[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRumrcp_I12zJq_lI6uOg_pdKH7jj82SRSXGj4Xzdkws":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39654","simple-html-sitemap-authenticated-author-stored-cross-site-scripting","Simple HTML Sitemap \u003C= 3.8 - Authenticated (Author+) Stored Cross-Site Scripting","The Simple HTML Sitemap plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.8 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-simple-html-sitemap",null,"\u003C=3.8","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-15 00:00:00","2026-04-15 21:24:03",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff0b12d5d-5b13-4eb0-ad48-2b7c431703bd?source=api-prod",[],"researched",false,3,"This research plan outlines the methodology for analyzing and exploiting **CVE-2026-39654** in the **WP Simple HTML Sitemap** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **WP Simple HTML Sitemap** plugin (versions \u003C= 3.8) is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability exists because the plugin handles user-supplied input (likely via shortcode attributes or post metadata) and renders it on the frontend or backend without sufficient sanitization (e.g., `sanitize_text_field`) or output escaping (e.g., `esc_html` or `esc_attr`). An attacker with **Author** level permissions can inject arbitrary JavaScript that executes when any user (including Administrators) views the affected page.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fpost.php` (Standard WordPress post\u002Fpage editor).\n*   **Action:** Saving or publishing a post\u002Fpage containing a malicious shortcode.\n*   **Vulnerable Component:** The shortcode handler for the sitemap.\n*   **Shortcode Tag (Inferred):** `[wp_simple_html_sitemap]` or `[simple-html-sitemap]`.\n*   **Vulnerable Parameters (Inferred):** Shortcode attributes such as `title`, `label`, `class`, or `id`.\n*   **Authentication:** Requires an account with at least `Author` privileges (the ability to create and publish posts\u002Fpages).\n\n### 3. 
Code Flow (Inferred)\n1.  The plugin registers a shortcode in its main file (e.g., `wp-simple-html-sitemap.php`) using `add_shortcode( 'wp_simple_html_sitemap', 'callback_function' )`.\n2.  The `callback_function` receives an `$atts` array containing user-defined attributes from the shortcode.\n3.  The plugin fails to sanitize these attributes upon receipt.\n4.  The attributes are then used to build an HTML string (e.g., `\u003Ch2 class=\"sitemap-title\">$title\u003C\u002Fh2>`).\n5.  The plugin returns or echoes the HTML string without using `esc_html()` or `esc_attr()` on the attributes.\n6.  When a user views the page where the shortcode is placed, the injected script executes.\n\n### 4. Nonce Acquisition Strategy\nSince this vulnerability is exploited through the standard WordPress post editor, the \"Store\" phase relies on standard WordPress core nonces for saving posts.\n\n1.  **Authentication:** Log in as an **Author** user.\n2.  **Navigation:** Navigate to `wp-admin\u002Fpost-new.php?post_type=page`.\n3.  **Extraction:**\n    *   The `_wpnonce` and `_wp_http_referer` are required for the `POST` request to `post.php`.\n    *   The execution agent should use `browser_navigate` to the editor page and then use `browser_eval` to extract the `_wpnonce` value from the hidden input field:\n        `browser_eval(\"document.querySelector('#_wpnonce').value\")`.\n\n### 5. 
Exploitation Strategy\n\n#### Step 1: Authentication and Nonce Retrieval\nLog in as the Author and capture the necessary post-submission nonce.\n\n#### Step 2: Inject Stored XSS via Shortcode\nSubmit a request to create a page containing the malicious shortcode.\n\n*   **Request Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `editpost`\n    *   `post_ID`: (obtained from the `post-new.php` page load)\n    *   `_wpnonce`: (extracted nonce)\n    *   `post_title`: `Sitemap Test`\n    *   `content`: `[wp_simple_html_sitemap title='\u003Cscript>alert(document.cookie)\u003C\u002Fscript>']` (Inferred attribute name)\n    *   `publish`: `Publish`\n\n#### Step 3: Trigger the XSS\nNavigate to the newly created page URL on the frontend to trigger the script execution.\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `wp-simple-html-sitemap` version 3.8 is installed and active.\n2.  **User Creation:**\n    ```bash\n    wp user create attacker attacker@example.com --role=author --user_pass=password\n    ```\n3.  **Discovery:** Determine the exact shortcode name and attributes by searching the plugin directory:\n    ```bash\n    grep -rn \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fwp-simple-html-sitemap\u002F\n    ```\n\n### 7. Expected Results\n*   The `POST` request to `post.php` should return a `302 Redirect` to the post editor with `message=1` (Post published).\n*   When navigating to the published page, a JavaScript alert box displaying the user's cookies should appear.\n*   Viewing the page source should show the raw `\u003Cscript>` tag inside the sitemap's container elements.\n\n### 8. 
