[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fl2Lty8cE7cK_-suefmMgHB1wBOOL1ZLWDebu0hFasjI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-9200","query-shortcode-authenticated-contributor-local-file-inclusion-via-lens-shortcode-attribute","Query Shortcode \u003C= 0.2.1 - Authenticated (Contributor+) Local File Inclusion via 'lens' Shortcode Attribute","The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.","query-shortcode",null,"\u003C=0.2.1","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Filename for Include\u002FRequire Statement in PHP Program ('PHP Remote File Inclusion')","2026-05-26 17:25:25","2026-05-27 05:31:21",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F28df760b-6b15-41ca-b93f-9d24dbbd9fc4?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to demonstrate the Local File Inclusion (LFI) vulnerability in the **Query Shortcode** plugin (version \u003C= 0.2.1).\n\n### 1. Vulnerability Summary\nThe **Query Shortcode** plugin provides a `[query]` shortcode that allows users to display WordPress posts based on various parameters. One of these parameters, `lens`, is used to specify a template file (a \"lens\") to render the query results. The plugin fails to adequately sanitize this attribute, allowing a user with at least Contributor-level permissions to perform directory traversal and include arbitrary `.php` files from the server.\n\n### 2. Attack Vector Analysis\n*   **Shortcode:** `[query]`\n*   **Vulnerable Attribute:** `lens`\n*   **Authentication Level:** Authenticated (Contributor or higher). Contributors can create and preview posts, which is sufficient to trigger shortcode execution.\n*   **Payload Type:** Path Traversal \u002F PHP Wrappers (e.g., `php:\u002F\u002Ffilter`).\n*   **Endpoint:** The standard WordPress post editor and frontend post view (or preview).\n\n### 3. Code Flow (Inferred)\nBased on the vulnerability description and common patterns in similar plugins:\n1.  **Registration:** The plugin registers the shortcode in its main file using `add_shortcode( 'query', '...' )`.\n2.  **Handler Execution:** When a post containing `[query lens=\"payload\"]` is rendered, the callback function (e.g., `query_shortcode_handler`) is invoked.\n3.  **Attribute Parsing:** The handler uses `shortcode_atts()` to extract the `lens` value.\n4.  **Vulnerable Sink:** The code constructs a file path using the `lens` attribute, likely appending `.php`, and passes it to an inclusion function:\n    ```php\n    \u002F\u002F Inferred logic\n    $lens = $atts['lens'];\n    $lens_path = plugin_dir_path( __FILE__ ) . 'lenses\u002F' . $lens . '.php';\n    if ( file_exists( $lens_path ) ) {\n        include( $lens_path );\n    }\n    ```\n    If `lens` contains `..\u002F..\u002F..\u002F..\u002Fwp-config`, the resulting path points to the site's configuration file.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability is exploited through the standard WordPress post-rendering process.\n*   **Is a nonce required?** No. Shortcodes are processed by the WordPress engine when a post is viewed or previewed. There is no specific AJAX or REST nonce required to trigger the LFI.\n*   **Contributor Access:** The attacker needs to be logged in. The exploitation script must first authenticate and maintain a session cookie.\n\n### 5. Exploitation Strategy\nThe goal is to read the `wp-config.php` file by using the PHP filter wrapper to base64-encode the file content, preventing it from being executed and instead displaying it in the page output.\n\n**Step 1: Authenticate**\nSend a POST request to `wp-login.php` to obtain authentication cookies for a Contributor-level user.\n\n**Step 2: Create a Post with Payload**\nCreate a new post (or update an existing one) containing the malicious shortcode.\n*   **Shortcode:** `[query lens=\"php:\u002F\u002Ffilter\u002Fconvert.base64-encode\u002Fresource=..\u002F..\u002F..\u002F..\u002Fwp-config\"]`\n*   *Note: The number of `..\u002F` segments depends on the plugin's directory depth. Usually, 4-5 segments are sufficient to reach the root.*\n\n**Step 3: View\u002FPreview the Post**\nRequest the page where the post is rendered. The WordPress engine will process the shortcode, trigger the `include()`, and because of the `php:\u002F\u002Ffilter`, the base64-encoded content of `wp-config.php` will be injected into the HTML output.