[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fts6Z9WGzbsPnRrAQOpND6ftBf9q-z23vLTJ08geNpyo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-42729","property-hive-unauthenticated-stored-cross-site-scripting","Property Hive \u003C= 2.2.2 - Unauthenticated Stored Cross-Site Scripting","The Property Hive plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","propertyhive",null,"\u003C=2.2.2","2.2.3","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-23 00:00:00","2026-05-26 19:15:16",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe91922d7-5207-45e6-8e0f-071da23771e9?source=api-prod",4,[22,23,24,25,26,27,28,29],"README.txt","includes\u002Fadmin\u002Fclass-ph-admin-help.php","includes\u002Fadmin\u002Fclass-ph-admin-post-types.php","includes\u002Fadmin\u002Fclass-ph-admin.php","includes\u002Fadmin\u002Fph-admin-functions.php","includes\u002Fadmin\u002Fpost-types\u002Fclass-ph-admin-cpt-enquiry.php","includes\u002Fadmin\u002Fpost-types\u002Fclass-ph-admin-cpt-viewing.php","includes\u002Fadmin\u002Fpost-types\u002Fclass-ph-admin-cpt.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-42729 (Property Hive Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Property Hive** plugin for WordPress (versions \u003C= 2.2.2) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in the `PH_Admin::check_install_add_on` method, which is hooked to `admin_init`. This method processes user-supplied data from `$_GET` parameters (`ph_add_on_slug` and `ph_add_on_plugin`), decodes them from Base64, and updates a global WordPress option (`propertyhive_pre_pro_add_ons`) without performing any authentication, authorization (capability), or CSRF (nonce) checks. \n\nThe stored data is subsequently rendered in the WordPress administrative dashboard (specifically the \"Features\" tab of the Property Hive settings), where insufficient output escaping allows injected scripts to execute in the context of an administrator.\n\n## 2. Attack Vector Analysis\n- **Entry Point**: `admin_init` hook. In WordPress, `admin_init` fires on all administrative pages and, crucially, during calls to `\u002Fwp-admin\u002Fadmin-ajax.php`, which is accessible to unauthenticated users.\n- **Vulnerable Action**: `ph_action=install_add_on`.\n- **Payload Parameters**: `ph_add_on_slug` and `ph_add_on_plugin`.\n- **Authentication**: None required (Unauthenticated).\n- **Preconditions**: The plugin must be active.\n\n## 3. Code Flow\n1. **Entry**: An unauthenticated request is made to `\u002Fwp-admin\u002Fadmin-ajax.php?ph_action=install_add_on&ph_add_on_slug=[BASE64]&ph_add_on_plugin=[BASE64]`.\n2. **Hook**: The `admin_init` hook triggers `PH_Admin::check_install_add_on()` in `includes\u002Fadmin\u002Fclass-ph-admin.php`.\n3. **Condition Check**: The function checks if `$_GET['ph_action']` equals `'install_add_on'` (Line 184).\n4. **Processing**:\n    - It decodes the `ph_add_on_slug` and `ph_add_on_plugin` values from Base64.\n    - It applies `ph_clean()` to the decoded values (Line 200). `ph_clean` (likely a wrapper for `sanitize_text_field`) is insufficient for preventing XSS in attribute contexts or if output escaping is missing.\n5. **Storage**: The processed values are appended to an array and stored in the database via `update_option( 'propertyhive_pre_pro_add_ons', ... )` (Line 204).\n6. **Sink**: An administrator navigates to `\u002Fwp-admin\u002Fadmin.php?page=ph-settings&tab=features`. The plugin retrieves the `propertyhive_pre_pro_add_ons` option and renders the content. If the rendering logic (likely in `includes\u002Fadmin\u002Fclass-ph-admin-settings.php`) echoes these values without `esc_attr()` or `esc_","gemini-3-flash-preview","2026-06-04 21:42:13","2026-06-04 21:43:54",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.2.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpropertyhive\u002Ftags\u002F2.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpropertyhive.2.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpropertyhive\u002Ftags\u002F2.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpropertyhive.2.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpropertyhive\u002Ftags"]