[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMkV-ndvYAlV8twMn7mokPGoxlVvPpoCDC6-qf3Qr11A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-6565","style-kits-advanced-theme-styles-for-elementor-authenticated-contributor-stored-cross-site-scripting-via-kit-title","Style Kits – Advanced Theme Styles for Elementor \u003C= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Kit Title","The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '\u002Fwp-json\u002Fagwp\u002Fv1\u002Ftokens\u002Fsave' endpoint kit title parameter in versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping in an admin attribute context. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","analogwp-templates",null,"\u003C=2.5.0","2.6.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 12:12:14","2026-05-27 01:26:18",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd6332d57-5832-4093-a609-f9c454452815?source=api-prod",1,[22,23,24,25,26,27,28,29],"analogwp-templates.php","assets\u002Fjs\u002Fapp\u002Findex.asset.php","assets\u002Fjs\u002Fapp\u002Findex.js","inc\u002FConsumer.php","inc\u002FCore\u002FSVGs\u002FAllow.php","inc\u002FFeaturesets\u002Frollback\u002Fclass-init.php","inc\u002FFeaturesets\u002Frollback\u002Fclass-rollback-downgrader-skin.php","inc\u002FFeaturesets\u002Frollback\u002Fclass-rollbacker.php","researched",false,3,"This research plan focuses on exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the **Style Kits for Elementor** plugin (version \u003C= 2.5.0). The vulnerability allows authenticated users with Contributor-level permissions to inject malicious scripts via a specific REST API endpoint used for saving kit titles.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Authenticated (Contributor+) Stored Cross-Site Scripting (XSS).\n*   **ID:** CVE-2026-6565.\n*   **Location:** REST API endpoint `\u002Fwp-json\u002Fagwp\u002Fv1\u002Ftokens\u002Fsave`.\n*   **Sink:** The kit title is rendered in an admin context (likely a kit list or the Elementor editor interface) without proper escaping, specifically within an \"admin attribute context\" (e.g., `title=\"...\"` or `value=\"...\"`).\n*   **Cause:** Insufficient sanitization of the `title` parameter during storage and missing escaping during output.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `POST \u002Fwp-json\u002Fagwp\u002Fv1\u002Ftokens\u002Fsave`\n*   **Authentication:** Contributor or higher. Contributors can access the REST API and typically have the `edit_posts` capability, which often suffices for kit-related operations in this plugin.\n*   **Vulnerable Parameter:** `title` (or a similar key representing the kit title in the JSON body).\n*   **Preconditions:**\n    1.  Plugin active on a WordPress site with Elementor.\n    2.  An attacker session with at least Contributor privileges.\n    3.  A valid `wp_rest` nonce for authentication to the REST API.\n\n### 3. Code Flow (Inferred)\n1.  **Entry:** The plugin registers a REST route via `register_rest_route('agwp\u002Fv1', '\u002Ftokens\u002Fsave', ...)` during `rest_api_init`.\n2.  **Permission Check:** The `permission_callback` likely checks for `current_user_can('edit_posts')` rather than `manage_options`, allowing Contributors access.\n3.  **Processing:** The callback function receives the `WP_REST_Request`. It extracts the `title` parameter from the request body.\n4.  **Storage:** The title is saved to the database (likely in `wp_options` as part of a kit configuration or as a custom post type `ang_tokens` meta). No `sanitize_text_field` or similar filter is applied effectively to block HTML tags.\n5.  **Rendering:** When an Administrator views the \"Style Kits\" dashboard or the Elementor editor, the plugin retrieves the stored title and echoes it inside an HTML attribute (e.g., `\u003Cdiv title=\"[USER_INPUT]\">`) without using `esc_attr()`.\n\n### 4. Nonce Acquisition Strategy\nThe WordPress REST API requires a nonce for authenticated POST requests to prevent CSRF. The nonce must be for the action `wp_rest`.\n\n1.  **Identification:** The `wp_rest` nonce is standard for the WordPress REST API. It is usually localized into the `wpApiSettings` JavaScript object on admin pages.\n2.  **Extraction Method:**\n    -   Navigate to any admin page (e.g., `\u002Fwp-admin\u002Findex.php`) as the Contributor user.\n    -   Use the `browser_eval` tool to extract the nonce from the window object.\n3.  **Specific JS Variable:** `window.wpApiSettings.nonce`.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Authentication\nLogin as a Contributor user.\n\n#### Step 2: Nonce Retrieval\nExecute `browser_navigate` to `\u002Fwp-admin\u002F` and then `browser_eval(\"window.wpApiSettings.nonce\")`.\n\n#### Step 3: Payload Injection\nSend a POST request to the vulnerable endpoint using the `http_request` tool.\n\n*   **URL:** `https:\u002F\u002F[TARGET]\u002Fwp-json\u002Fagwp\u002Fv1\u002Ftokens\u002Fsave`\n*   **Method:** `POST`\n*   **Headers:**\n    -   `X-WP-Nonce: [EXTRACTED_NONCE]`\n    -   `Content-Type: application\u002Fjson`\n*   **Body (Inferred JSON structure):**\n    ```json\n    {\n      \"title\": \"\\\">\u003Cscript>alert('XSS_SUCCESS')\u003C\u002Fscript>\",\n      \"id\": 0\n    }\n    ```\n    *Note: If `id: 0` fails, a valid kit ID might be needed, but usually, saving a new token\u002Fkit uses 0 or omits the ID.