\n\n**HTTP Request (Post Creation\u002FUpdate):**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [Contributor Cookies]\n\naction=sample-permalink&post_id=[ID]&new_title=LFI-Test&new_slug=lfi-test\n```\n*(Alternatively, use the Gutenberg\u002FClassic Editor REST API or POST requests to `post.php`)*.\n\n**HTTP Request (Triggering LFI via View):**\n```http\nGET \u002F?p=[POST_ID] HTTP\u002F1.1\nCookie: [Contributor Cookies]\n```\n\n### 6. Test Data Setup\n1.  **User:** Create a user with the `contributor` role.\n2.  **Plugin:** Ensure `query-shortcode` version 0.2.1 is installed and active.\n3.  **Target File:** Ensure `wp-config.php` exists in the WordPress root directory (standard).\n\n### 7. Expected Results\nUpon viewing the post, the HTML response should contain a large block of base64-encoded text.\nDecoding this text will reveal the contents of `wp-config.php`, including:\n*   `DB_NAME`, `DB_USER`, `DB_PASSWORD`, `DB_HOST`\n*   Authentication Unique Keys and Salts\n\n### 8. Verification Steps\n1.  **Identify Output:** Use the `http_request` tool to fetch the post content.\n2.  **Extract Base64:** Locate the string between the expected shortcode output boundaries.\n3.  **Decode and Validate:** Use a helper or `browser_eval` to decode the string and verify it starts with `\u003C?php`.\n    ```javascript\n    \u002F\u002F Example verification via browser_eval\n    const b64 = \"[Extracted String]\";\n    console.log(atob(b64).substring(0, 30)); \u002F\u002F Should show \"\u003C?php\u002F** * The base configurat\"\n    ```\n\n### 9. Alternative Approaches\n*   **Log File Inclusion:** If the site has a predictable log path (e.g., `\u002Fvar\u002Flog\u002Fapache2\u002Faccess.log`), use directory traversal to include the log file after poisoning it with PHP code via the User-Agent header to achieve RCE.\n*   **Direct Execution:** If the attacker has previously uploaded a `.php` file (e.g., via a different vulnerability or if the site allows certain uploads), use the `lens` attribute to point directly to that file: `[query lens=\"..\u002F..\u002F..\u002F..\u002Fwp-content\u002Fuploads\u002F2023\u002F10\u002Fshell\"]` (assuming `.php` is appended automatically).\n*   **Path Variation:** If `..\u002F..\u002F..\u002F..\u002Fwp-config` fails, try variations of the depth or absolute paths if the OS is known (e.g., `lens=\"\u002Fetc\u002Fpasswd\"` if the code does not append `.php`).","The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in versions up to 0.2.1 due to the 'lens' shortcode attribute being used in an inclusion statement without sanitization. Authenticated attackers with Contributor-level access can use directory traversal or PHP wrappers to include and execute arbitrary PHP files on the server.","\u002F\u002F query-shortcode.php\n\n\u002F\u002F Inferred logic from plugin handler\n$lens = $atts['lens'];\n$lens_path = plugin_dir_path( __FILE__ ) . 'lenses\u002F' . $lens . '.php';\nif ( file_exists( $lens_path ) ) {\n    include( $lens_path );\n}","--- a\u002Fquery-shortcode.php\n+++ b\u002Fquery-shortcode.php\n@@ -10,5 +10,5 @@\n \n-    $lens = $atts['lens'];\n+    $lens = basename( $atts['lens'] );\n     $lens_path = plugin_dir_path( __FILE__ ) . 'lenses\u002F' . $lens . '.php';\n-    if ( file_exists( $lens_path ) ) {\n+    if ( ! empty( $lens ) && file_exists( $lens_path ) ) {\n         include( $lens_path );","An authenticated attacker with Contributor-level permissions creates or edits a WordPress post and inserts the [query] shortcode with a malicious 'lens' attribute. By using directory traversal (e.g., lens='..\u002F..\u002F..\u002F..\u002Fwp-config') or PHP wrappers (e.g., lens='php:\u002F\u002Ffilter\u002Fconvert.base64-encode\u002Fresource=..\u002F..\u002F..\u002F..\u002Fwp-config'), the attacker can force the server to include and potentially display the contents of sensitive files or execute arbitrary PHP code if they have a way to upload files. The payload is triggered when the post is viewed or previewed in the WordPress frontend.","gemini-3-flash-preview","2026-06-04 18:49:14","2026-06-04 18:50:00",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquery-shortcode\u002Ftags"]