[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRu3_ExZKxxdp8iq9ssGb-aNeDNEED2K4YVjtB6q_eG8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-22352","persian-woocommerce-sms-reflected-cross-site-scripting-2","Persian Woocommerce SMS \u003C= 7.1.1 - Reflected Cross-Site Scripting","The Persian Woocommerce SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 7.1.1 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","persian-woocommerce-sms",null,"\u003C=7.1.1","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-11 00:00:00","2026-02-16 21:41:59",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F65f4de84-1472-489b-9247-0ceb53369d2b?source=api-prod",[],"researched",false,3,"This research plan focuses on identifying and exploiting a reflected Cross-Site Scripting (XSS) vulnerability in the **Persian WooCommerce SMS** plugin (version \u003C= 7.1.1). Since the source code is not provided, the plan includes discovery steps to pinpoint the exact unescaped output sink.\n\n### 1. Vulnerability Summary\nThe Persian WooCommerce SMS plugin fails to properly sanitize or escape user-controlled input before reflecting it back into the HTML response. This allows an unauthenticated attacker to craft a malicious URL that, when visited by a user (typically an administrator), executes arbitrary JavaScript in the context of that user's browser. The vulnerability likely exists in a parameter used for displaying status messages, tab navigation, or search results within the plugin's admin or public pages.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** Likely `wp-admin\u002Fadmin.php` (admin-side reflection) or a public-facing page (e.g., SMS tracking or subscription forms).\n*   **Parameter:** Common candidates for reflected XSS in this plugin type include `message`, `status`, `tab`, `s`, or custom parameters like `sms_id`.\n*   **Authentication:** Unauthenticated (to craft\u002Fsend the link), but requires a logged-in user (usually an Admin) to click the link for maximum impact (CVSS 6.1).\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow (Inferred)\n1.  The plugin registers an admin menu or a shortcode handler.\n2.  Inside the display logic, the code retrieves a value from the superglobals: `$val = $_GET['message']` or `$val = $_REQUEST['tab']`.\n3.  The code echoes this value directly into the HTML without calling `esc_html()`, `esc_attr()`, or `wp_kses()`.\n    *   *Example Sink:* `echo '\u003Cdiv class=\"updated\">\u003Cp>' . $_GET['message'] . '\u003C\u002Fp>\u003C\u002Fdiv>';`\n\n### 4. Discovery & Nonce Strategy\nReflected XSS typically occurs during the rendering phase and does not usually require a nonce to *trigger* the reflection, even if the page itself requires authentication. However, we must identify the correct parameter.\n\n#### Discovery Steps:\n1.  **Identify Admin Slugs:**\n    Use WP-CLI to find the plugin's admin pages:\n    `wp admin-menu list --format=csv | grep \"persian-woocommerce-sms\"`\n2.  
**Search for Sinks:**\n    Search the plugin directory for dangerous patterns:\n    *   `grep -rP \"echo\\s+\\\\\\$_GET\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fpersian-woocommerce-sms\u002F`\n    *   `grep -rP \"echo\\s+\\\\\\$_REQUEST\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fpersian-woocommerce-sms\u002F`\n    *   `grep -rn \"printf\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fpersian-woocommerce-sms\u002F | grep \"GET\"`\n\n#### Nonce Acquisition (If needed for a specific view):\nIf the reflection only occurs on a page that is strictly generated after a nonce check (unlikely for reflected XSS but possible):\n1.  Identify the shortcode: `grep -r \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fpersian-woocommerce-sms\u002F`\n2.  Create a page: `wp post create --post_type=page --post_status=publish --post_content='[PW_SMS_SHORTCODE]'`\n3.  Navigate to the page and check for localized data: `browser_eval(\"window.pwsms_obj?.nonce\")` (inferred variable name).\n\n### 5. Exploitation Strategy\nOnce the vulnerable parameter is identified (e.g., `message`), the exploit involves crafting a URL.\n\n**Target URL (Hypothetical):**\n`http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=persian-woocommerce-sms&message=\u003C\u002Fspan>\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n\n**Step-by-Step Plan:**\n1.  **Active Plugin:** Ensure the plugin is active.\n2.  **Login as Admin:** Use the `browser_login` tool to establish an admin session.\n3.  **Confirm Reflection:**\n    Use `http_request` to visit the target URL with a canary:\n    *   **Method:** GET\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=persian-woocommerce-sms-settings&message=CANA_RY_XSS` (Replace `persian-woocommerce-sms-settings` with the actual slug found in discovery).\n4.  
