[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuaFa9g5zhcqleuieetr9HMjc6AnCkEknhQjDCJPDdBc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-1216","rss-aggregator-reflected-cross-site-scripting-via-template-parameter","RSS Aggregator \u003C= 5.0.10 - Reflected Cross-Site Scripting via 'template' Parameter","The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","wp-rss-aggregator",null,"\u003C=5.0.10","5.0.11","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-16 20:31:00","2026-02-17 09:26:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F47a10dd4-515c-42d9-82ea-c84f8f7574c5?source=api-prod",1,[22,23,24,25,26,27,28,29],"core\u002Fmodules\u002Frenderer.php","core\u002Fsrc\u002FDisplay\u002FLayoutTrait.php","core\u002Fsrc\u002FDisplay\u002FListLayout.php","core\u002Fsrc\u002FIrPost\u002FIrImage.php","core\u002Fsrc\u002FRenderer.php","core\u002Fsrc\u002FV4\u002FV4SourceMigrator.php","languages\u002Fwp-rss-aggregator.pot","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-1216 - WP RSS Aggregator Reflected XSS\n\n## 1. Vulnerability Summary\nThe **WP RSS Aggregator** plugin (versions \u003C= 5.0.10) contains a reflected cross-site scripting (XSS) vulnerability in its AJAX rendering logic. Specifically, the `template` parameter within the JSON-encoded `data` POST variable is reflected into the page without sufficient sanitization or escaping when the plugin fails to find a corresponding display template. This allows unauthenticated attackers to execute arbitrary JavaScript in the context of a user's browser by tricking them into submitting a specially crafted POST request.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `wpra.render.display` (and `nopriv_wpra.render.display`)\n- **Vulnerable Parameter**: `data` (specifically the `template` key inside the JSON payload)\n- **Authentication**: None (Unauthenticated)\n- **Preconditions**: The plugin must be active.\n- **Vulnerability Type**: Reflected XSS (POST-based)\n\n## 3. Code Flow\n1. **Entry Point**: In `core\u002Fmodules\u002Frenderer.php`, the plugin registers the AJAX action `wp_ajax_nopriv_wpra.render.display` which maps to the `$ajaxRender` anonymous function.\n2. **Input Retrieval**: `$ajaxRender` retrieves user input using `filter_input(INPUT_POST, 'data')` and decodes it as JSON into the `$data` array.\n3. **Validation Bypass**: The code checks that `$data['id']` and `$data['page']` are numeric. Other fields like `template` are not validated at this stage.\n4. **Rendering Call**: It calls `$renderer->renderArgs($data, 'shortcode')`.\n5. **Vulnerable Processing**: In `core\u002Fsrc\u002FRenderer.php`, `renderArgs` calls `$this->parseArgs($args, $type)`.\n6. **Triggering the Sink**:\n   - `parseArgs` extracts `$v4Slug = trim($args['template'] ?? '')`.\n   - It then calls `$this->displays->getByV4Slug($v4Slug)`.\n   - If `$v4Slug` is a malicious payload (and thus doesn't exist as a valid slug), `getByV4Slug` returns a `Result::Err` object containing an error message (e.g., `\"Display template '\u003Cpayload>' not found\"`).\n   - `renderArgs` receives this error and returns `$this->adminMessage($result->error()->getMessage())`.\n7. **Execution**: The `adminMessage` method (likely a simple HTML wrapper) echoes the unsanitized error message containing the payload back to the browser with a `text\u002Fhtml` content type.\n\n## 4. Nonce Acquisition Strategy\nAccording to the source code in `core\u002Fmodules\u002Frenderer.php`, the `wpra.render.display` AJAX handler **does not perform any nonce verification**.\n```php\n$ajaxRender = function () use ( $renderer ) {\n    $dataJson = filter_input( INPUT_POST, 'data' );\n    $data = json_decode( $dataJson, true );\n    \u002F\u002F ... validation of id and page only ...\n    echo $renderer->renderArgs( $data, 'shortcode' );\n    die();\n};\nadd_action( 'wp_ajax_nopriv_wpra.render.display', $ajaxRender );\n```\nBecause `check_ajax_referer` or `wp_verify_nonce` is missing, an attacker can trigger this endpoint unauthenticated without a nonce.