[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFsU0XNvgc91B07frIiXPMsykAs2yIYCMmthE0ZapR6I":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39665","seo-friendly-images-authenticated-contributor-stored-cross-site-scripting","SEO Friendly Images \u003C= 3.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting","The SEO Friendly Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.0.5 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","seo-image",null,"\u003C=3.0.5","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-18 00:00:00","2026-04-15 21:25:59",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff07eb033-f84b-4a17-9b8c-c767ae9285ae?source=api-prod",[],"researched",false,3,"# Research Plan: CVE-2026-39665 - SEO Friendly Images Stored XSS\n\n## 1. Vulnerability Summary\nThe **SEO Friendly Images** plugin (up to version 3.0.5) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin improperly handles the generation of `alt` and `title` attributes for images within post content. Specifically, it allows authenticated users with Contributor-level permissions and above to inject malicious scripts into image attributes (or metadata used to generate those attributes) which are subsequently rendered without sufficient sanitization or attribute escaping (`esc_attr`).\n\n## 2. Attack Vector Analysis\n- **Endpoint:** Post Editor (`\u002Fwp-admin\u002Fpost-new.php` or `\u002Fwp-admin\u002Fpost.php`)\n- **Vulnerable Parameter:** Post Title or Custom Meta fields (e.g., `_seo_image_alt` or similar, inferred) used by the plugin to populate image attributes.\n- **Authentication Level:** Contributor or higher.\n- **Preconditions:** The plugin must be active. By default, it processes images in `the_content` to automatically add `alt` and `title` tags based on defined patterns (e.g., `%title` or `%name`).\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** A Contributor creates or edits a post.\n2.  
**Input:** The user sets a Post Title or specific image metadata containing a payload like `\">\u003Cscript>alert(1)\u003C\u002Fscript>`.\n3.  **Processing:** The plugin registers a filter on `the_content` (e.g., `add_filter('the_content', 'seo_friendly_images_process');`).\n4.  **Transformation:** Inside the processing function (likely using `preg_replace_callback` or a DOM parser), the plugin identifies `\u003Cimg>` tags.\n5.  **Pattern Replacement:** It retrieves the \"ALT\" or \"TITLE\" pattern from plugin settings (e.g., `get_option('seo_image_options')`). If the pattern involves the post title, it fetches `$post->post_title`.\n6.  **Vulnerable Sink:** The plugin constructs the new `alt` or `title` string and concatenates it into the `\u003Cimg>` tag:\n    ```php\n    \u002F\u002F Example of vulnerable logic\n    $new_tag = str_replace('alt=\"', 'alt=\"' . $computed_alt_value . '\" ', $old_tag);\n    ```\n    If `$computed_alt_value` (derived from the user-controlled Post Title) is not passed through `esc_attr()`, the attribute is broken, and the script is injected.\n7.  **Output:** The modified content is returned to `the_content` and rendered in the browser.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability typically exploits the standard WordPress post saving mechanism or metadata updates.\n- **Is a specific plugin nonce needed?** No. Contributors use the standard WordPress `_wpnonce` provided in the post editor form.\n- **Manual Extraction (if needed for AJAX meta updates):**\n    1. Navigate to the Post Editor as a Contributor.\n    2. Use `browser_eval` to extract the post nonce if the plugin uses a custom AJAX save:\n       `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n- **Standard Post Save:** The `http_request` tool will simulate a standard `POST` to `wp-admin\u002Fpost.php`.\n\n## 5. 
Exploitation Strategy\nThe goal is to inject a payload into a field that the plugin uses to generate image attributes.\n\n### Step 1: Login as Contributor\nUse `browser_navigate` to authenticate as a user with the `contributor` role.\n\n### Step 2: Create a Malicious Post\nCreate a post where the title contains the XSS payload and the content contains an image tag that the plugin will process.\n\n**HTTP Request (Simulation):**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n- **Method:** `POST`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=editpost\n  &post_ID=[ID]\n  &post_title=Test Image Post\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n  &content=\u003Cimg src=\"https:\u002F\u002Fexample.com\u002Ftest.jpg\">\n  &_wpnonce=[NONCE]\n  ```\n\n### Step 3: Trigger the XSS\nLog in as an **Administrator** and navigate to the newly created post on the frontend. The plugin will process the `\u003Cimg>` tag, insert the malicious Post Title into the `alt` or `title` attribute, and execute the script.\n\n## 6. Test Data Setup\n1.  **Plugin Configuration:** Ensure the plugin is configured to use the post title for image attributes.\n    - Check settings page: `\u002Fwp-admin\u002Foptions-general.php?page=seo-image.php` (inferred).\n    - Setting: `ALT attribute` should contain `%title`.\n2.  **User:** Create a user with the `contributor` role.\n3.  **Post:** A post ID must be obtained (via `wp post create` via CLI) before sending the `POST` request to `post.php`.\n\n## 7. Expected Results\nWhen viewing the post as an Administrator:\n1.  The HTML source for the image will look something like:\n    `\u003Cimg src=\"...\" alt=\"Test Image Post\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">`\n2.  An alert box showing the document domain will appear.\n\n## 8. Verification Steps\n1.  
**WP-CLI Check:** Verify the post title was saved with the payload intact. Contributors lack the `unfiltered_html` capability, so core hooks `wp_filter_kses` on `title_save_pre` for them and a literal `\u003Cscript>` tag may be stripped before the title reaches the database; this step confirms what actually persisted.\n    `wp post get [ID] --field=post_title`\n2.  **HTML Inspection:** Fetch the post frontend HTML and check for the unescaped script within the image tag.\n    `http_request --url \"http:\u002F\u002Flocalhost:8080\u002F?p=[ID]\"`\n    Search for: `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n\n## 9. Alternative Approaches\nIf the plugin does not use the Post Title by default:\n1.  **Check Meta Box:** If the plugin adds a meta box to the editor, identify the parameter names for \"Custom Alt\" or \"Custom Title\" (e.g., `seo_image_alt_override`).\n2.  **Payload in Image Metadata:** Try injecting the payload into the \"Description\" or \"Caption\" of the image via the Media Library, then inserting that image into a post.\n3.  **Shortcode Attribute:** If the plugin provides a shortcode (e.g., `[seo_image]`), test if attributes passed to the shortcode are escaped.\n    - `wp post create --post_content='[seo_image alt=\"\\\">\u003Cscript>alert(1)\u003C\u002Fscript>\"]' --post_author=[CONTRIBUTOR_ID]`","The SEO Friendly Images plugin (\u003C= 3.0.5) is vulnerable to Stored Cross-Site Scripting (XSS) because it fails to sanitize and escape user-controlled post data used to generate image 'alt' and 'title' attributes. An authenticated attacker with Contributor-level permissions can inject malicious scripts into a post title or image metadata, which are then rendered unescaped in the frontend content.","\u002F\u002F seo-image.php (approximate location based on plugin functionality)\n\nfunction seo_friendly_images_process($content) {\n    
$options    = get_option('seo_image_options');\n    $post_title = get_the_title(); \u002F\u002F User-controlled via post creation\n\n    \u002F\u002F Vulnerable: user-controlled title is substituted into the patterns without escaping\n    $new_alt   = str_replace('%title', $post_title, $options['alt_pattern']);\n    $new_title = str_replace('%title', $post_title, $options['title_pattern']);\n\n    \u002F\u002F Rewrite every \u003Cimg> tag in the_content\n    return preg_replace_callback('\u002F\u003Cimg\\b[^>]*>\u002Fi', function ($m) use ($new_alt, $new_title) {\n        $img_tag = $m[0];\n\n        \u002F\u002F Vulnerable: the resulting strings are inserted directly into the HTML attributes\n        if (preg_match('\u002F\\salt=\"\u002Fi', $img_tag)) {\n            $img_tag = preg_replace('\u002Falt=\"[^\"]*\"\u002Fi', 'alt=\"' . $new_alt . '\"', $img_tag);\n        } else {\n            $img_tag = preg_replace('\u002F\u003Cimg\u002Fi', '\u003Cimg alt=\"' . $new_alt . '\"', $img_tag, 1);\n        }\n        if (preg_match('\u002F\\stitle=\"\u002Fi', $img_tag)) {\n            $img_tag = preg_replace('\u002Ftitle=\"[^\"]*\"\u002Fi', 'title=\"' . $new_title . '\"', $img_tag);\n        } else {\n            $img_tag = preg_replace('\u002F\u003Cimg\u002Fi', '\u003Cimg title=\"' . $new_title . '\"', $img_tag, 1);\n        }\n        return $img_tag;\n    }, $content);\n}\nadd_filter('the_content', 'seo_friendly_images_process');","--- seo-image.php\n+++ seo-image.php\n@@ -115,5 +115,5 @@\n-    $img_tag = preg_replace('\u002Falt=\"[^\"]*\"\u002Fi', 'alt=\"' . $new_alt . '\"', $img_tag);\n+    $img_tag = preg_replace('\u002Falt=\"[^\"]*\"\u002Fi', 'alt=\"' . esc_attr($new_alt) . '\"', $img_tag);\n-    $img_tag = preg_replace('\u002Ftitle=\"[^\"]*\"\u002Fi', 'title=\"' . $new_title . '\"', $img_tag);\n+    $img_tag = preg_replace('\u002Ftitle=\"[^\"]*\"\u002Fi', 'title=\"' . esc_attr($new_title) . '\"', $img_tag);","1. Authenticate as a Contributor or higher user.\n2. Navigate to the Post Editor and create a new post.\n3. Set the Post Title to a payload that breaks the HTML attribute context, such as: XSS Payload\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>.\n4. In the post content, insert a standard image tag: \u003Cimg src=\"https:\u002F\u002Fexample.com\u002Fimage.jpg\" \u002F>.\n5. Publish or save the post for review.\n6. As an administrator or any other user, view the published post on the frontend.\n7. The plugin's content filter will replace the image's alt or title attribute with the malicious title. 
Because the output is not escaped with esc_attr(), the script tag will be rendered and executed in the browser.","gemini-3-flash-preview","2026-04-19 04:49:27","2026-04-19 04:49:47",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fseo-image\u002Ftags"]
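Review bot: the hunk header `@@ -115,5 +115,5 @@` in the research_fix_diff does not match its body, which has two `-` and two `+` lines and no context lines, so `patch` and `git apply` will reject it as written; regenerate it from the actual working tree. On the change itself, `esc_attr()` is the right escaper for a double-quoted attribute value, but both values are still passed to `preg_replace()` as replacement strings, where `$0`/`$1` and backslash sequences are interpreted, and `esc_attr()` does not neutralise `$` or `\`; splice the value in with `preg_replace_callback()` instead so a title containing `$0` is not expanded. Also note that `'/alt="[^"]*"/i'` only rewrites an existing double-quoted `alt`, so tags with a single-quoted, unquoted or absent attribute fall through untouched, while the research plan expects the plugin to add the attribute when it is missing; whichever code path does the adding needs the same `esc_attr()` treatment.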
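Added example, not the plugin's own code and not the page's inferred snippet: a `the_content`-style `<img>` rewriter in the vulnerable form the research plan describes beside a hardened form, runnable from the command line without WordPress. The option keys `alt_pattern`/`title_pattern`, the `%title` token and the function names are assumptions; `esc_attr()` gets a stand-in that approximates the WordPress function only when it is not already defined.

```php
<?php
// Added example, not the plugin's own code: a the_content-style <img> rewriter in
// the vulnerable form the research plan infers and in a hardened form, runnable
// from the command line without WordPress. Assumptions: the option keys
// 'alt_pattern'/'title_pattern' and the %title token; esc_attr() gets a stand-in
// that approximates the WordPress function when it is not already defined.

if (!function_exists('esc_attr')) {
    // Stand-in approximating WordPress esc_attr(): encodes & < > " ' for an attribute value.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML401, 'UTF-8', false);
    }
}

// Expand the configured patterns with the post title (attacker-controlled for a Contributor).
function seo_image_build_values(array $options, string $post_title): array {
    return [
        'alt'   => str_replace('%title', $post_title, $options['alt_pattern']),
        'title' => str_replace('%title', $post_title, $options['title_pattern']),
    ];
}

// Set or replace one attribute on a single <img ...> tag. $escape selects the
// vulnerable path (raw concatenation) or the hardened path (esc_attr). The splice
// uses strtr() or a callback rather than a preg_replace() replacement string, so a
// value containing '$0' or a backslash is never expanded as a backreference.
function seo_image_set_attr(string $img_tag, string $name, string $value, bool $escape): string {
    $attr = $name . '="' . ($escape ? esc_attr($value) : $value) . '"';
    // Existing attribute in any quoting style: double, single or unquoted.
    if (preg_match('/\s' . $name . '\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', $img_tag, $m)) {
        return strtr($img_tag, [$m[0] => ' ' . $attr]);
    }
    // Attribute absent: add it right after the tag name.
    return preg_replace_callback('/^<img\b/i', function () use ($attr) {
        return '<img ' . $attr;
    }, $img_tag, 1);
}

// The filter body: rewrite every <img> tag in the post content.
function seo_image_filter_content(string $content, array $options, string $post_title, bool $hardened): string {
    $values = seo_image_build_values($options, $post_title);
    return preg_replace_callback('/<img\b[^>]*>/i', function ($m) use ($values, $hardened) {
        $tag = seo_image_set_attr($m[0], 'alt', $values['alt'], $hardened);
        return seo_image_set_attr($tag, 'title', $values['title'], $hardened);
    }, $content);
}

// Constructed inputs mirroring the research plan: a title that closes the attribute
// and opens a <script> element, and a post body with a plain <img> (no alt, no title).
$options    = ['alt_pattern' => '%title', 'title_pattern' => '%title'];
$post_title = 'Test Image Post"><script>alert(document.domain)</script>';
$content    = '<p>Hello</p><img src="https://example.com/test.jpg" />';

$vulnerable = seo_image_filter_content($content, $options, $post_title, false);
$hardened   = seo_image_filter_content($content, $options, $post_title, true);

echo "vulnerable: {$vulnerable}\n";
echo "hardened:   {$hardened}\n";

// The unescaped path emits a live <script> element; the escaped path leaves the
// payload inert inside the attribute value (&quot;&gt;&lt;script&gt;...).
if (strpos($vulnerable, '<script>') === false || strpos($hardened, '<script>') !== false) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
```

Run it with `php seo-image-demo.php`: the first line of output shows the title breaking out of `alt="..."` and landing a `<script>` element in the tag, the second shows the same title rendered harmlessly once it passes through the attribute escaper. Setting `$escape` at the sink rather than sanitising the title on input matches the page's fix and is the only place the context (a double-quoted attribute) is known.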