[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fg5ZkToQytEyAGzMgS7skRCSoZa79hB2SCToU1EUn3V4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-11358","orbit-fox-duplicate-page-menu-icons-svg-support-cookie-notice-custom-fonts-more-authenticated-administrator-stored-cross","Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More \u003C= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter","The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","themeisle-companion",null,"\u003C=3.0.6","3.0.7","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-17 16:48:45","2026-06-18 05:34:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbeb1268c-b680-4ebe-8fe2-65f656390038?source=api-prod",1,[22,23,24,25,26,27,28,29],"CHANGELOG.md","core\u002Fincludes\u002Fclass-orbit-fox.php","languages\u002Fthemeisle-companion.pot","obfx_modules\u002Fmenu-icons\u002Finc\u002Fclass-menu-icons-obfx-walker.php","obfx_modules\u002Fmenu-icons\u002Finit.php","readme.md","readme.txt","themeisle-companion.php","researched",false,3,"This research plan outlines the steps required to demonstrate the Stored Cross-Site Scripting (XSS) vulnerability in the **Orbit Fox Companion** plugin (CVE-2026-11358).\n\n## 1. Vulnerability Summary\nThe Orbit Fox plugin is vulnerable to Stored XSS via the `menu-item-icon` parameter. The plugin provides a \"Menu Icons\" module that allows users to attach icons to navigation menu items. When a menu item is saved, the icon identifier is stored in the post meta. When the WordPress Navigation Menu editor (`wp-admin\u002Fnav-menus.php`) is loaded, the plugin uses a custom Walker class (`Menu_Icons_OBFX_Walker`) to render the menu item settings. This Walker fails to sanitize or escape the stored icon value before outputting it into a hidden HTML input field, allowing an attacker with menu-editing permissions (typically Administrator) to inject arbitrary scripts.\n\n## 2. Attack Vector Analysis\n- **Target Endpoint:** `wp-admin\u002Fnav-menus.php`\n- **Vulnerable Parameter:** `menu-item-icon[\u003CMENU_ITEM_ID>]`\n- **Authentication Level:** Authenticated Administrator (or any user with `edit_theme_options` capability).\n- **Preconditions:** \n    1. The \"Menu Icons\" module must be active (active by default upon installation).\n    2. The environment must have `unfiltered_html` disabled (standard for Multisite Administrators or if `DISALLOW_UNFILTERED_HTML` is true).\n\n## 3. Code Flow\n1. **Input (Storage):** When a user saves a menu, WordPress triggers the `wp_update_nav_menu_item` hook. The plugin's `Menu_Icons_OBFX_Module::save_fields` (in `obfx_modules\u002Fmenu-icons\u002Finit.php`) retrieves the icon value from `$_POST['menu-item-icon'][$menu_item_db_id]` and saves it to the database using `update_post_meta($menu_item_db_id, 'obfx_menu_icon', $icon)`.\n2. **Retrieval:** When the Nav Menu editor is loaded, `Menu_Icons_OBFX_Module::show_menu` is called via the `wp_setup_nav_menu_item` filter. It retrieves the meta: `$icon = get_post_meta( $menu->ID, 'obfx_menu_icon', true );` and assigns it to `$menu->icon`.\n3. **Sink (Execution):** The plugin registers `Menu_Icons_OBFX_Walker` for the menu editor. In `obfx_modules\u002Fmenu-icons\u002Finc\u002Fclass-menu-icons-obfx-walker.php`, the `start_el` method renders the field:\n   ```php\n   $icon    = isset( $item->icon ) ? $item->icon : '';\n   $output .= sprintf( '\u003Cinput type=\"hidden\" name=\"menu-item-icon[%d]\" id=\"menu-item-icon-%d\" value=\"%s\">', $item->ID, $item->ID, $icon );\n   ```\n   The `$icon` variable is injected into the `value` attribute using `%s` without any escaping (like `esc_attr()`), allowing an attacker to break out of the attribute and inject tags.\n\n## 4. Nonce Acquisition Strategy\nTo update the menu, a valid WordPress nonce for the `update-nav_menu` action is required.\n1. **Identify the Source:** The nonce is generated by WordPress on the `wp-admin\u002Fnav-menus.php` page inside a hidden input field with the ID `update-nav-menu-nonce`.