WP-Safety
CVE-2026-32424

Sprout Clients <= 3.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
3.2.3
Patched in
48d
Time to patch

Description

The Sprout Clients plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.2.2
PublishedFebruary 27, 2026
Last updatedApril 15, 2026
Affected pluginsprout-clients

What Changed in the Fix

Changes introduced in v3.2.3

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v3.2.2
Browse source Download .zip
Patched v3.2.3
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-32424 (Sprout Clients) ## 1. Vulnerability Summary The **Sprout Clients** plugin for WordPress (versions <= 3.2.2) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sanitize user input before storing …

Show full research plan

Exploitation Research Plan - CVE-2026-32424 (Sprout Clients)

1. Vulnerability Summary

The Sprout Clients plugin for WordPress (versions <= 3.2.2) is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability exists because the plugin fails to sanitize user input before storing it in user metadata and subsequently fails to escape that data when rendering it in the WordPress admin interface.

Specifically, the SC_Users::save_profile_fields function in controllers/clients/Clients_Users.php updates several user meta fields (sc_dob, sc_phone, sc_twitter, sc_linkedin, sc_note) directly from the $_POST array without using sanitization functions like sanitize_text_field. When an administrator or another privileged user views the affected user's profile, these fields are rendered without proper escaping, leading to script execution.

2. Attack Vector Analysis

  • Endpoint: wp-admin/profile.php (for the Contributor to inject) and wp-admin/user-edit.php (for the Admin to trigger).
  • Authentication: Contributor level or higher is required. A Contributor can edit their own profile, which is sufficient to trigger the vulnerability.
  • Vulnerable Parameters: sc_twitter, sc_phone, sc_linkedin, sc_dob, sc_note.
  • Preconditions: The Sprout Clients plugin must be active.

3. Code Flow

  1. Entry Point: The plugin registers hooks to handle profile updates in SC_Users::init():
    • add_action( 'personal_options_update', array( __CLASS__, 'save_profile_fields' ) );
    • add_action( 'edit_user_profile_update', array( __CLASS__, 'save_profile_fields' ) );
  2. Storage (Sink): When a Contributor saves their profile, SC_Users::save_profile_fields($user_id) is called.
    • It checks current_user_can( 'edit_user', $user_id ), which is true for a user editing themselves.
    • It executes: update_user_meta( $user_id, self::TWITTER, $_POST['sc_twitter'] ); (where self::TWITTER is 'sc_twitter').
    • No sanitization (e.g., sanitize_text_field) is applied to $_POST['sc_twitter'].
  3. Rendering (Source): When an Admin views the user's profile, SC_Users::user_profile_fields($user) is triggered via:
    • add_action( 'show_user_profile', array( __CLASS__, 'user_profile_fields' ) );
    • add_action( 'edit_user_profile', array( __CLASS__, 'user_profile_fields' ) );
  4. Execution: This function calls self::load_view( 'admin/user/profile_fields.php', ... ), passing the unsanitized metadata. The view (inferred from the patch description) echoes these values directly into the HTML without escaping functions like esc_attr().

4. Nonce Acquisition Strategy

The attack leverages the standard WordPress profile update mechanism.

  1. Tool: browser_navigate to wp-admin/profile.php using the Contributor's credentials.
  2. Extraction: Use browser_eval to extract the core WordPress profile nonce and user ID:
    • nonce = document.querySelector('input[name="_wpnonce"]').value
    • user_id = document.querySelector('input[name="user_id"]').value
  3. Note: No plugin-specific AJAX nonce is required for this specific vector.

5. Exploitation Strategy

Step 1: Injection (Contributor)

Submit a POST request to wp-admin/profile.php to save the XSS payload into the sc_twitter field.

  • URL: http://localhost:8080/wp-admin/profile.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • _wpnonce: [EXTRACTED_NONCE]
    • action: update
    • user_id: [CONTRIBUTOR_ID]
    • sc_twitter: "><script>alert(document.domain)</script>
    • sc_phone: 555-0199
    • email: contributor@example.com (required by WP)
    • nickname: contributor (required by WP)

Step 2: Trigger (Administrator)

The Admin views the Contributor's profile to trigger the XSS.

  • URL: http://localhost:8080/wp-admin/user-edit.php?user_id=[CONTRIBUTOR_ID]
  • Action: Simply navigate to this page in the browser using the Admin's session.

