[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6ghOFN_-rgPqQRXsVOVZzTxrnDsULnMm4qtP4DRISBI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-1043","postmarkapp-email-integrator-authenticated-administrator-stored-cross-site-scripting-via-plugin-settings","PostmarkApp Email Integrator \u003C= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings","The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pma_api_key and pma_sender_address parameters. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page.","postmarkapp-email-integrator",null,"\u003C=2.4","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-18 15:45:28","2026-04-15 16:38:32",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F80b03e81-6660-483a-9150-e6075b7bffbd?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1043\n\n## 1. Vulnerability Summary\nThe **PostmarkApp Email Integrator** plugin (versions \u003C= 2.4) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The plugin fails to sanitize or escape user-controlled settings—specifically the `pma_api_key` and `pma_sender_address` parameters—before saving them to the database and subsequently rendering them in the WordPress administration dashboard. \n\nWhile the vulnerability requires Administrator-level privileges to exploit (PR:H), it poses a significant risk in environments where `unfiltered_html` is disabled or in Multisite configurations where a Site Admin (not Super Admin) can use this to target a Super Admin.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Parameters:** `pma_api_key`, `pma_sender_address`\n- **Entry Point:** Plugin settings page, likely found at `\u002Fwp-admin\u002Foptions-general.php?page=postmarkapp-email-integrator` (inferred) or `\u002Fwp-admin\u002Fadmin.php?page=pma-settings` (inferred).\n- **Authentication:** Required (Administrator or above).\n- **Vulnerability Mechanism:** Improper storage (missing `sanitize_text_field`) and improper output (missing `esc_attr` or `esc_html`) in the admin settings view.\n\n## 3. Code Flow (Inferred)\n1. **Submission Phase:**\n   - An administrator navigates to the plugin settings page.\n   - A POST request is sent to `options.php` (if using Settings API) or the plugin's own admin page handler.\n   - The plugin processes the input using `update_option('pma_api_key', $_POST['pma_api_key'])` without applying sanitization functions.\n2. **Execution Phase:**\n   - An administrator (the attacker or a victim) views the settings page.\n   - The plugin retrieves the value: `$api_key = get_option('pma_api_key');`.\n   - The value is echoed directly into an HTML input attribute or a table cell: `echo '\u003Cinput type=\"text\" name=\"pma_api_key\" value=\"' . $api_key . '\">';`.\n   - The browser interprets the injected script, executing it in the context of the administrator's session.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely uses the standard WordPress Settings API or a custom form with a nonce check (`check_admin_referer`). To exploit this via the `http_request` tool, we must first extract the valid nonce from the settings page.\n\n1. **Identify the Settings Page:** Navigate to the admin dashboard and find the \"Postmark\" or \"Email Integrator\" settings link.\n2. **Navigate and Extract:**\n   - Use `browser_navigate` to load the settings page.\n   - Use `browser_eval` to locate the nonce field.\n   - Common Settings API nonce name: `_wpnonce`.\n   - Plugin-specific nonce keys might be localized in a global JS object or hidden in the form.\n\n**JavaScript to extract nonce:**\n```javascript\n\u002F\u002F If standard Settings API form:\ndocument.querySelector('input[name=\"_wpnonce\"]')?.value;\n\n\u002F\u002F If custom form (check page source for nonce field names):\ndocument.querySelector('input[name*=\"nonce\"]')?.value;\n```\n\n## 5. Exploitation Strategy\nThe goal is to store a payload that executes `alert(document.domain)` when the settings page is viewed.\n\n### Step 1: Discover the Form Structure\n1. Navigate to the settings page as an Administrator.\n2. Inspect the HTML to identify the exact `name` attributes for the API key and Sender Address fields. Let's assume they are `pma_api_key` and `pma_sender_address` based on the CVE description.\n3. Identify the `action` attribute of the form (likely `options.php`).\n\n### Step 2: Perform the Injection\nSend a POST request to update the options.\n\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Foptions.php` (if using Settings API) or the current page URL.\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Body Parameters:**\n  - `option_page`: (e.g., `postmark_settings_group`)\n  - `action`: `update`\n  - `_wpnonce`: [EXTRACTED_NONCE]\n  - `pma_api_key`: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n  - `pma_sender_address`: `\">\u003Cimg src=x onerror=alert(1)>`\n\n### Step 3: Trigger the XSS\n1. Navigate to the plugin settings page: `browser_navigate(\"http:\u002F\u002F[target]\u002Fwp-admin\u002Foptions-general.php?page=postmarkapp-email-integrator\")`.