_current_url()` to identify the page being profiled. This function typically returns `$_SERVER['REQUEST_URI']`.\n4.  **Insecure Injection:** The `replace_content()` function contains a template JavaScript string with a placeholder. It uses `str_replace()` to swap the placeholder with the result of `get_current_url()`:\n    ```php\n    \u002F\u002F Inferred logic in replace_content()\n    $js_template = '\u003Cscript>var optml_data = {\"url\":\"{{URL_PLACEHOLDER}}\"};\u003C\u002Fscript>';\n    $current_url = $this->get_current_url(); \u002F\u002F Unescaped \u002Fpath\u002F\";alert(1);\u002F\u002F\n    echo str_replace('{{URL_PLACEHOLDER}}', $current_url, $js_template);\n    ```\n5.  **Execution:** The browser renders the page, encounters the broken JavaScript string, and executes the injected script.\n\n## 4. 
Nonce Acquisition Strategy\nThis is a **Reflected XSS** vulnerability via a GET request. Based on the vulnerability description and type:\n*   **No Nonce Required:** The vulnerability triggers during the rendering of the page itself. Nonces are typically required for state-changing actions (POST\u002FAJAX), but here the \"action\" is simply visiting a crafted URL.\n\n## 5. Exploitation Strategy\nWe will use the `http_request` tool to perform a GET request to the WordPress site with a malicious URL path designed to break out of a JavaScript string.\n\n### Step-by-Step Plan:\n1.  **Construct Malicious URL:**\n    The payload needs to break out of a JSON-like object or variable assignment.\n    *   **Context:** `{\"url\":\"\u002Findex.php\u002F[PAYLOAD]\"}`\n    *   **Payload:** `\";alert(document.domain);var+dummy=\"`\n    *   **Full Path:** `\u002Findex.php\u002F\";alert(document.domain);var+dummy=\"\u002F?optml_profile=1`\n\n2.  **Send Request:**\n    Use `http_request` to visit the URL. We must ensure the path is sent exactly as intended.\n    ```javascript\n    \u002F\u002F Target URL construction\n    const targetUrl = \"http:\u002F\u002Flocalhost:8080\u002Findex.php\u002F\\\";alert(document.domain);var+dummy=\\\"\u002F?optml_profile=1\";\n    ```\n\n3.  **Analyze Response:**\n    Inspect the HTML source for the Page Profiler script block. Search for the string `optml` and verify if the `alert` payload exists unescaped within a `\u003Cscript>` tag.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure Optimole version 4.2.3 is installed and active.\n2.  **Permalinks:** While not strictly required, having \"Plain\" permalinks (`\u002Findex.php\u002Fpath`) or \"Post name\" permalinks helps in manipulating the path.\n3.  **Profiler Activation:** No specific backend settings are required if the `optml_profile=1` parameter is sufficient to trigger the code path.\n\n## 7. 
Expected Results\nA successful exploit will return an HTML response containing a script block similar to:\n```html\n\u003Cscript type=\"text\u002Fjavascript\">\n    \u002F\u002F ... other code ...\n    var some_optimole_var = {\"url\":\"\u002Findex.php\u002F\";alert(document.domain);var dummy=\"\u002F?optml_profile=1\"};\n    \u002F\u002F ...\n\u003C\u002Fscript>\n```\nThe browser (if it were a real user) would execute `alert(document.domain)`.\n\n## 8. Verification Steps\n1.  **Search for Sink:** In the response body from `http_request`, look for the `\u003Cscript>` tag containing the Page Profiler data.\n2.  **Check Escaping:** Confirm that the double quotes (`\"`) and semicolons (`;`) from the URL path are present verbatim in the response, proving that no JavaScript-context escaping was applied.\n3.  **Regex Match:**\n    ```bash\n    grep -P \"var.*optml.*\\\";alert\\(document\\.domain\\)\"\n    ```\n\n## 9. Alternative Approaches\nIf `?optml_profile=1` does not trigger the output:\n1.  **Check Authenticated State:** Try triggering the profiler while logged in as an administrator (using `browser_navigate` and the agent's session). If it only triggers for admins, it is still a \"Medium\" severity Reflected XSS (Admin XSS).\n2.  **Vary URL Position:** If the path injection is blocked by the web server (404\u002F403), try injecting the payload into a query parameter if `get_current_url()` captures the full URL including query strings:\n    *   URL: `http:\u002F\u002Flocalhost:8080\u002F?optml_profile=1&dummy=\";alert(1)\u002F\u002F`\n3.  **Check for different localization keys:** Look for other JS variables like `optimole_profiler_data` or `optmlProfiler` in the source of `inc\u002Fmanager.php` or `inc\u002Fpage-profiler\u002Fprofile.php` if accessible.","The Optimole plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the Page Profiler feature in versions up to 4.2.3. 