6. Test Data Setup

  1. Plugin: Install and activate sprout-clients version 3.2.2.
  2. Users:
    • An Administrator user.
    • A Contributor user (to perform the injection).

7. Expected Results

  • Upon the Contributor's POST request, the database should store the literal string "><script>alert(document.domain)</script> in the wp_usermeta table for the key sc_twitter.
  • Upon the Administrator's navigation to the user edit page, an alert box showing the document domain should appear, confirming the script execution.

8. Verification Steps

  1. Database Check: Use WP-CLI to verify the meta is stored unsanitized:
    • wp user meta get [CONTRIBUTOR_ID] sc_twitter
  2. DOM Check: Use browser_eval on the Admin's view of the profile to check for the injected script tag:
    • browser_eval("document.body.innerHTML.includes('<script>alert(document.domain)</script>')")

9. Alternative Approaches

If the sc_twitter field is sanitized by a global filter, try the sc_note field or the client creation AJAX endpoint:

  • Action: sa_create_client via wp-admin/admin-ajax.php.
  • Parameter: sa_client_street (Note: This may require publish_posts capability).
  • Nonce Action: sc_client_submission (Localized as sa_client_nonce in plugin JS).
  • Code Reference: SC_Clients_AJAX::maybe_create_client in controllers/clients/Clients_AJAX.php. It uses self::esc__, which should be checked for bypasses if the profile fields fail.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Sprout Clients plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via several user profile fields and client metadata fields. Authenticated attackers with contributor-level access or above can inject malicious scripts into fields like Twitter, LinkedIn, and Phone, which are then rendered without sanitization or escaping in the WordPress admin interface when a privileged user views the affected profile.

Vulnerable Code

// controllers/clients/Clients_Users.php:37
public static function save_profile_fields( $user_id = 0 ) {
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return false; }

    update_user_meta( $user_id, self::DOB, $_POST['sc_dob'] );
    update_user_meta( $user_id, self::PHONE, $_POST['sc_phone'] );
    update_user_meta( $user_id, self::TWITTER, $_POST['sc_twitter'] );
    update_user_meta( $user_id, self::LINKEDIN, $_POST['sc_linkedin'] );
    update_user_meta( $user_id, self::NOTE, $_POST['sc_note'] );
}

---

// controllers/clients/Clients_Users.php:21
public static function user_profile_fields( $user ) {
    $user_id = $user->ID;
    self::load_view( 'admin/user/profile_fields.php', array(
        'user' => $user,
        'phone' => self::get_users_phone( $user_id ),
        'twitter' => self::get_users_twitter( $user_id ),
        'linkedin' => self::get_users_linkedin( $user_id ),
        'dob' => self::get_users_dob( $user_id ),
        'note' => self::get_users_note( $user_id ),
        'clients' => Sprout_Client::get_clients_by_user( $user_id ),
        ) );
}

---

// controllers/clients/Clients_Admin_Meta_Boxes.php:364
public static function save_meta_box_client_communication( $post_id, $post, $callback_args ) {
    // name is filtered via update_post_data
    $phone = ( isset( $_POST['sa_metabox_phone'] ) && '' !== $_POST['sa_metabox_phone'] ) ? $_POST['sa_metabox_phone'] : '' ;
    $twitter = ( isset( $_POST['sa_metabox_twitter'] ) && '' !== $_POST['sa_metabox_twitter'] ) ? $_POST['sa_metabox_twitter'] : '' ;
    $skype = ( isset( $_POST['sa_metabox_skype'] ) && '' !== $_POST['sa_metabox_skype'] ) ? $_POST['sa_metabox_skype'] : '' ;
    $facebook = ( isset( $_POST['sa_metabox_facebook'] ) && '' !== $_POST['sa_metabox_facebook'] ) ? $_POST['sa_metabox_facebook'] : '' ;
    $linkedin = ( isset( $_POST['sa_metabox_linkedin'] ) && '' !== $_POST['sa_metabox_linkedin'] ) ? $_POST['sa_metabox_linkedin'] : '' ;

Security Fix

--- /controllers/clients/Clients_Users.php
+++ /controllers/clients/Clients_Users.php
@@ -40,11 +40,11 @@
 		if ( ! current_user_can( 'edit_user', $user_id ) ) {
 			return false; }
 
