[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fikU3-xDnzk2nSPXT1D7DnbayyLtZE0ShKG_bH2En5XE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-5694","quick-interest-slider-unauthenticated-stored-cross-site-scripting","Quick Interest Slider \u003C= 3.1.5 - Unauthenticated Stored Cross-Site Scripting","The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","quick-interest-slider",null,"\u003C=3.1.5","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-14 19:44:37","2026-04-15 17:56:06",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe3ce37e7-1dca-4f74-86ce-65bf29ef091e?source=api-prod",[],"researched",false,3,"This research plan outlines the technical steps required to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the **Quick Interest Slider** plugin (versions \u003C= 3.1.5).\n\n### 1. Vulnerability Summary\nThe Quick Interest Slider plugin allows visitors to calculate loan interest rates. When a user submits a \"loan application\" or interacts with the slider, parameters such as `loan-amount` and `loan-period` are processed. The vulnerability exists because the plugin fails to sanitize these parameters before storing them in the database (likely as lead data or settings) and fails to escape them when they are subsequently rendered on an admin-facing lead management page or a results page.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `admin-ajax.php` or the main site frontend via a POST request to a page containing the slider.\n*   **AJAX Action:** Likely `qis_process_form` or `qis_save_application` (inferred).\n*   **Parameters:** `loan-amount` and `loan-period`.\n*   **Authentication:** Unauthenticated (accessible via `wp_ajax_nopriv_*` hooks).\n*   **Preconditions:** The slider must be active on a public page, and the \"Save Applications\" or \"Lead Capture\" feature should be enabled in the plugin settings.\n\n### 3. Code Flow (Inferred)\n1.  **Source:** A user sends a POST request containing `loan-amount` or `loan-period` to an unauthenticated AJAX handler or a frontend form listener.\n2.  **Registration:** The handler is likely registered via:\n    `add_action( 'wp_ajax_nopriv_qis_process_form', 'qis_process_form' );`\n3.  **Processing (The Sink):** Inside `qis_process_form()`, the code captures the input:\n    `$amount = $_POST['loan-amount'];`\n    It then stores this value without using `sanitize_text_field()`:\n    `update_post_meta( $post_id, 'loan_amount', $amount );` or `$wpdb->insert(...)`\n4.  **Trigger:** An administrator logs into the WordPress dashboard and navigates to the \"Quick Interest Slider\" -> \"Applications\" or \"Leads\" page.\n5.  **Execution:** The admin page retrieves the stored value and echoes it directly:\n    `echo '\u003Ctd>' . $lead->loan_amount . '\u003C\u002Ftd>';` (XSS Sink)\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely enqueues a JavaScript file that contains the AJAX URL and a nonce for the form submission.\n\n1.  **Identify Shortcode:** Search for `add_shortcode` in the plugin files to find the slider's shortcode. It is likely `[quick-interest-slider]`.\n2.  **Setup Page:** Create a public page containing the shortcode.\n3.  **Locate Nonce:** Check for `wp_localize_script` in the source code. The variable name is often something like `qis_ajax` or `qis_vars`.\n4.  **Extraction:**\n    *   Navigate to the created page using `browser_navigate`.\n    *   Execute `browser_eval(\"window.qis_ajax?.nonce\")` or search the HTML source for `qis_nonce`.\n\n### 5. Exploitation Strategy\nThe goal is to inject a script that executes when an admin views the leads.\n\n**Step 1: Discover the Handler**\nSearch the codebase for the AJAX action that handles form submission:\n`grep -rn \"wp_ajax_nopriv\" .`\n\n**Step 2: Prepare the Payload**\nUse a standard XSS payload that exfiltrates information or triggers an alert:\n`payload = \"\u003Cscript>alert('CVE-2026-5694_XSS');\u003C\u002Fscript>\"`\n\n**Step 3: Submit the Malicious Request**\nPerform an unauthenticated POST request to `admin-ajax.php`.\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=qis_process_form&\n    loan-amount=\u003Cimg src=x onerror=alert(1)>&\n    loan-period=\u003Cscript>console.log(document.cookie)\u003C\u002Fscript>&\n    qis_nonce=[EXTRACTED_NONCE]&\n    [OTHER_REQUIRED_PARAMS]\n    ```\n*(Note: Use `http_request` to send this.)*\n\n### 6. Test Data Setup\nBefore exploitation, ensure the plugin is configured to save leads:\n1.  **Plugin Activation:** `wp plugin activate quick-interest-slider`\n2.  **Configuration:** Ensure the plugin is set to store submissions in the database (Check settings via `wp option get qis_settings`).\n3.  **Shortcode Placement:**\n    `wp post create --post_type=page --post_title=\"Loan Calculator\" --post_status=publish --post_content='[quick-interest-slider]'`\n\n### 7. Expected Results\n*   The AJAX response should indicate success (e.g., `{\"success\":true}` or a generic success message).\n*   The payload will be stored in the database.\n*   When a user (specifically an admin) visits the leads\u002Fapplications page in the WordPress dashboard, the `alert(1)` or `console.log` will execute.\n\n### 8. Verification Steps\nAfter sending the payload, verify storage via WP-CLI:\n1.  **Database Check:**\n    `wp db query \"SELECT * FROM wp_postmeta WHERE meta_key = 'loan_amount' AND meta_value LIKE '%\u003Cscript>%';\"`\n    *(Adjust table name if the plugin uses a custom table like `wp_qis_leads`)*.\n2.  **Dashboard Check:**\n    Use `browser_navigate` to go to the plugin's admin lead page (e.g., `\u002Fwp-admin\u002Fadmin.php?page=qis-leads`) and check for the injected HTML.\n\n### 9. Alternative Approaches\n*   **Direct Form POST:** If the plugin doesn't use AJAX for the initial submission but a standard HTML form, identify the form action (likely the current page URL) and POST directly to that URL with the malicious parameters.\n*   **Parameter Variation:** If `loan-amount` is sanitized, try `loan-period`, `interest-rate`, or any hidden fields like `form_id` that might be reflected in the admin UI.\n*   **Bypass Nonce:** Check if the nonce check is missing in the `nopriv` handler by simply omitting the nonce parameter in the request. If the code uses `if(isset($_POST['nonce']))` instead of a hard requirement, it can be bypassed.","The Quick Interest Slider plugin for WordPress is vulnerable to unauthenticated Stored Cross-Site Scripting due to the lack of sanitization on 'loan-amount' and 'loan-period' parameters. Attackers can inject malicious scripts into loan applications which are then executed when an administrator views the application leads in the WordPress dashboard.","\u002F\u002F quick-interest-slider.php - Inferred AJAX handler for processing submissions\nfunction qis_process_form() {\n    \u002F\u002F ... processing logic ...\n    $loan_amount = $_POST['loan-amount'];\n    $loan_period = $_POST['loan-period'];\n\n    \u002F\u002F Vulnerable: Data is stored without sanitization\n    update_post_meta( $post_id, 'loan_amount', $loan_amount );\n    update_post_meta( $post_id, 'loan_period', $loan_period );\n    \u002F\u002F ... \n}\n\n---\n\n\u002F\u002F quick-interest-slider.php - Inferred admin display logic\nforeach ( $leads as $lead ) {\n    $amount = get_post_meta( $lead->ID, 'loan_amount', true );\n    \u002F\u002F Vulnerable: Stored data is echoed without escaping\n    echo '\u003Ctd>' . $amount . '\u003C\u002Ftd>';\n}","--- a\u002Fquick-interest-slider.php\n+++ b\u002Fquick-interest-slider.php\n@@ -10,8 +10,8 @@\n function qis_process_form() {\n-    $loan_amount = $_POST['loan-amount'];\n-    $loan_period = $_POST['loan-period'];\n+    $loan_amount = sanitize_text_field($_POST['loan-amount']);\n+    $loan_period = sanitize_text_field($_POST['loan-period']);\n \n     update_post_meta( $post_id, 'loan_amount', $loan_amount );\n@@ -40,5 +40,5 @@\n foreach ( $leads as $lead ) {\n     $amount = get_post_meta( $lead->ID, 'loan_amount', true );\n-    echo '\u003Ctd>' . $amount . '\u003C\u002Ftd>';\n+    echo '\u003Ctd>' . esc_html($amount) . '\u003C\u002Ftd>';\n }","1. Navigate to a public page where the [quick-interest-slider] shortcode is rendered.\n2. Extract the AJAX nonce from the page source, typically found in a JavaScript object like `qis_vars` or `qis_ajax`.\n3. Construct an unauthenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action set to the plugin's submission handler (e.g., `qis_process_form`).\n4. Include a malicious XSS payload in the `loan-amount` or `loan-period` parameter, such as `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n5. Submit the request. The plugin will store the unsanitized payload in the database.\n6. The exploit triggers when a site administrator logs in and navigates to the plugin's leads\u002Fapplications management page, where the stored payload is rendered without escaping.","gemini-3-flash-preview","2026-04-16 15:43:37","2026-04-16 15:43:58",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquick-interest-slider\u002Ftags"]