[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffTTyEpQcqd3nVAakgzCjYMrSf5STwwL5zZfpuMKo8is":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-8900","simple-seo-slideshow-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Simple SEO Slideshow \u003C= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress KSES does not strip malicious shortcode attribute values on post save, allowing contributor-level users to persist payloads that execute for any visitor, including administrators reviewing the post.","simple-seo-slideshow",null,"\u003C=1.2.8","1.2.9","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-05 10:52:25","2026-06-05 23:28:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3b3bb703-fdff-4525-9272-7a3db58b81a0?source=api-prod",1,[22,23,24,25,26,27,28],"js\u002Fmce_dialog.js","js\u002Fsimpleslideshowmce.js","js\u002Fssslide_dialog.htm","readme.txt","simpleslideshow.css","simpleslideshow.js","simpleslideshow.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-8900 (Simple SEO Slideshow Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Simple SEO Slideshow** plugin (versions \u003C= 1.2.8) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the shortcode handler for `[simpleslideshow]` fails to properly sanitize or escape user-supplied attributes (such as `sctitle`, `scexclude`, etc.) before rendering them into the page HTML. A user with **Contributor** level permissions can embed malicious JavaScript within these attributes. When the post is saved, WordPress KSES does not filter attributes within shortcodes, and the plugin later echoes these values directly into the DOM.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post Editor (`\u002Fwp-admin\u002Fpost.php` or `\u002Fwp-admin\u002Fpost-new.php`).\n*   **Vulnerable Component:** The `[simpleslideshow]` shortcode handler in `simpleslideshow.php`.\n*   **Payload Carrier:** Shortcode attributes, specifically `sctitle`.\n*   **Authentication:** Authenticated (Contributor+).\n*   **Preconditions:** The plugin must be active, and the attacker must have permission to create or edit posts (Contributor role is sufficient).\n\n## 3. Code Flow\n1.  **Entry Point:** An attacker creates a post containing a shortcode: `[simpleslideshow sctitle='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`.\n2.  **Persistence:** Upon saving, WordPress core stores the raw shortcode string in the `post_content` column of the `wp_posts` table.\n3.  **Processing:** When a user (including an Admin) views the post, WordPress invokes the shortcode callback function registered via `add_shortcode( 'simpleslideshow', ... )` in `simpleslideshow.php`.\n4.  **The Sink:** The handler extracts the attributes and generates HTML. Based on `js\u002Fsimpleslideshow.js`, the plugin likely renders hidden elements or attributes to pass settings to the frontend script:\n    *   `imgtitle[index][0] = jQuery('img',this).eq(0).attr('title');`\n    *   `imgsubtitle[index][0] = jQuery('.slidedescr',this).html();`\n5.  **Execution:** If the PHP handler outputs `$atts['sctitle']` into a `title` attribute or inside a `div` with class `slidedescr` without using `esc_attr()` or `esc_html()`, the browser interprets the payload. The JS then further propagates the XSS by reading this content and re-inserting it via `.html()`.\n\n## 4. Nonce Acquisition Strategy\nThis exploit involves saving a standard WordPress post. It does not rely on a plugin-specific AJAX nonce, but rather the core WordPress post-editor nonces.\n\n*   **Logic:** To save a post as a Contributor, the agent must obtain the `_wpnonce` used by the editor.\n*   **Procedure:**\n    1.  Login to the WordPress dashboard as a Contributor.\n    2.  Use `browser_navigate` to go to `http:\u002F\u002F[target]\u002Fwp-admin\u002Fpost-new.php`.\n    3.  Use `browser_eval` to extract the nonce required for the `post.php` submission:\n        ```javascript\n        \u002F\u002F Common location for the post nonce in the Gutenberg or Classic editor\n        document.querySelector('#_wpnonce')?.value || document.querySelector('[name=\"_wpnonce\"]')?.value;\n        ```\n    4.  The agent will use this nonce in the subsequent `POST` request to save the post content.\n\n## 5. Exploitation Strategy\n1.  **Preparation:** Identify the Contributor credentials and the target WordPress instance.\n2.  **Authentication:** Authenticate the session using the `http_request` tool.\n3.  **Nonce Extraction:** Navigate to the \"New Post\" page and extract the `_wpnonce` and the `user_id`.\n4.  **Payload Injection:** Submit a request to save a new post containing the malicious shortcode.\n    *   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fpost.php`\n    *   **Method:** `POST`\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    *   **Parameters:**\n        *   `action`: `editpost`\n        *   `post_ID`: `[NEW_POST_ID]`\n        *   `_wpnonce`: `[EXTRACTED_NONCE]`\n        *   `post_title`: `Security Research Slideshow`\n        *   `content`: `[simpleslideshow sctitle='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n        *   `post_status`: `publish` (or `pending` if Contributor cannot publish)\n5.  **Trigger:** Use `browser_navigate` to visit the permalink of the newly created post.\n\n## 6. Test Data Setup\n*   **User:** A user with the `contributor` role (e.g., username: `researcher`, pass: `password123`).