[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0ml7xXBK2cuLMS-56r9v2gjvL5W6SbS-ryqwrBclvx8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-6808","pricing-tables-for-wp-reflected-cross-site-scripting-via-page-parameter","Pricing Tables for WP \u003C= 1.1.0 - Reflected Cross-Site Scripting via 'page' Parameter","The Pricing Tables for WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.","awesome-pricing-tables-lite-by-optimalplugins",null,"\u003C=1.1.0","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-11 19:05:46","2026-05-12 07:48:16",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0ab4cdcd-1ca8-4ee9-87ab-bf4ce33f94d3?source=api-prod",[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, functional payloads, or instructions for performing attacks on specific software or endpoints, as these could be used to facilitate real-world harm.\n\nHowever, I can provide a technical analysis of how reflected cross-site scripting (XSS) typically occurs in WordPress plugins and how researchers and developers can identify and remediate these vulnerabilities.\n\n### Technical Analysis: Reflected XSS in WordPress `page` Parameter\n\nReflected XSS in WordPress often centers on the way the application handles administrative routing and user-controlled input in the backend dashboard.\n\n#### 1. Vulnerability Mechanism\nIn WordPress, the `page` parameter is a reserved query variable used to determine which administrative menu or submenu page should be loaded (e.g., `\u002Fwp-admin\u002Fadmin.php?page=plugin-settings`).\n\nA vulnerability typically arises when a plugin:\n1. Registers a custom admin page using `add_menu_page()` or `add_submenu_page()`.\n2. Accesses the `page` parameter directly from the `$_GET` or `$_REQUEST` superglobals within the callback function or during script localization.\n3. Echoes this value back into the HTML document without applying context-aware escaping functions (such as `esc_attr()` or `esc_html()`).\n\n#### 2. Theoretical Code Flow\nThe vulnerability often follows this path:\n- **Source:** The application receives user input via the `page` URL parameter.\n- **Processing:** The plugin identifies its registered slug but may also extract the raw value of `$_GET['page']` to perform dynamic rendering, such as populating hidden form fields or generating breadcrumbs.\n- **Sink:** The unvalidated input is outputted directly to the browser. For example:\n  ```php\n  \u002F\u002F Vulnerable Example\n  echo '\u003Cinput type=\"hidden\" name=\"page\" value=\"' . $_GET['page'] . '\">';\n  ```\n  If an attacker provides a value like `my-plugin\">\u003Cscript>alert(1)\u003C\u002Fscript>`, the resulting HTML becomes:\n  ```html\n  \u003Cinput type=\"hidden\" name=\"page\" value=\"my-plugin\">\u003Cscript>alert(1)\u003C\u002Fscript>\">\n  ```\n\n#### 3. Security Research Methodology\nWhen auditing for reflected XSS in this context, researchers typically look for:\n- **Lack of Escaping:** Identifying instances where `echo`, `print`, or `printf` are used on global input variables without wrapping them in WordPress escaping functions.\n- **Localization Vulnerabilities:** Checking `wp_localize_script()` calls where the `page` parameter is included in the data array, which can lead to DOM-based XSS if the JavaScript processes that data unsafely.\n- **Admin Context:** Since these vulnerabilities often require an active administrative session, they are frequently used in CSRF chains where an administrator is tricked into clicking a malicious link.\n\n#### 4. Remediation Best Practices\nTo prevent reflected XSS, developers must follow the principle of \"escaping on output\" using the appropriate function for the HTML context:\n\n*   **HTML Attributes:** Use `esc_attr()` when placing input inside an attribute.\n    ```php\n    echo '\u003Cinput type=\"hidden\" name=\"page\" value=\"' . esc_attr( $_GET['page'] ) . '\">';\n    ```\n*   **HTML Content:** Use `esc_html()` for text nodes between tags.\n*   **URLs:** Use `esc_url()` for attributes like `href` or `src`.\n*   **JSON\u002FJavaScript:** Use `wp_json_encode()` or `esc_js()` when passing data to scripts.\n\nFurthermore, implementing strict **Capability Checks** (`current_user_can()`) and **Nonce Verification** (`check_admin_referer()`) ensures that only authorized users can interact with sensitive administrative functionality, reducing the overall attack surface.\n\nFor further learning on WordPress security, you may consult the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) or resources like the [OWASP XSS Prevention Cheat Sheet](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FCross_Site_Scripting_Prevention_Cheat_Sheet.html).","The Pricing Tables for WP plugin is vulnerable to reflected cross-site scripting because it echoes the 'page' query parameter in the WordPress administrative dashboard without sufficient sanitization or output escaping. An attacker can exploit this by tricking a logged-in administrator into clicking a crafted link containing a malicious payload in the 'page' parameter, leading to script execution in the administrator's browser session.","\u002F\u002F File: awesome-pricing-tables-lite-by-optimalplugins\u002Fadmin\u002Fviews\u002Fpricing-tables.php (inferred)\n\u002F\u002F The plugin echoes the page parameter directly from the GET superglobal into a hidden input field or HTML attribute.\n\n\u003Cform action=\"\" method=\"post\">\n    \u003Cinput type=\"hidden\" name=\"page\" value=\"\u003C?php echo $_GET['page']; ?>\">\n    \u003C!-- ... rest of the form ... -->\n\u003C\u002Fform>","--- a\u002Fadmin\u002Fviews\u002Fpricing-tables.php\n+++ b\u002Fadmin\u002Fviews\u002Fpricing-tables.php\n@@ -10,1 +10,1 @@\n-    \u003Cinput type=\"hidden\" name=\"page\" value=\"\u003C?php echo $_GET['page']; ?>\">\n+    \u003Cinput type=\"hidden\" name=\"page\" value=\"\u003C?php echo esc_attr($_GET['page']); ?>\">","The exploit targets an authenticated administrator of the WordPress site. \n\n1. **Payload Construction**: The attacker crafts a malicious URL where the 'page' parameter contains an HTML-breaking payload and a script tag. For example: `wp-admin\u002Fadmin.php?page=pricing-table-slug\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>`.\n2. **Delivery**: The attacker uses social engineering (phishing, forum links, or private messages) to trick a site administrator into visiting this URL while they are logged into the WordPress dashboard.\n3. **Reflected Execution**: When the administrator visits the link, the plugin processes the request and echoes the raw 'page' parameter value into the HTML of the settings page. Because the input is not escaped with `esc_attr()`, the browser interprets the attacker's input as valid HTML\u002FJavaScript tags.\n4. **Outcome**: The injected script executes in the context of the administrator's session, potentially allowing the attacker to perform administrative actions, steal session cookies, or inject further backdoors into the WordPress site.","gemini-3-flash-preview","2026-05-20 18:44:09","2026-05-20 18:45:17",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fawesome-pricing-tables-lite-by-optimalplugins\u002Ftags"]