Unauthenticated attackers can inject arbitrary scripts into the page by crafting a malicious URL path that breaks out of a JavaScript variable assignment within the plugin's profiler script block.","\u002F\u002F inc\u002Fmanager.php (lines 456-462 in version 4.2.3)\n$hmac = wp_hash( $profile_id . $time . $this->get_current_url(), 'nonce' );\n$js_optimizer = str_replace(\n    [ Profile::PLACEHOLDER, Profile::PLACEHOLDER_MISSING, Profile::PLACEHOLDER_TIME, Profile::PLACEHOLDER_HMAC, Profile::PLACEHOLDER_URL ],\n    [ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, $this->get_current_url() ],\n    $js_optimizer\n);","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Foptimole-wp\u002F4.2.3\u002Finc\u002Fmanager.php\t2026-03-25 10:54:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Foptimole-wp\u002F4.2.4\u002Finc\u002Fmanager.php\t2026-04-03 08:34:00.000000000 +0000\n@@ -453,10 +453,11 @@\n \t\t\t\tif ( ! $this->page_profiler->exists_all( $profile_id ) ) {\n \t\t\t\t\t$missing = $this->page_profiler->missing_devices( $profile_id );\n \t\t\t\t\t$time = time();\n-\t\t\t\t\t$hmac = wp_hash( $profile_id . $time . $this->get_current_url(), 'nonce' );\n+\t\t\t\t\t$url  = esc_url( esc_js( $this->get_current_url() ) );\n+\t\t\t\t\t$hmac = wp_hash( $profile_id . $time . $url, 'nonce' );\n \t\t\t\t\t$js_optimizer = str_replace(\n \t\t\t\t\t\t[ Profile::PLACEHOLDER, Profile::PLACEHOLDER_MISSING, Profile::PLACEHOLDER_TIME, Profile::PLACEHOLDER_HMAC, Profile::PLACEHOLDER_URL ],\n-\t\t\t\t\t\t[ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, $this->get_current_url() ],\n+\t\t\t\t\t\t[ $profile_id, implode( ',', $missing ), strval( $time ), $hmac, $url ],\n \t\t\t\t\t\t$js_optimizer\n \t\t\t\t\t);\n \t\t\t\t\t$html = str_replace( Optml_Admin::get_optimizer_script( true ), $js_optimizer, $html );","The exploit targets the Page Profiler feature of the Optimole plugin. 
\n\n1. Target Endpoint: Any public-facing page on the WordPress site.\n2. Methodology: An attacker crafts a URL where the path contains a JavaScript breakout payload. Since the plugin uses the current URL (retrieved via `$_SERVER['REQUEST_URI']`) and reflects it inside a `\u003Cscript>` tag using `str_replace` without proper escaping, the payload can terminate the existing string and execute arbitrary code.\n3. Payload Shape: `\u002Findex.php\u002F\";alert(document.domain);var+dummy=\"\u002F?optml_profile=1` \n4. Authentication: No authentication is required (Unauthenticated Reflected XSS). The attacker simply needs to trick a logged-in user or an administrator into clicking the crafted link, or target any visitor to execute the script in their browser session.","gemini-3-flash-preview","2026-04-16 16:12:13","2026-04-16 16:12:56",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","4.2.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Foptimole-wp\u002Ftags\u002F4.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Foptimole-wp.4.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Foptimole-wp\u002Ftags\u002F4.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Foptimole-wp.4.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Foptimole-wp\u002Ftags"]