-		update_user_meta( $user_id, self::DOB, $_POST['sc_dob'] );
-		update_user_meta( $user_id, self::PHONE, $_POST['sc_phone'] );
-		update_user_meta( $user_id, self::TWITTER, $_POST['sc_twitter'] );
-		update_user_meta( $user_id, self::LINKEDIN, $_POST['sc_linkedin'] );
-		update_user_meta( $user_id, self::NOTE, $_POST['sc_note'] );
+		update_user_meta( $user_id, self::DOB, sanitize_text_field( wp_unslash( $_POST['sc_dob'] ) ) );
+		update_user_meta( $user_id, self::PHONE, sanitize_text_field( wp_unslash( $_POST['sc_phone'] ) ) );
+		update_user_meta( $user_id, self::TWITTER, sanitize_text_field( wp_unslash( $_POST['sc_twitter'] ) ) );
+		update_user_meta( $user_id, self::LINKEDIN, esc_url_raw( wp_unslash( $_POST['sc_linkedin'] ) ) );
+		update_user_meta( $user_id, self::NOTE, sanitize_textarea_field( wp_unslash( $_POST['sc_note'] ) ) );
 	}
--- /controllers/clients/Clients_Admin_Meta_Boxes.php
+++ /controllers/clients/Clients_Admin_Meta_Boxes.php
@@ -361,12 +356,12 @@
 	 */
 	public static function save_meta_box_client_communication( $post_id, $post, $callback_args ) {
-		$phone = ( isset( $_POST['sa_metabox_phone'] ) && '' !== $_POST['sa_metabox_phone'] ) ? $_POST['sa_metabox_phone'] : '' ;
-		$twitter = ( isset( $_POST['sa_metabox_twitter'] ) && '' !== $_POST['sa_metabox_twitter'] ) ? $_POST['sa_metabox_twitter'] : '' ;
-		$skype = ( isset( $_POST['sa_metabox_skype'] ) && '' !== $_POST['sa_metabox_skype'] ) ? $_POST['sa_metabox_skype'] : '' ;
-		$facebook = ( isset( $_POST['sa_metabox_facebook'] ) && '' !== $_POST['sa_metabox_facebook'] ) ? $_POST['sa_metabox_facebook'] : '' ;
-		$linkedin = ( isset( $_POST['sa_metabox_linkedin'] ) && '' !== $_POST['sa_metabox_linkedin'] ) ? $_POST['sa_metabox_linkedin'] : '' ;
+		$phone = ( isset( $_POST['sa_metabox_phone'] ) && '' !== $_POST['sa_metabox_phone'] ) ? sanitize_text_field( wp_unslash( $_POST['sa_metabox_phone'] ) ) : '' ;
+		$twitter = ( isset( $_POST['sa_metabox_twitter'] ) && '' !== $_POST['sa_metabox_twitter'] ) ? sanitize_text_field( wp_unslash( $_POST['sa_metabox_twitter'] ) ) : '' ;
+		$skype = ( isset( $_POST['sa_metabox_skype'] ) && '' !== $_POST['sa_metabox_skype'] ) ? sanitize_text_field( wp_unslash( $_POST['sa_metabox_skype'] ) ) : '' ;
+		$facebook = ( isset( $_POST['sa_metabox_facebook'] ) && '' !== $_POST['sa_metabox_facebook'] ) ? esc_url_raw( wp_unslash( $_POST['sa_metabox_facebook'] ) ) : '' ;
+		$linkedin = ( isset( $_POST['sa_metabox_linkedin'] ) && '' !== $_POST['sa_metabox_linkedin'] ) ? esc_url_raw( wp_unslash( $_POST['sa_metabox_linkedin'] ) ) : '' ;

Exploit Outline

The exploit requires an attacker with at least Contributor-level access. 1. The attacker logs into the WordPress dashboard and navigates to their own profile page (`wp-admin/profile.php`). 2. The attacker fills one of the Sprout Client fields (e.g., 'Twitter Handle' or 'Phone') with a payload like: `"><script>alert(document.domain)</script>`. 3. The attacker submits the profile update. Because the plugin uses raw `$_POST` data in `update_user_meta` without sanitization in `SC_Users::save_profile_fields`, the payload is stored directly in the database. 4. To trigger the vulnerability, an Administrator navigates to the User Edit screen for the attacker's account (`wp-admin/user-edit.php?user_id=[ID]`). 5. The plugin's `SC_Users::user_profile_fields` function loads the profile view, which echoes the metadata into the HTML without output escaping, resulting in the script executing in the Administrator's browser context.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/097760a6-0b8b-437d-a6ad-29675cbb5091?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database