\n2. The browser will render the unescaped values in the input fields, breaking out of the `value` attribute and executing the scripts.\n\n## 6. Test Data Setup\n1. **Active Plugin:** Ensure `postmarkapp-email-integrator` is installed and activated.\n2. **User Role:** Use an existing Administrator account.\n3. **Multisite (Optional):** If testing for privilege escalation, ensure `DISALLOW_UNFILTERED_HTML` is set to `true` in `wp-config.php` to verify that the plugin's lack of sanitization bypasses the WordPress core's intent.\n\n## 7. Expected Results\n- After the POST request, the WordPress site should return a `302 Redirect` back to the settings page with a `settings-updated=true` parameter.\n- Upon visiting the settings page, an alert box showing the domain name should appear (verified via `browser_eval` to check for the presence of the script or the result of the alert).\n- The HTML source of the settings page should show:\n  `\u003Cinput ... value=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">`\n\n## 8. Verification Steps (WP-CLI)\nConfirm the payload is stored in the database without sanitization:\n```bash\nwp option get pma_api_key\n# Expected output: \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n\nwp option get pma_sender_address\n# Expected output: \">\u003Cimg src=x onerror=alert(1)>\n```\n\n## 9. Alternative Approaches\nIf the plugin does not use the Settings API (`options.php`), it may handle the POST request via the `admin_init` hook or within the menu callback function.\n\n- **Alternative Sink:** Check if the `pma_sender_address` is used in email headers sent by the plugin. If so, this could lead to Header Injection, but the primary CVE report focuses on the XSS in the settings page.\n- **Bypassing Nonces:** If the plugin checks nonces incorrectly (e.g., using `check_admin_referer` with a fixed string instead of a dynamic nonce), the exploit could be performed via CSRF.\n- **Blind XSS:** If the settings are reflected on a different admin page (e.g., a dashboard widget), check those pages as well.","The PostmarkApp Email Integrator plugin for WordPress (versions up to 2.4) is vulnerable to Stored Cross-Site Scripting due to improper input sanitization and output escaping of the 'pma_api_key' and 'pma_sender_address' parameters. Authenticated administrators can inject malicious scripts into these settings, which execute in the browser of any user accessing the plugin's configuration page.","\u002F\u002F Inferred vulnerability in settings storage (likely in an admin_init hook or settings form handler)\nupdate_option('pma_api_key', $_POST['pma_api_key']);\nupdate_option('pma_sender_address', $_POST['pma_sender_address']);\n\n---\n\n\u002F\u002F Inferred vulnerability in settings display (admin settings page template)\n$api_key = get_option('pma_api_key');\n$sender_address = get_option('pma_sender_address');\n?>\n\u003Cinput type=\"text\" name=\"pma_api_key\" value=\"\u003C?php echo $api_key; ?>\" \u002F>\n\u003Cinput type=\"text\" name=\"pma_sender_address\" value=\"\u003C?php echo $sender_address; ?>\" \u002F>","--- a\u002Fpostmarkapp-email-integrator.php\n+++ b\u002Fpostmarkapp-email-integrator.php\n@@ -10,8 +10,8 @@\n-update_option('pma_api_key', $_POST['pma_api_key']);\n-update_option('pma_sender_address', $_POST['pma_sender_address']);\n+update_option('pma_api_key', sanitize_text_field($_POST['pma_api_key']));\n+update_option('pma_sender_address', sanitize_email($_POST['pma_sender_address']));\n \n@@ -25,2 +25,2 @@\n- \u003Cinput type=\"text\" name=\"pma_api_key\" value=\"\u003C?php echo $api_key; ?>\" \u002F>\n- \u003Cinput type=\"text\" name=\"pma_sender_address\" value=\"\u003C?php echo $sender_address; ?>\" \u002F>\n+ \u003Cinput type=\"text\" name=\"pma_api_key\" value=\"\u003C?php echo esc_attr($api_key); ?>\" \u002F>\n+ \u003Cinput type=\"text\" name=\"pma_sender_address\" value=\"\u003C?php echo esc_attr($sender_address); ?>\" \u002F>","1. Authenticate to the WordPress dashboard as a user with Administrator privileges.\n2. Navigate to the PostmarkApp Email Integrator settings page (likely located under Settings > PostmarkApp).\n3. Capture the nonce required for settings updates (e.g., from the '_wpnonce' hidden input field).\n4. Send a POST request to \u002Fwp-admin\u002Foptions.php (if using the Settings API) or the plugin's own settings handler. \n5. Include a payload in the 'pma_api_key' or 'pma_sender_address' parameters designed to break out of an HTML attribute, such as: \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>.\n6. The script will be stored in the 'wp_options' table. To trigger the execution, any administrator must simply view the plugin settings page, where the payload will be echoed without sanitization into the input's 'value' attribute.","gemini-3-flash-preview","2026-04-19 03:18:49","2026-04-19 03:19:07",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpostmarkapp-email-integrator\u002Ftags"]