[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fozp7V4HQQoGZ6XL95xGZRztt03uVkha-5LpoQe_SylE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-0737","shortcodes-ultimate-authenticated-contributor-stored-cross-site-scripting-via-sulightbox-shortcode","Shortcodes Ultimate \u003C= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode","The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitization and output escaping in the 'src' attribute of the su_lightbox shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","shortcodes-ultimate",null,"\u003C=7.4.7","7.4.8","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-03 19:32:59","2026-04-04 07:41:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F62a9c9f4-ace4-4029-a720-5ea077e98be4?source=api-prod",1,[22,23,24,25,26,27,28],"admin\u002Fclass-shortcodes-ultimate-admin-settings.php","inc\u002Fcore\u002Fgenerator.php","includes\u002Fconfig\u002Fdefault-settings.php","includes\u002Fjs\u002Fblock-editor\u002Findex.js","includes\u002Fjs\u002Fblock-editor\u002Findex.js.map","includes\u002Fshortcodes\u002Flightbox.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-0737\n\n## 1. Vulnerability Summary\nThe **Shortcodes Ultimate** plugin (\u003C= 7.4.7) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `su_lightbox` shortcode. The vulnerability exists because the plugin insufficiently sanitizes the `src` attribute. While it performs a weak check for the string `javascript` and uses `esc_attr()` on the output, it fails to account for:\n1.  **Protocol Bypasses**: Bypassing the `javascript:` check using `data:` URIs.\n2.  **JavaScript Sink Injection**: The frontend JavaScript (Magnific Popup) reads the `data-mfp-src` attribute and uses it to dynamically construct HTML elements (like `\u003Cimg>` or `\u003Ciframe>`). During this process, attribute-escaped characters (like `&quot;`) are interpreted as real quotes, allowing an attacker to break out of the constructed HTML tag's attributes.\n\n## 2. Attack Vector Analysis\n-   **Endpoint**: Standard WordPress post\u002Fpage creation\u002Fedition.\n-   **Shortcode**: `[su_lightbox]`\n-   **Vulnerable Attribute**: `src`\n-   **Authentication Level**: Authenticated (Contributor+). Contributors can create posts and use shortcodes by default.\n-   **Preconditions**: The `su_option_unsafe_features` setting is typically `on` by default, but this vulnerability persists regardless of that setting as it lies in the core shortcode rendering logic.\n\n## 3. Code Flow\n1.  **Entry Point**: A user with Contributor+ permissions saves a post containing the `[su_lightbox]` shortcode.\n2.  **Processing**: When the post is rendered, WordPress calls `do_shortcode()`, which triggers the registered callback `su_shortcode_lightbox` in `includes\u002Fshortcodes\u002Flightbox.php`.\n3.  **Vulnerable Function**: `su_shortcode_lightbox($atts, $content)`\n    -   Line 112: `$atts['src'] = su_do_attribute($atts['src'], true);` (Processes placeholders).\n    -   Line 114: `if (strpos(strtolower($atts['src']), 'javascript') !== false)` (Blacklist check for `javascript:` protocol).\n    -   Line 124: The `src` is passed to `esc_attr()` and embedded in a `\u003Cspan>` tag:\n        ```php\n        return '\u003Cspan class=\"su-lightbox...\" data-mfp-src=\"' . esc_attr($atts['src']) . '\" ...>';\n        ```\n4.  **Frontend Execution**:\n    -   The plugin enqueues `magnific-popup` and `su-shortcodes` (includes\u002Fjs\u002Fsu-shortcodes.js).\n    -   The JS initializes the lightbox on elements with class `.su-lightbox`.\n    -   When a user clicks the lightbox trigger, Magnific Popup reads the `data-mfp-src` value using jQuery's `.data()` or `.attr()`.\n    -   **Sink**: Magnific Popup uses this value to construct the modal content. If `type=\"image\"`, it creates an `\u003Cimg>` tag. If `type=\"iframe\"`, it creates an `\u003Ciframe>`. Because it often uses string concatenation or jQuery's `$()` to build these elements, the payload executes.\n\n## 4. Nonce Acquisition Strategy\nNo WordPress nonce is required to exploit this vulnerability because it is a **Stored XSS** triggered by the standard rendering of post content.\n-   The shortcode is processed during the `the_content` filter execution.\n-   The Contributor only needs to create or update a post, which uses standard WordPress nonces for the `post.php` or `post-new.php` endpoints. These are managed automatically by a logged-in session.