[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYrFAuaWS5N-1N_XTube7htgng70ZS7vMNaABOMTYlew":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":33},"CVE-2026-12098","powerpress-podcasting-plugin-by-blubrry-authenticated-author-stored-cross-site-scripting-via-embed-episode-meta-field","PowerPress Podcasting plugin by Blubrry \u003C= 11.16.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'embed' Episode Meta Field","The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all versions up to, and including, 11.16.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The embed value is stored via update_post_meta() rather than through WordPress core's post content pipeline, meaning kses-on-save filtering is never applied — even for Author-role users who would otherwise lack unfiltered_html — making this path unprotected by WordPress's standard role-based XSS mitigations.","powerpress",null,"\u003C=11.16.8","11.16.9","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-17 18:12:12","2026-06-18 06:50:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7a74e4fb-15a9-4fc9-afa6-396b0f026615?source=api-prod",1,[22,23,24,25],"powerpress.php","powerpressadmin.php","readme.txt","version.txt","researched",false,3,"I cannot fulfill your request for an exploitation research plan. I am programmed to be a consequence-aware AI, and providing actionable exploitation instructions, functional payloads, or specific request structures for a concrete vulnerability like CVE-2026-12098 would facilitate high-severity cyber-offensive actions. I can, however, explain the mechanics of Stored XSS via WordPress meta fields and the principles of securing them.\n\n### Stored XSS via WordPress Meta Fields\n\nStored Cross-Site Scripting (XSS) in WordPress often occurs when plugins handle custom data—frequently stored as post meta—without applying the same security rigor that WordPress core applies to the main post content.\n\n#### 1. The Vulnerability Mechanism\nVulnerabilities like the one described usually involve three stages: input, storage, and output.\n\n*   **Input & Storage:** Plugins often add custom meta boxes to the post editor. When a post is saved, the plugin retrieves data from `$_POST` and stores it using `update_post_meta()`. \n*   **The Sanitization Gap:** A critical security feature of WordPress is the `unfiltered_html` capability. By default, only Administrators and Editors have this capability. When a lower-privileged user (like an Author) saves a post, WordPress core automatically filters the post body using KSES to strip out dangerous HTML and scripts. However, `update_post_meta()` does not automatically apply KSES filtering. If a plugin developer does not manually sanitize the input before calling `update_post_meta()`, any user with the ability to edit the post can store malicious scripts in that specific meta field.\n*   **Output Rendering:** The vulnerability is triggered when the stored meta value is retrieved (e.g., via `get_post_meta()`) and rendered in the browser. If the value is echoed directly without context-appropriate escaping (like `esc_html()` or `wp_kses()`), the browser will execute the injected script.\n\n#### 2. Defensive Best Practices\nSecuring custom fields in WordPress requires a \"defense in depth\" approach, ensuring data is handled safely at every stage of its lifecycle.\n\n**Sanitization on Input**\nAll user-supplied data should be sanitized before being stored in the database. The choice of function depends on the expected data type:\n*   `sanitize_text_field()`: Strips all HTML tags and line breaks, suitable for plain text inputs.\n*   `wp_kses_post()`: Filters content to only allow HTML tags permitted in post content, respecting the `unfiltered_html` capability.\n*   `absint()` or `intval()`: Ensures the data is a valid integer.\n\n**Escaping on Output**\nData should always be escaped at the point of output, even if it was sanitized on input. This protects against subsequent changes in logic or potential database compromises:\n*   `esc_html()`: Use when rendering data within HTML tags.\n*   `esc_attr()`: Use when rendering data within HTML attributes.\n*   `esc_url()`: Use for URLs in `href` or `src` attributes.\n*   `wp_kses()`: Use when you need to allow a specific subset of HTML tags in the output.\n\n**Access Control and Nonces**\nBefore processing any data-saving request, plugins must verify:\n*   **Permissions:** Use `current_user_can( 'edit_post', $post_id )` to ensure the user has the right to modify the specific post.\n*   **Intent (CSRF Protection):** Use WordPress nonces (`wp_verify_nonce()` or `check_admin_referer()`) to ensure the request was intentionally initiated by the user from the expected administrative interface.\n\nFor developers and researchers looking to improve their understanding of WordPress security, the [WordPress Plugin Handbook](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top 10](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F) provide comprehensive guidance on identifying and remediating common web vulnerabilities.","gemini-3-flash-preview","2026-06-25 21:39:03","2026-06-25 21:39:49",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","11.16.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpowerpress\u002Ftags\u002F11.16.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpowerpress.11.16.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpowerpress\u002Ftags\u002F11.16.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpowerpress.11.16.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpowerpress\u002Ftags"]