\n\n## 5. Exploitation Strategy\nSince the reflection occurs via a POST request, the \"link clicking\" mentioned in the description refers to a CSRF-style attack where a victim is lured to an attacker-controlled page that auto-submits a POST form to the vulnerable WordPress site.\n\n### Steps for automated PoC:\n1. **Target**: `POST \u002Fwp-admin\u002Fadmin-ajax.php`\n2. **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n3. **Payload**:\n   - `action`: `wpra.render.display`\n   - `data`: `{\"id\":1,\"page\":1,\"template\":\"\u003Cscript>alert('XSS_SUCCESS')\u003C\u002Fscript>\"}`\n4. **Tool**: Use `http_request` to send the POST request.\n\n## 6. Test Data Setup\nNo specific configuration is strictly required as the vulnerability is triggered on the **error path** (providing a template that does not exist).\n1. Ensure the plugin `wp-rss-aggregator` is installed and activated.\n2. (Optional) Create one Feed Source via WP-CLI to ensure the system is initialized:\n   `wp post create --post_type=wprss_feed --post_title=\"Test Feed\" --post_status=publish`\n\n## 7. Expected Results\nThe server should respond with a `200 OK` status and a body containing the unescaped script tag.\n**Example Response Body**:\n```html\n\u003Cdiv class=\"wpra-message wpra-error\">Display with slug &quot;\u003Cscript>alert('XSS_SUCCESS')\u003C\u002Fscript>&quot; not found.\u003C\u002Fdiv>\n```\n*(Note: If the message wrapper is different, the key is the presence of the raw script tag)*.\n\n## 8. Verification Steps\n1. Execute the `http_request` tool with the POST parameters.\n2. Inspect the `response_body` for the string `\u003Cscript>alert('XSS_SUCCESS')\u003C\u002Fscript>`.\n3. Confirm that no HTML escaping (like `&lt;`) was applied to the script tag.\n\n## 9. Alternative Approaches\nIf the error message reflection is patched or behaves differently, attempt to inject the payload into other keys in the `data` JSON object that might be reflected in the layout output:\n- **`align` parameter**: Although `renderDisplay` uses `esc_attr( $attributes['align'] )`, verify if any other layouts (e.g., Pro templates if available) handle this differently.\n- **Shortcode Context**: Use a contributor-level account to create a post with `[wp-rss-aggregator template","The RSS Aggregator plugin for WordPress is vulnerable to reflected Cross-Site Scripting via the 'template' parameter in the 'wpra.render.display' AJAX action. Unauthenticated attackers can exploit this by sending a crafted POST request that results in the injection of arbitrary web scripts into the page when the plugin fails to find a corresponding display template and reflects the input unsanitized in an error message.","\u002F\u002F core\u002Fmodules\u002Frenderer.php:43\n$ajaxRender = function () use ( $renderer ) {\n    $dataJson = filter_input( INPUT_POST, 'data' );\n    $data = json_decode( $dataJson, true );\n\n    if ( json_last_error() !== JSON_ERROR_NONE ) {\n        status_header( 400 );\n        echo 'Could not decode JSON.';\n        die();\n    }\n\n    $id = $data['id'] ?? null;\n    $page = $data['page'] ?? null;\n\n    if ( ! is_numeric( $id ) || ! is_numeric( $page ) ) {\n        status_header( 400 );\n        echo 'Invalid ID or page number.';\n        die();\n    }\n\n    echo $renderer->renderArgs( $data, 'shortcode' );\n    die();\n};\n\nadd_action( 'wp_ajax_wpra.render.display', $ajaxRender );\nadd_action( 'wp_ajax_nopriv_wpra.render.display', $ajaxRender );\n\n---\n\n\u002F\u002F core\u002Fsrc\u002FRenderer.php:210\n$v4Slug = trim( $args['template'] ?? '' );\n$display = new Display( null );\n\nif ( ! empty( $v4Slug ) ) {\n    $result = $this->displays->getByV4Slug( $v4Slug );\n    if ( $result->isErr() ) {\n        return $result;\n    }\n    $display = $result->get();\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-rss-aggregator\u002F5.0.10\u002Fcore\u002Fmodules\u002Frenderer.