[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkltekfKsv1_ChjR2Cvd3ss3OsZMBmBisQYmcEKitKFo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-1319","robin-image-optimizer-authenticated-author-stored-cross-site-scripting-via-image-alternative-text-field","Robin Image Optimizer \u003C= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field","The Robin Image Optimizer – Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","robin-image-optimizer",null,"\u003C=2.0.2","2.0.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-04 19:32:21","2026-02-05 08:25:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F288cd86b-8d13-46bf-99ef-76698cd62a41?source=api-prod",1,[],"researched",false,3,"This research plan targets **CVE-2026-1319**, a Stored Cross-Site Scripting (XSS) vulnerability in the **Robin Image Optimizer** plugin for WordPress.\n\n## 1. Vulnerability Summary\nThe Robin Image Optimizer plugin (\u003C= 2.0.2) fails to sufficiently sanitize and escape the **Alternative Text** (alt text) field of images in the Media Library. While WordPress core provides some protections, the plugin likely hooks into image rendering or optimization logs to display this metadata. An authenticated user with **Author** privileges or higher can inject a malicious script into the Alt Text field. This script is stored in the database (usually as `_wp_attachment_image_alt` post meta) and executes when an administrative user views the plugin's optimization reports or when the plugin renders the image on the frontend (e.g., during WebP conversion or lazy loading).\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint**: `wp-admin\u002Fadmin-ajax.php` (Standard WordPress media update) or the plugin's optimization dashboard.\n*   **Action**: `save-attachment` (Core WP) or a plugin-specific AJAX action if they provide a custom edit interface.\n*   **Vulnerable Parameter**: `changes[alt_text__column]` or `alt` (depending on the AJAX handler).\n*   **Authentication**: Required (Author level or higher). Authors can upload images and modify their metadata.\n*   **Preconditions**: Robin Image Optimizer must be active. The XSS typically triggers when the plugin processes the image or displays optimization logs.\n\n## 3. Code Flow\n1.  **Entry Point**: An Author updates an image's \"Alternative Text\" via the Media Library.\n2.  **Storage**: The input is saved to the `wp_postmeta` table under the key `_wp_attachment_image_alt`.\n3.  **Processing**: The plugin (Robin Image Optimizer) retrieves this meta during optimization or when building its \"Optimization Statistics\" or \"Image Comparison\" views.\n4.  **Sink**: The plugin outputs the metadata without calling `esc_attr()` or `esc_html()`.\n    *   *Potential Sink 1*: The plugin's comparison tool (likely `admin\u002Fviews\u002Fimage-statistics.php` or similar).\n    *   *Potential Sink 2*: Frontend rendering logic where the plugin replaces standard `\u003Cimg>` tags with WebP\u002Foptimized versions (likely in `includes\u002Fclasses\u002Fclass-rio-image-statistic.php` or `includes\u002Fclasses\u002Fclass-rio-attachment.php`).\n\n## 4. Nonce Acquisition Strategy\nSince this exploit requires Author-level authentication to update Media, we must acquire the standard WordPress Media nonces.\n\n1.  **Login**: Log in as an **Author**.\n2.  **Navigate**: Use `browser_navigate` to go to the Media Library: `\u002Fwp-admin\u002Fupload.php`.\n3.  **Extract Nonce**: The `save-attachment` action requires a nonce typically found in the `wp.media` JavaScript object or localized variables.\n    *   **Action**: `browser_eval(\"wp.media.model.settings.post.nonce\")` or inspecting the `_wpnonce` in the edit attachment modal.\n4.  **Plugin Specifics**: Check if Robin Image Optimizer localizes its own nonce for its dashboard.\n    *   **Target Variable**: `window.wio_optimization?.nonce` (inferred prefix for Robin Image Optimizer).\n\n## 5. Exploitation Strategy\nWe will exploit this by updating an existing attachment's alternative text via the standard AJAX interface.\n\n### Step 1: Upload and Get ID\nAs an Author, upload a test image to get an `attachment_id`.\n\n### Step 2: Inject Payload\nSend an AJAX request to update the Alt Text.