*\n\n#### Step 4: Trigger XSS\nLogin as an Administrator and navigate to the Style Kits dashboard:\n`https:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin.php?page=analogwp_templates` (based on `analogwp_templates` slug in `analogwp-templates.php`).\n\n### 6. Test Data Setup\n1.  **Plugin:** Install and activate \"Style Kits – Advanced Theme Styles for Elementor\" version 2.5.0.\n2.  **Dependencies:** Ensure Elementor is installed and activated (required by the plugin).\n3.  **User:** Create a user with the **Contributor** role.\n4.  **Content:** Create at least one \"Style Kit\" or \"Token\" if the endpoint requires an existing ID.\n\n### 7. Expected Results\n*   **Injection:** The REST API returns a `200 OK` or `201 Created` response.\n*   **Execution:** When the Admin views the kit list, the payload `\">\u003Cscript>alert('XSS_SUCCESS')\u003C\u002Fscript>` breaks out of the attribute and executes the JavaScript.\n*   **Response Analysis:** Check if the script appears unescaped in the page source of the admin dashboard.\n\n### 8. Verification Steps\n1.  **Check Database:** Use WP-CLI to verify the stored value.\n    -   `wp option get analog_tokens` (or similar depending on storage choice).\n    -   Search for the payload: `wp db query \"SELECT * FROM wp_options WHERE option_value LIKE '%XSS_SUCCESS%'\"`.\n2.  **DOM Verification:** After navigating to the settings page as Admin, use `browser_eval` to check if the alert was triggered or if the element exists:\n    -   `browser_eval(\"document.body.innerHTML.includes('XSS_SUCCESS')\")`.\n\n### 9. Alternative Approaches\n*   **Payload Contexts:** If the \"attribute context\" is a `value` attribute inside an input, use:\n    `\" onfocus=\"alert(1)\" autofocus=\"`\n*   **REST Parameters:** If the JSON body is not accepted, try standard POST data:\n    `action=save_token&title=\u003Cscript>alert(1)\u003C\u002Fscript>` (Check if the endpoint falls back to `$_REQUEST`).\n*   **Endpoint Variation:** If `\u002Fagwp\u002Fv1\u002Ftokens\u002Fsave` requires a specific ID, use `GET \u002Fwp-json\u002Fagwp\u002Fv1\u002Ftokens` first to list available IDs to overwrite.","The Style Kits for Elementor plugin is vulnerable to Stored Cross-Site Scripting via the kit title parameter of the '\u002Fwp-json\u002Fagwp\u002Fv1\u002Ftokens\u002Fsave' REST API endpoint in versions up to 2.5.0. Authenticated attackers with Contributor-level access can inject malicious scripts that are stored on the server and executed in the browser of any administrator who subsequently views the plugin's dashboard.","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fanalogwp-templates\u002F2.5.0\u002Fanalogwp-templates.php\t2026-03-27 10:46:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fanalogwp-templates\u002F2.6.0\u002Fanalogwp-templates.php\t2026-05-12 16:43:12.000000000 +0000\n@@ -10,17 +10,17 @@\n  * Plugin Name: Style Kits for Elementor\n  * Plugin URI:  https:\u002F\u002Fanalogwp.com\u002F\n  * Description: Style Kits extends the Elementor theme styles editor with more global styling options. Boost your design workflow in Elementor with intuitive global controls and theme style presets.\n- * Version:     2.5.0\n+ * Version:     2.6.0\n  * Author:      AnalogWP\n  * Author URI:  https:\u002F\u002Fanalogwp.com\u002F\n  * License:     GPL2\n  * License URI: https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\n- * Text Domain: ang\n+ * Text Domain: analogwp-templates\n  * Requires at least: 6.0\n  * Requires PHP: 7.4\n  *\n- * Elementor tested up to: 3.35.9\n- * Elementor Pro tested up to: 3.35.1\n+ * Elementor tested up to: 4.0.8\n+ * Elementor Pro tested up to: 4.0.4\n  *\u002F\n \n defined( 'ABSPATH' ) || exit;\n@@ -28,7 +28,9 @@\n define( 'ANG_ELEMENTOR_MINIMUM', '3.32.0' );\n define( 'ANG_PHP_MINIMUM', '7.4' );\n define( 'ANG_WP_MINIMUM', '6.0' );\n-define( 'ANG_VERSION', '2.5.0' );\n+define( 'ANG_VERSION', '2.6.0' );\n+define( 'ANG_TEXT_DOMAIN', 'analogwp-templates' );\n+define( 'ANG_LEGACY_TEXT_DOMAIN', 'ang' );\n define( 'ANG_PLUGIN_FILE', __FILE__ );\n define( 'ANG_PLUGIN_URL', plugin_dir_url( ANG_PLUGIN_FILE ) );\n define( 'ANG_PLUGIN_DIR', plugin_dir_path( ANG_PLUGIN_FILE ) );","An authenticated attacker with Contributor-level permissions or higher can exploit this by first obtaining a REST API nonce from any admin page (usually found in the 'wpApiSettings.nonce' JavaScript variable). The attacker then sends a POST request to the '\u002Fwp-json\u002Fagwp\u002Fv1\u002Ftokens\u002Fsave' endpoint with a JSON body including a 'title' parameter containing a malicious script, such as '\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>'. The payload is stored in the database and executes whenever an administrator views the Style Kits dashboard (wp-admin\u002Fadmin.php?page=analogwp_templates), as the plugin fails to escape the stored title when rendering it within an HTML attribute.","gemini-3-flash-preview","2026-06-04 19:27:43","2026-06-04 19:28:36",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.5.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanalogwp-templates\u002Ftags\u002F2.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanalogwp-templates.2.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanalogwp-templates\u002Ftags\u002F2.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanalogwp-templates.2.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanalogwp-templates\u002Ftags"]