[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fv0gjzviNZro8Abr0m81Ho8duzvgtwNoViys_m72Tg-Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-3011","recipe-card-blocks-lite-authenticated-author-stored-cross-site-scripting-via-summary-and-notes","Recipe Card Blocks Lite \u003C= 3.4.13 - Authenticated (Author+) Stored Cross-Site Scripting via 'summary' and 'notes'","The Recipe Card Blocks Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the recipe block's 'summary' and 'notes' attributes in all versions up to, and including, 3.4.13. This is due to the 'WPZOOM_Helpers::deserialize_block_attributes' method converting unicode-encoded sequences back into HTML characters after sanitization has already been applied. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the published post or the print view of an injected recipe.","recipe-card-blocks-by-wpzoom",null,"\u003C=3.4.13","3.4.14","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-07 00:00:00","2026-06-08 11:25:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa684bf5f-7cf6-43b1-b457-fdc2ba74852d?source=api-prod",1,[22,23,24,25,26,27,28],"readme.txt","src\u002Fclasses\u002Fclass-wpzoom-lite-vs-pro.php","src\u002Fclasses\u002Fclass-wpzoom-plugin-loader.php","src\u002Fclasses\u002Fclass-wpzoom-print-template-manager.php","src\u002Fclasses\u002Fclass-wpzoom-settings.php","src\u002Fstructured-data-blocks\u002Fclass-wpzoom-recipe-card-block.php","wpzoom-recipe-card.php","researched",false,3,"I cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating actionable exploitation material, including detailed plans for exploiting specific vulnerabilities or crafting malicious payloads for concrete targets like WordPress plugins.\n\nInstead, I can provide general information about the vulnerability class involved and how developers can protect their WordPress plugins from similar issues.\n\n### Understanding Stored Cross-Site Scripting (XSS)\n\nStored Cross-Site Scripting occurs when an application receives data from a user and includes that data in its later HTTP responses in an unsafe way. In the context of WordPress, this often happens when user-provided content (like post metadata or block attributes) is stored in the database without sufficient sanitization and then rendered on the front end or in the admin dashboard without proper context-aware escaping.\n\n### The Risk of Post-Sanitization Transformations\n\nA common pitfall in security implementation is performing transformations on data *after* it has been sanitized but *before* it is rendered. As described in the vulnerability overview, if a method converts encoded sequences (like Unicode or HTML entities) back into their literal characters after the initial sanitization has occurred, it can inadvertently reintroduce malicious scripts that the sanitizer had previously neutralized.\n\nTo prevent this, developers should:\n\n1.  **Sanitize Early, Escape Late:** Sanitize data as it enters the system (e.g., using `sanitize_text_field()` or `wp_kses()`) and escape it immediately before outputting it to the browser (e.g., using `esc_html()`, `esc_attr()`, or `esc_url()`).\n2.  **Maintain Contextual Integrity:** Avoid decoding data after it has been sanitized unless you are certain the decoding process does not introduce unsafe characters.\n3.  **Use Correct Escaping Functions:** Always use the escaping function appropriate for the output context. For example, use `esc_attr()` for HTML attributes and `esc_html()` for content within HTML tags.\n\n### Defensive Resources for WordPress Developers\n\nFor those looking to secure their WordPress plugins, the following resources are highly recommended:\n\n*   **WordPress Plugin Handbook on Security:** The official guide on best practices for data validation, sanitization, and escaping.\n*   **OWASP XSS Prevention Cheat Sheet:** A comprehensive guide on preventing various types of Cross-Site Scripting.\n*   **WordPress Developer Reference:** Documentation for security functions like `wp_kses()`, `esc_html()`, and `esc_attr()`.\n\nBy adhering to these principles, developers can ensure that user input is handled safely and that their plugins remain resilient against injection attacks.","The Recipe Card Blocks Lite plugin for WordPress (up to version 3.4.13) is vulnerable to Stored Cross-Site Scripting via recipe block attributes such as 'summary' and 'notes'. The vulnerability arises because the `WPZOOM_Helpers::deserialize_block_attributes` method decodes Unicode-encoded sequences back into literal HTML characters after the standard sanitization process, allowing authenticated users with Author-level permissions to bypass security filters and execute arbitrary JavaScript.","\u002F\u002F src\u002Fclasses\u002Fclass-wpzoom-print-template-manager.php line 97\n$recipeTitle = isset( $recipeTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $recipeTitle ) : '';\n\n---\n\n\u002F\u002F src\u002Fclasses\u002Fclass-wpzoom-print-template-manager.php lines 111-113\nWPZOOM_Recipe_Card_Block::$attributes['ingredientsTitle'] = isset( $ingredientsTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $ingredientsTitle ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_ingredients_title' );\nWPZOOM_Recipe_Card_Block::$attributes['directionsTitle']  = isset( $directionsTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $directionsTitle ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_steps_title' );\nWPZOOM_Recipe_Card_Block::$attributes['videoTitle']       = isset( $videoTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $videoTitle ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_video_title' );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frecipe-card-blocks-by-wpzoom\u002F3.4.13\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frecipe-card-blocks-by-wpzoom\u002F3.4.14\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frecipe-card-blocks-by-wpzoom\u002F3.4.13\u002Freadme.txt\t2025-12-26 14:14:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frecipe-card-blocks-by-wpzoom\u002F3.4.14\u002Freadme.txt\t2026-05-21 16:43:48.000000000 +0000\n@@ -165,6 +157,9 @@\n \n == Changelog ==\n \n+= 3.4.14 =\n+* Minor bug fixes\n+\n = 3.4.13 =\n * Bug fix with the recipe importer","To exploit this vulnerability, an authenticated attacker with at least Author-level privileges can create or edit a post containing a Recipe Card block. The attacker injects a malicious payload into the 'summary', 'notes', or recipe title attributes using Unicode-encoded sequences (e.g., `\\u003cscript\\u003ealert(1)\\u003c\u002Fscript\\u003e`). Because standard WordPress block attribute sanitization does not typically flag these escaped sequences as dangerous, the payload is stored in the database. When a user views the post or accesses the print view, the plugin calls `WPZOOM_Helpers::deserialize_block_attributes()`, which converts the Unicode sequences back into literal HTML tags, causing the script to execute in the user's browser context.","gemini-3-flash-preview","2026-06-26 02:57:08","2026-06-26 02:57:57",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","3.4.13","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frecipe-card-blocks-by-wpzoom\u002Ftags\u002F3.4.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frecipe-card-blocks-by-wpzoom.3.4.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frecipe-card-blocks-by-wpzoom\u002Ftags\u002F3.4.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frecipe-card-blocks-by-wpzoom.3.4.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frecipe-card-blocks-by-wpzoom\u002Ftags"]