**Execute Payload:**\n    If the canary is reflected unescaped, send the XSS payload:\n    *   **Payload:** `\">\u003Cscript>alert(1)\u003C\u002Fscript>`\n    *   **Encoded URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=[SLUG]&message=%22%3E%3Cscript%3Ealert(1)%3C\u002Fscript%3E`\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `persian-woocommerce-sms` version 7.1.1 is installed and active.\n2.  **WooCommerce Requirement:** This plugin depends on WooCommerce. Ensure WooCommerce is installed and configured (at least basic setup).\n3.  **Admin User:** Ensure an admin user exists (default `admin` \u002F `password`).\n\n### 7. Expected Results\n*   The HTTP response body should contain the literal string `\">\u003Cscript>alert(1)\u003C\u002Fscript>` without HTML entity encoding (no `&quot;`, `&lt;`, or `&gt;`).\n*   If using `browser_navigate`, an alert box should trigger.\n\n### 8. Verification Steps\n1.  **Manual Verification:**\n    `curl -s \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=[SLUG]&message=test\" -b cookies.txt | grep \"test\"`\n2.  **Check for Sanitization:**\n    If the output is `&lt;script&gt;`, the version is patched or you are hitting a different code path.\n3.  **Confirm Lack of Escaping:**\n    Search the identified file\u002Fline found in Step 4 and confirm the absence of `esc_html()` or similar functions around the `echo` statement.\n\n### 9. Alternative Approaches\n*   **Admin Tab XSS:** If `message` is not vulnerable, check the `tab` parameter. 
Many plugins echo the current tab name into the page title or a hidden input field.\n*   **Bulk Actions:** Check for XSS in the `s` (search) parameter on the SMS logs page (if one exists).\n*   **Public Side:** If the plugin provides a \"Check SMS Status\" form, test the input fields there for reflection in the error\u002Fsuccess messages.","The Persian WooCommerce SMS plugin for WordPress (\u003C= 7.1.1) is vulnerable to Reflected Cross-Site Scripting due to insufficient sanitization and escaping of user-controlled input before it is echoed back into the page. The affected parameter and sink were inferred rather than confirmed against the plugin source: 'message' or 'tab', reflected in the admin dashboard, are the likely candidates. This allows unauthenticated attackers to execute arbitrary JavaScript in the context of an administrator's browser session by tricking them into clicking a malicious link.","\u002F\u002F Inferred from plugin admin display logic (e.g., in settings or logs pages)\n$message = $_GET['message'];\nif ( isset( $message ) ) {\n    echo '\u003Cdiv class=\"updated\">\u003Cp>' . $message . '\u003C\u002Fp>\u003C\u002Fdiv>';\n}\n\n---\n\n\u002F\u002F Alternative vulnerable sink often found in tab-based navigation\n$active_tab = isset( $_GET[ 'tab' ] ) ? $_GET[ 'tab' ] : 'general';\necho '\u003Cinput type=\"hidden\" name=\"tab\" value=\"' . $active_tab . '\">';","--- wp-content\u002Fplugins\u002Fpersian-woocommerce-sms\u002Fincludes\u002Fadmin\u002Fsettings.php\n+++ wp-content\u002Fplugins\u002Fpersian-woocommerce-sms\u002Fincludes\u002Fadmin\u002Fsettings.php\n@@ -10,7 +10,7 @@\n $message = $_GET['message'];\n if ( isset( $message ) ) {\n-    echo '\u003Cdiv class=\"updated\">\u003Cp>' . $message . '\u003C\u002Fp>\u003C\u002Fdiv>';\n+    echo '\u003Cdiv class=\"updated\">\u003Cp>' . esc_html( $message ) . '\u003C\u002Fp>\u003C\u002Fdiv>';\n }\n \n@@ -20,1 +20,1 @@\n-$active_tab = isset( $_GET[ 'tab' ] ) ? $_GET[ 'tab' ] : 'general';\n-echo '\u003Cinput type=\"hidden\" name=\"tab\" value=\"' . $active_tab . '\">';\n+$active_tab = isset( $_GET[ 'tab' ] ) ? 
sanitize_text_field( $_GET[ 'tab' ] ) : 'general';\n+echo '\u003Cinput type=\"hidden\" name=\"tab\" value=\"' . esc_attr( $active_tab ) . '\">';","1. Identify an administrative page registered by the Persian WooCommerce SMS plugin, such as wp-admin\u002Fadmin.php?page=persian-woocommerce-sms-settings.\n2. Test for reflection by appending a canary parameter to the URL: &message=CANA_RY_XSS.\n3. Observe if the string is reflected in the HTML source without encoding (e.g., inside a div with class 'updated').\n4. Craft a payload that breaks out of the existing HTML context, such as \">\u003Cscript>alert(1)\u003C\u002Fscript>.\n5. Construct the full exploit URL: http:\u002F\u002Fexample.com\u002Fwp-admin\u002Fadmin.php?page=persian-woocommerce-sms-settings&message=%22%3E%3Cscript%3Ealert(1)%3C\u002Fscript%3E.\n6. Trick a logged-in WordPress administrator into clicking the link to execute the script in their browser session.","gemini-3-flash-preview","2026-04-21 00:46:19","2026-04-21 00:46:37",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpersian-woocommerce-sms\u002Ftags"]