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-rss-aggregator\u002F5.0.11\u002Fcore\u002Fmodules\u002Frenderer.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-rss-aggregator\u002F5.0.10\u002Fcore\u002Fmodules\u002Frenderer.php\t2025-07-24 12:00:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-rss-aggregator\u002F5.0.11\u002Fcore\u002Fmodules\u002Frenderer.php\t2026-01-14 10:19:30.000000000 +0000\n@@ -55,6 +55,12 @@\n \t\t\t\tdie();\n \t\t\t}\n \n+\t\t\t$nonce = $data['_wpnonce'] ?? '';\n+\t\t\tif ( ! wp_verify_nonce( $nonce, 'wpra_render_display' ) ) {\n+\t\t\t\tstatus_header( 403 );\n+\t\t\t\techo 'Nonce verification failed.';\n+\t\t\t\tdie();\n+\t\t\t}\n \t\t\t\u002F\u002F The $data array now contains all persisted shortcode attributes\n \t\t\t\u002F\u002F from hx-vals, including id, page, sources, limit, exclude, pagination, template.\n \t\t\t\u002F\u002F Pass the whole $data array to renderArgs.\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-rss-aggregator\u002F5.0.10\u002Fcore\u002Fsrc\u002FRenderer.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-rss-aggregator\u002F5.0.11\u002Fcore\u002Fsrc\u002FRenderer.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-rss-aggregator\u002F5.0.10\u002Fcore\u002Fsrc\u002FRenderer.php\t2025-07-24 12:00:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-rss-aggregator\u002F5.0.11\u002Fcore\u002Fsrc\u002FRenderer.php\t2026-01-14 10:19:30.000000000 +0000\n@@ -198,15 +198,15 @@\n \t\tif ( 'block' === $type && ! empty( $id ) ) {\n \t\t\t$preserved_args = array(\n \t\t\t\t'id' => $id,\n-\t\t\t\t'align' => $args['align'] ?? null,\n-\t\t\t\t'limit' => $args['limit'] ?? null,\n-\t\t\t\t'pagination' => $args['pagination'] ?? null,\n+\t\t\t\t'align'      => isset( $args['align'] ) ? sanitize_text_field( $args['align'] ) : null,\n+\t\t\t\t'limit'      => isset( $args['limit'] ) ? sanitize_text_field( $args['limit'] ) : null,\n+\t\t\t\t'pagination' => isset( $args['pagination'] ) ? sanitize_text_field( $args['pagination'] ) : null,\n \t\t\t);\n \t\t\t\u002F\u002F Filter out null values to keep $args clean\n-\t\t\t$args = array_filter($preserved_args, fn($value) => $value !== null);\n+\t\t\t$args = array_filter( $preserved_args, fn( $value ) => $value !== null );\n \t\t}\n \n-\t\t$v4Slug = trim( $args['template'] ?? '' );\n+\t\t$v4Slug = sanitize_text_field( $args['template'] ?? '' );\n \t\t$display = new Display( null );\n \n \t\tif ( ! empty( $v4Slug ) ) {","The exploit targets the AJAX endpoint `wp-admin\u002Fadmin-ajax.php` using the action `wpra.render.display`. This endpoint is accessible to unauthenticated users (`nopriv`). An attacker creates a POST request where the `data` parameter contains a JSON-encoded object. By setting the `template` key in this object to an XSS payload (e.g., `\u003Cscript>alert('XSS')\u003C\u002Fscript>`), the plugin's `getByV4Slug` method fails to find a valid template with that name and returns an error object. The `renderArgs` method then retrieves the error message, which includes the raw, unescaped payload, and echoes it back to the browser. Because the endpoint does not require a nonce in vulnerable versions, an attacker can use a CSRF-style auto-submitting form on a malicious site to trick a logged-in user or even an unauthenticated visitor into triggering the script execution.","gemini-3-flash-preview","2026-04-20 21:35:05","2026-04-20 21:35:55",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.0.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-rss-aggregator\u002Ftags\u002F5.0.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rss-aggregator.5.0.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-rss-aggregator\u002Ftags\u002F5.0.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rss-aggregator.5.0.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-rss-aggregator\u002Ftags"]