\n\n*   **Tool**: `http_request`\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method**: `POST`\n*   **Content-Type**: `application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```\n    action=save-attachment&id=[ATTACHMENT_ID]&_wpnonce=[NONCE]&changes[alt_text__column]=\u003Cimg src=x onerror=alert(\"CVE-2026-1319\")>\n    ```\n\n### Step 3: Trigger Execution\nThe payload needs to be rendered. We will test two triggers:\n1.  **Admin Dashboard**: Navigate to the Robin Image Optimizer \"Bulk Optimization\" page: `\u002Fwp-admin\u002Fadmin.php?page=bulk_optimization-robin-image-optimizer`. This page often lists images and their optimization status.\n2.  **Frontend**: Create a post containing the image and view it. Robin Image Optimizer will process the `\u003Cimg>` tag and may output the unsanitized alt text in its optimized HTML.\n\n## 6. Test Data Setup\n1.  **User**: Create a user with the **Author** role.\n2.  **Image**: Upload a standard `.jpg` or `.png` to the Media Library.\n3.  **Post**: Create a public post that includes this image.\n4.  **Plugin Config**: Ensure \"WebP Conversion\" or \"Image Optimization\" is enabled in Robin Image Optimizer settings to ensure the plugin's code path for image replacement is active.\n\n## 7. Expected Results\n*   **Storage**: The `_wp_attachment_image_alt` meta for the image should contain the raw `\u003Cimg src=x onerror=...>` string.\n*   **Execution**: When an Admin visits the plugin's \"Optimization\" page, the browser should execute the `alert()` call.\n*   **Response**: The `admin-ajax.php` request should return a JSON success message: `{\"success\":true,\"data\":{...}}`.\n\n## 8. Verification Steps\n1.  **Database Check**: Use WP-CLI to verify the stored meta:\n    ```bash\n    wp post meta get [ATTACHMENT_ID] _wp_attachment_image_alt\n    ```\n2.  **DOM Inspection**: Navigate to the optimization page via `browser_navigate` and check for the presence of the payload:\n    ```bash\n    browser_eval(\"document.body.innerHTML.includes('onerror=alert')\")\n    ```\n\n## 9. Alternative Approaches\nIf the standard `save-attachment` action is sanitized by WordPress core before the plugin sees it (though this is unlikely given the CVE description), the plugin may have its own settings page for \"Bulk Optimization\" where it allows editing image metadata directly. \n\n**Alternative Payload**:\nIf the attribute is rendered inside an existing `alt=\"...\"` attribute:\n`\" onmouseover=\"alert(1)\" style=\"position:fixed;top:0;left:0;width:100%;height:100%;\" `\nThis would break out of the attribute and execute on mouse hover over the image.","The Robin Image Optimizer plugin (\u003C= 2.0.2) is vulnerable to Stored Cross-Site Scripting (XSS) via the 'Alternative Text' metadata field of images. Authenticated attackers with Author-level access or higher can inject malicious scripts into this field, which are then stored and executed when viewed by other users, particularly administrators, in the plugin's optimization logs or dashboard.","1. Authenticate to the WordPress dashboard as a user with Author-level privileges.\n2. Identify a media attachment ID or upload a new image to the Media Library.\n3. Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `save-attachment` and the payload `\u003Cimg src=x onerror=alert(document.domain)>` assigned to the `changes[alt_text__column]` parameter.\n4. Ensure the request includes a valid nonce for the `save-attachment` action.\n5. Trigger the vulnerability by navigating to the plugin's 'Bulk Optimization' page (`\u002Fwp-admin\u002Fadmin.php?page=bulk_optimization-robin-image-optimizer`) where the plugin renders the image metadata without proper escaping, causing the script to execute in the administrator's browser context.","gemini-3-flash-preview","2026-04-27 15:11:42","2026-04-27 15:13:29",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","2.0.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frobin-image-optimizer\u002Ftags\u002F2.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frobin-image-optimizer.2.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frobin-image-optimizer\u002Ftags\u002F2.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frobin-image-optimizer.2.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frobin-image-optimizer\u002Ftags"]