[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZ4xT7sG32QbFiRN5dR0XbqEYFBSNFD5JFUCAUFTk3bw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"source_links":37},"CVE-2026-4059","shoplentor-authenticated-contributor-stored-cross-site-scripting-via-buttontext-shortcode-attribute","ShopLentor \u003C= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute","The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","woolentor-addons",null,"\u003C=3.3.5","3.3.6","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-13 14:48:10","2026-04-14 03:37:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffdf0b13e-154c-4007-bfc2-5346d906f7ca?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fwoolentor-elementor-editor.js","classes\u002Fclass.assest_management.php","classes\u002Fclass.widgets_control.php","includes\u002Faddons\u002Fwb_product_reviews.php","includes\u002Faddons\u002Fwl_product_horizontal_filter.php","includes\u002Fadmin-panel\u002Fassets\u002Fjs\u002Fadmin.js","includes\u002Fadmin-panel\u002Fincludes\u002Fclasses\u002FAdmin\u002FMenu.php","includes\u002Fadmin-panel\u002Fincludes\u002Fclasses\u002FAdmin\u002FOptions_field.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-4059\n\n## 1. Vulnerability Summary\nThe **ShopLentor** (formerly WooLentor) plugin for WordPress is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `button_text` attribute of the `woolentor_quickview_button` shortcode. In versions up to and including 3.3.5, the plugin fails to sanitize the attribute input and fails to escape it upon output. This allows authenticated users with **Contributor-level** permissions or higher to inject arbitrary JavaScript into pages.\n\n## 2. Attack Vector Analysis\n*   **Shortcode:** `[woolentor_quickview_button]`\n*   **Vulnerable Attribute:** `button_text`\n*   **Authentication Requirement:** Contributor+ (any role allowed to create\u002Fedit posts).\n*   **Precondition:** The ShopLentor plugin must be active. 
WooCommerce usually needs to be active for \"Quick View\" buttons to function, but the rendering of the shortcode attribute often occurs regardless of WooCommerce state if the shortcode handler is registered.\n*   **Endpoint:** Standard WordPress post creation\u002Fediting via `wp-admin\u002Fpost.php` or the REST API (`\u002Fwp\u002Fv2\u002Fposts`).\n\n## 3. Code Flow\nWhile the specific shortcode handler file (likely `includes\u002Fshortcodes\u002Fclass.quickview_button.php` or similar) was not provided in the snippets, the architectural pattern in ShopLentor (visible in `classes\u002Fclass.widgets_control.php` and `includes\u002Faddons\u002Fwb_product_reviews.php`) indicates a structure where attributes are extracted and rendered:\n\n1.  **Registration:** The plugin registers the shortcode using `add_shortcode( 'woolentor_quickview_button', [ $this, 'render_shortcode' ] )`.\n2.  **Parsing:** When a post is viewed, WordPress parses `[woolentor_quickview_button button_text=\"PAYLOAD\"]`.\n3.  **Handler Execution:** The handler receives the `$atts` array. Typically, it uses `shortcode_atts()` to merge defaults.\n4.  **Vulnerable Sink:** The code likely executes a statement similar to:\n    ```php\n    \u002F\u002F Inferred Vulnerable Logic:\n    $button_text = $atts['button_text'];\n    return '\u003Cbutton class=\"...\">' . $button_text . '\u003C\u002Fbutton>'; \n    \u002F\u002F OR\n    echo '\u003Cbutton class=\"...\" data-text=\"' . $button_text . '\">';\n    ```\n5.  **Result:** Because `$button_text` is neither sanitized via `sanitize_text_field()` during input nor escaped via `esc_html()` or `esc_attr()` during output, the payload executes in the victim's browser.\n\n## 4. Nonce Acquisition Strategy\nFor **Stored XSS via Shortcode Attributes**, a specific plugin nonce is usually **not required**. The attacker utilizes the standard WordPress post-creation flow.\n\n1.  **Context:** The execution agent will act as a Contributor.\n2.  
**Standard Post Creation:** WordPress core handles nonces for saving posts (`_wpnonce` in the post editor).\n3.  **REST API:** If using the REST API, the agent needs the `wp_rest` nonce (sent in the `X-WP-Nonce` header) or an Application Password for the Contributor account; no plugin-specific nonce is involved.\n4.  **Action:**\n    -   Navigate to `wp-admin\u002Fpost-new.php`.\n    -   Use `browser_eval` to extract the `_wpnonce` for saving the post if using traditional form submission, or the `wp_rest` nonce from `window.wpApiSettings.nonce` if using the REST API.\n\n## 5. Exploitation Strategy\nThe goal is to create a post as a Contributor containing the malicious shortcode and verify that an Admin (or Editor) viewing the post triggers the script.\n\n**KSES caveat:** Contributors lack the `unfiltered_html` capability, so WordPress runs `wp_filter_post_kses()` on the post content at save time (via the `content_save_pre` filter), whether the post is saved through the editor or the REST API. KSES strips `\u003Cscript>` tags and `on*` event-handler attributes from any HTML tag in the content, but it does not touch text that is not an HTML tag, including the inside of a shortcode. A payload that contains only quotes and relies on the shortcode handler to build the tag at render time therefore survives; a payload that itself contains an HTML tag does not.\n\n### Step-by-Step Plan:\n1.  **Login:** Authenticate as a Contributor user.\n2.  **Create Post:** Send an HTTP request to create a new post with the malicious shortcode.\n    -   **Payload 1 (Attribute Breakout, survives KSES):** `[woolentor_quickview_button button_text='\" onmouseover=\"alert(\u002FXSS_BY_SHORTCODE\u002F)']` This works only if the handler writes `button_text` into an HTML attribute (e.g. `data-text=\"...\"`) without `esc_attr()`.\n    -   **Payload 2 (Label Injection, Editor\u002FAdmin only):** `[woolentor_quickview_button button_text=\"\u003Cscript>alert('XSS_BY_SHORTCODE')\u003C\u002Fscript>\"]` KSES removes the `\u003Cscript>` tag for Contributors; this payload tests the text-context sink (missing `esc_html()`) from an account that has `unfiltered_html`.\n3.  **Save as pending:** Contributors do not have `publish_posts`, so a REST request with `\"status\": \"publish\"` is rejected with `rest_cannot_publish` (HTTP 401\u002F403). Use `\"status\": \"pending\"` (or `draft`) so that an Admin or Editor opens the post for review.\n4.  **Trigger:** As the reviewing Admin or Editor, open the post preview (`\u002F?p=\u003CID>&preview=true`), or the front-end URL once the post has been published.\n\n### HTTP Request Example (REST API):\n```http\nPOST \u002Fwp-json\u002Fwp\u002Fv2\u002Fposts HTTP\u002F1.1\nHost: localhost\nContent-Type: application\u002Fjson\nX-WP-Nonce: [REST_NONCE]\n\n{\n  \"title\": \"QuickView Test\",\n  \"content\": \"[woolentor_quickview_button button_text='\\\" onmouseover=\\\"console.log(\u002FVulnerable_ShopLentor\u002F)']\",\n  \"status\": \"pending\"\n}\n```\n\n## 6. Test Data Setup\n1.  **User:** Create a user with the `contributor` role.\n    -   `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n2.  **Plugin State:** Ensure `woolentor-addons` is active. If the Quick View module is toggled off in the ShopLentor settings, the shortcode may not be registered and WordPress prints it as literal text.\n3.  **WooCommerce:** WooCommerce should be active, as the \"Quick View\" functionality is tied to it and the shortcode logic may not initialise without it.\n\n## 7. Expected Results\n1.  The HTTP request to create the post returns `201 Created` with `\"status\": \"pending\"`.\n2.  When the reviewer opens the preview URL (e.g., `\u002F?p=123&preview=true`), the HTML source contains the unescaped payload, i.e. a `\u003Cbutton ...>` tag carrying an injected `onmouseover` attribute.\n3.  The browser executes the JavaScript (e.g., `alert` or `console.log`) on the triggering event.\n\n## 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to confirm the content is stored raw. `wp post list` shows only published posts by default, so include pending posts explicitly.\n    ```bash\n    wp post list --post_type=post --post_status=any --fields=ID,post_status,post_content | grep \"woolentor_quickview_button\"\n    ```\n2.  **DOM Inspection:** Use `browser_navigate` to the preview as the reviewer and check that the payload became an attribute rather than text:\n    ```javascript\n    browser_eval(\"!!document.querySelector('button[onmouseover]')\")\n    ```\n\n## 9. Alternative Approaches\nIf the `button_text` is rendered inside an Elementor Widget rather than a standard WordPress shortcode:\n1.  **Elementor Editor Path:** The vulnerability might manifest in the Elementor preview.\n2.  **Draft Preview:** Contributors can save drafts. An Admin reviewing the draft would trigger the XSS.\n3.  
**Other Attributes:** If `button_text` is patched, check other attributes like `product_id` (if reflected) or `class_name` which are often processed similarly in the same shortcode handler.\n\n### Potential Localization Variables (if AJAX-based):\nBased on `classes\u002Fclass.assest_management.php`, look for:\n- `woolentor_addons_localize` (Inferred from common plugin naming conventions).\n- Check `wp_localize_script` calls in `classes\u002Fclass.assest_management.php` (The provided source is truncated but reveals extensive script registration).\n- Use `browser_eval(\"window.woolentor_addons_localize\")` to find any nonces if an AJAX-based shortcode rendering occurs.","gemini-3-flash-preview","2026-04-16 15:57:47","2026-04-16 15:58:12",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.3.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoolentor-addons\u002Ftags\u002F3.3.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoolentor-addons.3.3.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoolentor-addons\u002Ftags\u002F3.3.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoolentor-addons.3.3.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoolentor-addons\u002Ftags"]
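The research plan above only infers the shape of the vulnerable handler, since the shortcode file itself is not on this page. The following WordPress mu-plugin is an added example, not ShopLentor's code: it places the inferred unsafe pattern (attribute concatenated into HTML with no escaping) next to a hardened handler that whitelists attributes, coerces types and escapes for each output context. The shortcode names `wl_demo_quickview_vuln` / `wl_demo_quickview_safe`, the function names, and the attribute set (`product_id`, `button_text`, `class_name`) are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Quick View button shortcode: vulnerable vs. hardened (added example)
 *
 * Illustrative code added to this page. It is NOT ShopLentor's handler (that
 * file is not shown here); it reproduces the inferred pattern from section 3
 * next to a hardened version. Shortcode and function names are hypothetical.
 * Drop into wp-content/mu-plugins/ on a test site to compare the two.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Vulnerable pattern: attributes are merged with shortcode_atts() and then
 * concatenated straight into HTML. Two sinks are shown because the page does
 * not say which one ShopLentor hit.
 */
function wl_demo_quickview_button_vulnerable( $atts ) {
	$atts = shortcode_atts(
		array(
			'product_id'  => 0,
			'button_text' => 'Quick View',
			'class_name'  => '',
		),
		$atts,
		'wl_demo_quickview_vuln'
	);

	// Sink 1 (attribute context, no esc_attr()): a Contributor payload such as
	//   button_text='" onmouseover="alert(1)'
	// contains no HTML tag, so KSES leaves it alone at save time, and the
	// handler turns it into a new attribute at render time.
	// Sink 2 (text context, no esc_html()): <script> works here only for an
	// author with unfiltered_html, because KSES strips it for everyone else.
	return '<button class="woolentor-quickview ' . $atts['class_name'] . '"'
		. ' data-product_id="' . $atts['product_id'] . '"'
		. ' data-text="' . $atts['button_text'] . '">'
		. $atts['button_text']
		. '</button>';
}
add_shortcode( 'wl_demo_quickview_vuln', 'wl_demo_quickview_button_vulnerable' );

/**
 * Hardened pattern: whitelist attributes via shortcode_atts(), coerce each to
 * its expected type, and escape for the exact output context at the sink.
 * Escaping at output is the decisive fix; input sanitisation alone does not
 * cover a value that is stored as text and only becomes HTML when rendered.
 */
function wl_demo_quickview_button_hardened( $atts ) {
	$atts = shortcode_atts(
		array(
			'product_id'  => 0,
			'button_text' => __( 'Quick View', 'wl-demo' ),
			'class_name'  => '',
		),
		$atts,
		'wl_demo_quickview_safe'
	);

	$product_id  = absint( $atts['product_id'] );
	$button_text = sanitize_text_field( $atts['button_text'] );

	// Reduce class_name to tokens that are valid in a class attribute.
	$classes = preg_split( '/\s+/', (string) $atts['class_name'], -1, PREG_SPLIT_NO_EMPTY );
	$classes = array_filter( array_map( 'sanitize_html_class', $classes ) );

	return sprintf(
		'<button class="woolentor-quickview %1$s" data-product_id="%2$d" data-text="%3$s">%4$s</button>',
		esc_attr( implode( ' ', $classes ) ),
		$product_id,
		esc_attr( $button_text ),
		esc_html( $button_text )
	);
}
add_shortcode( 'wl_demo_quickview_safe', 'wl_demo_quickview_button_hardened' );
```

On a test site, save `[wl_demo_quickview_vuln button_text='" onmouseover="alert(1)']` as a Contributor and preview it: the rendered button gains an `onmouseover` attribute, because KSES never saw an HTML tag in the stored content. The same input through `wl_demo_quickview_safe` renders as `data-text="&quot; onmouseover=&quot;alert(1)"`, since `esc_attr()` encodes the quotes and the value can no longer leave its attribute.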