\n\n## 5. Exploitation Strategy\n### Step-by-Step Plan\n1.  **Login as Contributor**: Authenticate with Contributor credentials.\n2.  **Create Post**: Use the WordPress REST API or standard post creation to save a post containing the malicious shortcode.\n3.  **Inject Payload**: Use a payload that bypasses the `javascript` check and breaks out of the JS-constructed attribute.\n\n### Malicious Payloads\n**Option A: Attribute Breakout (via Image type)**\nThis payload uses a double quote to break out of the `src` attribute when Magnific Popup constructs the `\u003Cimg>` tag.\n```text\n[su_lightbox type=\"image\" src='https:\u002F\u002Fexample.com\u002Flogo.png\" onerror=\"alert(window.origin","The Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'su_lightbox' shortcode due to insufficient input validation and output escaping. Authenticated attackers with contributor-level permissions or higher can inject arbitrary scripts through the 'src' attribute, which are then executed by the frontend Magnific Popup library when the lightbox trigger is processed.","\u002F\u002F includes\u002Fshortcodes\u002Flightbox.php line 114\n\tif (strpos(strtolower($atts['src']), 'javascript') !== false) {\n\t\treturn su_error_message('Lightbox', __('please specify correct source', 'shortcodes-ultimate'));\n\t}\n\n---\n\n\u002F\u002F includes\u002Fshortcodes\u002Flightbox.php line 124\n\treturn '\u003Cspan class=\"su-lightbox' . su_get_css_class($atts) . '\" data-mfp-src=\"' . esc_attr($atts['src']) . '\" data-mfp-type=\"' . sanitize_key($atts['type']) . '\" data-mobile=\"' . sanitize_key($atts['mobile']) . '\">' . do_shortcode($content) . '\u003C\u002Fspan>';","--- includes\u002Fshortcodes\u002Flightbox.php\n+++ includes\u002Fshortcodes\u002Flightbox.php\n@@ -111,7 +111,10 @@\n \n \t$atts['src'] = su_do_attribute($atts['src'], true);\n \n-\tif (strpos(strtolower($atts['src']), 'javascript') !== false) {\n+\tif (\n+\t\tstrpos(strtolower($atts['src']), 'javascript') !== false ||\n+\t\tstrpos(strtolower($atts['src']), 'data:') !== false\n+\t) {\n \t\treturn su_error_message('Lightbox', __('please specify correct source', 'shortcodes-ultimate'));\n \t}\n \n@@ -121,5 +124,5 @@\n \tsu_query_asset('js', 'magnific-popup');\n \tsu_query_asset('js', 'su-shortcodes');\n \n-\treturn '\u003Cspan class=\"su-lightbox' . su_get_css_class($atts) . '\" data-mfp-src=\"' . esc_attr($atts['src']) . '\" data-mfp-type=\"' . sanitize_key($atts['type']) . '\" data-mobile=\"' . sanitize_key($atts['mobile']) . '\">' . do_shortcode($content) . '\u003C\u002Fspan>';\n+\treturn '\u003Cspan class=\"su-lightbox' . su_get_css_class($atts) . '\" data-mfp-src=\"' . esc_url($atts['src']) . '\" data-mfp-type=\"' . sanitize_key($atts['type']) . '\" data-mobile=\"' . sanitize_key($atts['mobile']) . '\">' . do_shortcode($content) . '\u003C\u002Fspan>';\n }","The exploit targets the `su_lightbox` shortcode, which is available to any user with the ability to create or edit posts (Contributor+ by default). An attacker inserts a malicious shortcode like `[su_lightbox type=\"image\" src='https:\u002F\u002Fexample.com\u002Flogo.png\" onerror=\"alert(1)']Click Me[\u002Fsu_lightbox]`. When a victim visits the page, the plugin renders the shortcode into a `\u003Cspan>` element with the payload in the `data-mfp-src` attribute. The plugin's frontend JavaScript (Magnific Popup) reads this attribute to dynamically construct a modal element (e.g., an `\u003Cimg>` tag). Because the JavaScript implementation does not properly re-sanitize the data when building the element's inner HTML or attributes, the injected quote breaks out of the `src` attribute, allowing the `onerror` handler to execute arbitrary JavaScript.","gemini-3-flash-preview","2026-04-17 21:39:19","2026-04-17 21:40:25",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","7.4.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortcodes-ultimate\u002Ftags\u002F7.4.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortcodes-ultimate.7.4.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortcodes-ultimate\u002Ftags\u002F7.4.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortcodes-ultimate.7.4.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortcodes-ultimate\u002Ftags"]