\n2. **Extraction:**\n   - Use `browser_navigate` to go to `wp-admin\u002Fnav-menus.php`.\n   - Use `browser_eval` to extract the nonce and the ID of an existing menu item:\n     ```javascript\n     {\n       nonce: document.querySelector('#update-nav-menu-nonce')?.value,\n       menuId: document.querySelector('#nav-menu-meta-object-id')?.value,\n       \u002F\u002F Get the ID of the first menu item in the list\n       firstMenuItemId: document.querySelector('.menu-item-settings')?.id?.split('-')?.pop()\n     }\n     ```\n\n## 5. Exploitation Strategy\n1. **Setup:** Ensure at least one menu and one menu item exist.\n2. **Payload:** `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n3. **Trigger Request:** Send a POST request to `wp-admin\u002Fnav-menus.php` to save the menu item with the malicious icon value.\n   - **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fnav-menus.php`\n   - **Method:** `POST`\n   - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body Parameters:**\n     - `action`: `update`\n     - `nav-menu-data`: (Standard menu structure string, can be captured from a legitimate save or left minimal)\n     - `update-nav-menu-nonce`: `\u003CEXTRACTED_NONCE>`\n     - `menu`: `\u003CMENU_ID>`\n     - `menu-item-icon[\u003CITEM_ID>]`: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n4. **Execution:** After the request completes, navigate back to `wp-admin\u002Fnav-menus.php`. The script will execute when the Walker renders the hidden input for that specific menu item.\n\n## 6. Test Data Setup\n1. Create an administrator user.\n2. Activate the `themeisle-companion` plugin.\n3. Use `wp-cli` to ensure a menu exists:\n   ```bash\n   wp menu create \"Test Menu\"\n   wp menu item add-custom \"Test Menu\" \"Home\" \"http:\u002F\u002Flocalhost\u002F\"\n   ```\n4. Verify the \"Menu Icons\" module is active in Orbit Fox settings (it is `active_default = true` in `init.php`).\n\n## 7. Expected Results\n- The POST request should return a `302 Redirect` back to `nav-menus.php`.\n- Upon viewing `nav-menus.php`, the HTML source for the specific menu item will contain:\n  `\u003Cinput type=\"hidden\" name=\"menu-item-icon[ID]\" ... value=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">`\n- An alert box showing the domain will appear in the browser.\n\n## 8. Verification Steps\nAfter performing the exploit via `http_request`, verify the payload is stored in the database:\n```bash\n# Replace \u003CITEM_ID> with the actual ID used\nwp post meta get \u003CITEM_ID> obfx_menu_icon\n```\nConfirm the output exactly matches the payload: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n\n## 9. Alternative Approaches\nIf the `nav-menus.php` POST structure is too complex, the payload can also be injected via the `wp_ajax_obfx_update_module_options` AJAX action if the specific module exposes the icon settings there. However, the `nav-menus.php` vector is the most direct path as it leverages the primary functionality of the Menu Icons module.","The Orbit Fox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'menu-item-icon' parameter in the Menu Icons module. This occurs because the plugin fails to sanitize or escape the icon identifier when rendering the navigation menu editor, allowing authenticated administrators to inject arbitrary scripts that execute when a user views the menu settings page.","\u002F\u002F obfx_modules\u002Fmenu-icons\u002Finc\u002Fclass-menu-icons-obfx-walker.php line 22\npublic function start_el( &$output, $item, $depth = 0, $args = array(), $id = 0 ) {\n\tparent::start_el( $output, $item, $depth, $args, $id );\n\t$icon    = isset( $item->icon ) ? $item->icon : '';\n\t$output .= sprintf( '\u003Cinput type=\"hidden\" name=\"menu-item-icon[%d]\" id=\"menu-item-icon-%d\" value=\"%s\">', $item->ID, $item->ID, $icon );\n}\n\n---\n\n\u002F\u002F obfx_modules\u002Fmenu-icons\u002Finit.php line 107\npublic function show_menu( $menu ) {\n\t$icon = get_post_meta( $menu->ID, 'obfx_menu_icon', true );\n\tif ( ! empty( $icon ) ) {\n\t\t$menu->icon = $icon;\n\t\tif ( ! is_admin() ) {\n\t\t\t\u002F\u002F ...