\n*   **Environment:** WordPress instance with `simple-seo-slideshow` version 1.2.8 installed and activated.\n*   **Shortcode:** The exploit utilizes the default shortcode `[simpleslideshow]`.\n\n## 7. Expected Results\n*   The `POST` request to `post.php` should return a `302 Found` redirecting to the post editor with a success message.\n*   The `post_content` in the database should contain the unescaped payload.\n*   Upon visiting the post frontend, an alert box displaying the `document.domain` should appear, confirming the execution of the injected script.\n\n## 8. Verification Steps\n1.  **Database Check:** Verify the payload is stored correctly using WP-CLI:\n    ```bash\n    wp post list --post_type=post --format=ids | xargs -I % wp post get % --field=post_content\n    ```\n2.  **Frontend Inspection:** Check the rendered HTML source for the presence of the unescaped script:\n    ```bash\n    # Look for the sctitle value in the div or image tags\n    curl -s http:\u002F\u002F[target]\u002Fpath-to-post | grep \"alert(document.domain)\"\n    ```\n3.  **Execution Check:** Confirm that the script executes in the browser context using the `browser_eval` tool to check for a global side effect (e.g., `window.xss_executed = true`).\n\n## 9. Alternative Approaches\n*   **Attribute Breakout:** If `sctitle` is correctly escaped within HTML tags but used inside an attribute (e.g., `value='...'`), try breaking out with `' onmouseover='alert(1)`.\n*   **Other Attributes:** If `sctitle` is sanitized, test `scexclude`, `scdelay`, or `scheight`. Although `js\u002Fmce_dialog.js` uses `parseInt` on `scdelay` and `scheight`, the PHP side might still echo them raw before the JS loads.\n*   **JS-based Trigger:** Since `simpleslideshow.js` uses `jQuery(...).html()`, test if the payload can be stored in a way that bypasses initial PHP rendering but is executed when the JS processes the slideshow captions:\n    *   Payload: `[simpleslideshow sctitle='\u003Cimg src=x onerror=alert(1)>']`","The Simple SEO Slideshow plugin for WordPress (versions up to 1.2.8) is vulnerable to Stored Cross-Site Scripting via shortcode attributes such as 'sctitle'. Authenticated attackers with Contributor-level permissions can inject malicious scripts into these attributes, which are then rendered on the page without proper sanitization and subsequently executed by the plugin's JavaScript logic.","\u002F* js\u002Fsimpleslideshow.js lines 35-36 (v1.2.6) *\u002F\nimgtitle[index][0] = jQuery('img',this).eq(0).attr('title');\nimgsubtitle[index][0] = jQuery('.slidedescr',this).html();\n\n---\n\n\u002F* js\u002Fsimpleslideshow.js line 83 (v1.2.6) *\u002F\n\u002F\u002F The plugin extracts content from the DOM and re-inserts it using .html(), triggering execution\njQuery('.slidedescr',newthis).html(imgsubtitle[index][newci]);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-seo-slideshow\u002F1.2.6\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-seo-slideshow\u002F1.2.9\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-seo-slideshow\u002F1.2.6\u002Freadme.txt\t2013-08-03 22:47:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-seo-slideshow\u002F1.2.9\u002Freadme.txt\t2026-05-28 01:16:58.000000000 +0000\n@@ -1,18 +1,18 @@\n-﻿=== Plugin Name ===\n+=== Plugin Name ===\n Contributors: spyrosvl\n Donate link: https:\u002F\u002Fwww.paypal.com\u002Fcgi-bin\u002Fwebscr?cmd=_s-xclick&hosted_button_id=9QBE26DTURXJQ\n Tags: slideshow widget, page slideshow widget, post slideshow widget\n-Requires at least: 3.2\n-Tested up to: 3.5.2\n-Stable tag: 1.2.6\n+Requires at least: 5.4\n+Tested up to: 7.0\n+Stable tag: 1.2.9\n License: GPLv2 or later\n License URI: http:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\n \n == Upgrade Notice ==\n \n+= 1.2.9 =\n+\n+* Resolved security issue (CVE-2026-8900)\n+* Added auto calculation of slider height\n+\n = 1.2.6 =\n \n * New navigation buttons","1. Log in to the WordPress dashboard as an authenticated user with at least Contributor-level permissions.\n2. Create a new post or edit an existing one using the Post Editor.\n3. Insert the [simpleslideshow] shortcode with a malicious payload inside one of its attributes, for example: [simpleslideshow sctitle='\u003Cscript>alert(document.domain)\u003C\u002Fscript>'].\n4. Save the post. Since WordPress does not filter attributes inside shortcode strings on post save, the payload is persisted in the database.\n5. View the post on the frontend. The plugin's PHP handler renders the shortcode attribute directly into the HTML source. \n6. The plugin's JavaScript (js\u002Fsimpleslideshow.js) reads the content of the affected element and re-injects it into the DOM using the jQuery .html() method, which triggers the execution of the stored script.","gemini-3-flash-preview","2026-06-26 03:42:31","2026-06-26 03:43:46",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.2.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-seo-slideshow\u002Ftags\u002F1.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-seo-slideshow.1.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-seo-slideshow\u002Ftags\u002F1.2.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-seo-slideshow.1.2.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-seo-slideshow\u002Ftags"]