Verification Steps (Post-Exploit)\nConfirm the payload is stored in the database:\n```bash\nwp db query \"SELECT post_content FROM wp_posts WHERE post_title='Sitemap Test' LIMIT 1;\"\n```\nCheck if the output in the frontend is truly unescaped:\n```bash\n# Using the http_request tool to fetch the page content\n# Look for the literal string: \u003Cscript>alert(document.cookie)\u003C\u002Fscript>\n```\n\n### 9. Alternative Approaches\nIf shortcode attributes are sanitized, check the **Post Title** vector:\n1.  As an Author, create a post with the title: `\u003Cimg src=x onerror=alert(1)>`.\n2.  Create a separate page with the sitemap shortcode: `[wp_simple_html_sitemap]`.\n3.  If the plugin renders the list of post titles without escaping, the XSS will trigger when viewing the sitemap page.\n\n**Verification for Alternative:**\n```bash\ngrep -rn \"the_title\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fwp-simple-html-sitemap\u002F\n# Check if it uses get_the_title() followed by echo without esc_html()\n```","The WP Simple HTML Sitemap plugin for WordPress (\u003C= 3.8) is vulnerable to Stored Cross-Site Scripting (XSS) because it does not sanitize or escape shortcode attributes (the specific handler and attribute names are inferred rather than confirmed). Authenticated attackers with Author-level permissions can inject malicious scripts into pages through crafted shortcode attributes; the injected scripts then execute when any user views the affected sitemap page.","\u002F\u002F wp-simple-html-sitemap\u002Fwp-simple-html-sitemap.php (Inferred shortcode handler)\n\nfunction wp_simple_html_sitemap_shortcode_handler($atts) {\n    $a = shortcode_atts(array(\n        'title' => 'Sitemap',\n        'class' => 'sitemap-list',\n    ), $atts);\n\n    \u002F\u002F Vulnerable output: Attributes are echoed directly without esc_html() or esc_attr()\n    $output = '\u003Cdiv class=\"' . $a['class'] . '\">';\n    $output .= '\u003Ch2>' . $a['title'] . '\u003C\u002Fh2>';\n    \n    \u002F\u002F ... 
(rest of the sitemap generation code)\n\n    return $output;\n}","--- wp-simple-html-sitemap\u002Fwp-simple-html-sitemap.php\n+++ wp-simple-html-sitemap\u002Fwp-simple-html-sitemap.php\n@@ -10,8 +10,8 @@\n     ), $atts);\n \n-    $output = '\u003Cdiv class=\"' . $a['class'] . '\">';\n-    $output .= '\u003Ch2>' . $a['title'] . '\u003C\u002Fh2>';\n+    $output = '\u003Cdiv class=\"' . esc_attr($a['class']) . '\">';\n+    $output .= '\u003Ch2>' . esc_html($a['title']) . '\u003C\u002Fh2>';\n \n     \u002F\u002F ... (rest of the sitemap generation code)","1. Authentication: Log in to the WordPress dashboard as a user with at least Author permissions.\n2. Nonce Retrieval: Navigate to the 'Add New Post' or 'Add New Page' screen to retrieve the necessary `_wpnonce` and `post_ID` for post creation.\n3. Payload Injection: Create or update a post\u002Fpage and include the plugin's sitemap shortcode (likely `[wp_simple_html_sitemap]`) with a malicious attribute payload, for example: `[wp_simple_html_sitemap title=\"\u003Cscript>alert(document.cookie)\u003C\u002Fscript>\"]`.\n4. Execution: Publish the post and navigate to its permalink on the frontend. The injected script will execute in the context of the user's browser.","gemini-3-flash-preview","2026-04-20 22:10:49","2026-04-20 22:11:08",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-simple-html-sitemap\u002Ftags"]