\n\t\t\t$menu->title = sprintf( '\u003Ci class=\"obfx-menu-icon %s %s\">\u003C\u002Fi>%s', $prefix, $icon, $menu->title );\n\t\t}\n\t}\n\treturn $menu;\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemeisle-companion\u002F3.0.6\u002Fobfx_modules\u002Fmenu-icons\u002Finc\u002Fclass-menu-icons-obfx-walker.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemeisle-companion\u002F3.0.7\u002Fobfx_modules\u002Fmenu-icons\u002Finc\u002Fclass-menu-icons-obfx-walker.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemeisle-companion\u002F3.0.6\u002Fobfx_modules\u002Fmenu-icons\u002Finc\u002Fclass-menu-icons-obfx-walker.php\t2020-02-03 12:45:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemeisle-companion\u002F3.0.7\u002Fobfx_modules\u002Fmenu-icons\u002Finc\u002Fclass-menu-icons-obfx-walker.php\t2026-06-16 09:54:24.000000000 +0000\n@@ -22,6 +22,6 @@\n \tpublic function start_el( &$output, $item, $depth = 0, $args = array(), $id = 0 ) {\n \t\tparent::start_el( $output, $item, $depth, $args, $id );\n \t\t$icon    = isset( $item->icon ) ? $item->icon : '';\n-\t\t$output .= sprintf( '\u003Cinput type=\"hidden\" name=\"menu-item-icon[%d]\" id=\"menu-item-icon-%d\" value=\"%s\">', $item->ID, $item->ID, $icon );\n+\t\t$output .= sprintf( '\u003Cinput type=\"hidden\" name=\"menu-item-icon[%d]\" id=\"menu-item-icon-%d\" value=\"%s\">', $item->ID, $item->ID, esc_attr( $icon ) );\n \t}\n }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemeisle-companion\u002F3.0.6\u002Fobfx_modules\u002Fmenu-icons\u002Finit.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemeisle-companion\u002F3.0.7\u002Fobfx_modules\u002Fmenu-icons\u002Finit.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemeisle-companion\u002F3.0.6\u002Fobfx_modules\u002Fmenu-icons\u002Finit.php\t2025-08-14 08:53:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemeisle-companion\u002F3.0.7\u002Fobfx_modules\u002Fmenu-icons\u002Finit.php\t2026-06-16 09:54:24.000000000 +0000\n@@ -115,7 +115,7 @@\n \t\t\t\t$array       = explode( '-', $icon );\n \t\t\t\t$prefix      = reset( $array );\n \t\t\t\t$prefix      = apply_filters( 'obfx_menu_icons_icon_class', $prefix, $icon );\n-\t\t\t\t$menu->title = sprintf( '\u003Ci class=\"obfx-menu-icon %s %s\">\u003C\u002Fi>%s', $prefix, $icon, $menu->title );\n+\t\t\t\t$menu->title = sprintf( '\u003Ci class=\"obfx-menu-icon %s %s\">\u003C\u002Fi>%s', esc_attr( $prefix ), esc_attr( $icon ), $menu->title );\n \t\t\t}\n \t\t}\n \t\treturn $menu;","The exploit targets the navigation menu editor in the WordPress admin panel. An authenticated attacker with at least Administrator privileges (or permissions to manage menus) can inject a payload into the 'menu-item-icon' field. To execute this, the attacker first navigates to wp-admin\u002Fnav-menus.php to retrieve a valid 'update-nav-menu-nonce'. They then submit a POST request to update a specific menu item, setting the 'menu-item-icon[ITEM_ID]' parameter to a payload designed to break out of an HTML attribute (e.g., \">\u003Cscript>alert(1)\u003C\u002Fscript>\"). The payload is stored in the database. When the menu editor is subsequently reloaded, the vulnerable custom Walker (Menu_Icons_OBFX_Walker) renders the raw payload into the 'value' attribute of a hidden input field, triggering the script execution.","gemini-3-flash-preview","2026-06-25 21:52:18","2026-06-25 21:53:19",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.0.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthemeisle-companion\u002Ftags\u002F3.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthemeisle-companion.3.0.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthemeisle-companion\u002Ftags\u002F3.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthemeisle-companion.3.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthemeisle-companion\u002Ftags"]