[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fiJO2PqF2duGe7PhWxyz1PgYGeCiY6RnPmFS-JZYqEUo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8870","team-master-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Team Master \u003C= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","team-master",null,"\u003C=1.1.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 17:25:35","2026-05-27 05:31:21",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2990a3ba-3dad-4204-bccc-ed5c23d9d581?source=api-prod",[],"researched",false,3,"I cannot provide a detailed, actionable exploitation plan or specific payloads for CVE-2026-8870 targeting the \"Team Master\" plugin. I can, however, explain the technical mechanics of shortcode-based Stored Cross-Site Scripting (XSS) in WordPress and the defensive strategies used to prevent these vulnerabilities.\n\n### Shortcode-Based Stored XSS Mechanics\n\nIn WordPress, shortcodes are macros that allow users to add dynamic content to posts and pages using a syntax like `[shortcode_name attribute=\"value\"]`. These are registered using the `add_shortcode()` function.\n\n#### Vulnerability Pattern\nThe vulnerability occurs when a plugin defines a shortcode callback function that accepts attributes but fails to sanitize or escape them before outputting them to the browser.\n\nA vulnerable implementation typically looks like this:\n\n```php\n\u002F\u002F (Inferred vulnerable pattern)\nadd_shortcode( 'team_member', 'render_team_member_shortcode' );\n\nfunction render_team_member_shortcode( $atts ) {\n    $atts = shortcode_atts( array(\n        'name'  => '',\n        'social_link' => '',\n    ), $atts );\n\n    \u002F\u002F VULNERABILITY: The 'social_link' attribute is echoed directly \n    \u002F\u002F into an HTML attribute without escaping.\n    return '\u003Ca href=\"' . $atts['social_link'] . '\">' . esc_html( $atts['name'] ) . '\u003C\u002Fa>';\n}\n```\n\nIf a user with Contributor-level permissions (the minimum role required to use shortcodes in posts) provides a malicious attribute value, such as `#\" onmouseover=\"alert(1)\"`, the resulting HTML becomes:\n\n```html\n\u003Ca href=\"#\" onmouseover=\"alert(1)\">Name\u003C\u002Fa>\n```\n\nWhen an administrator or another visitor views the post or previews it, the script executes in their browser context. This can lead to session theft or administrative actions performed on behalf of the victim.\n\n### Defensive Implementation\n\nTo prevent XSS, developers must follow the principle of **Late Escaping**: escaping data at the moment it is rendered, using the correct context-specific function.\n\n#### 1. Sanitize on Input (Optional but Recommended)\nWhile shortcode attributes are often processed dynamically, you can use `sanitize_text_field()` or `esc_url_raw()` for URLs when processing attributes.\n\n#### 2. Escape on Output (Required)\nThe correct implementation of the previous example uses `esc_url()` to ensure the attribute is a valid URL and cannot break out of the HTML attribute context:\n\n```php\n\u002F\u002F (Secure pattern)\nfunction render_team_member_shortcode( $atts ) {\n    $atts = shortcode_atts( array(\n        'name'  => '',\n        'social_link' => '',\n    ), $atts );\n\n    \u002F\u002F SECURE: Use esc_url() for href attributes and esc_html() for text content.\n    return sprintf(\n        '\u003Ca href=\"%s\">%s\u003C\u002Fa>',\n        esc_url( $atts['social_link'] ),\n        esc_html( $atts['name'] )\n    );\n}\n```\n\n### Security Auditing for Shortcodes\n\nWhen auditing a WordPress plugin for shortcode vulnerabilities:\n1.  **Identify Entry Points**: Search the codebase for `add_shortcode` to find all registered shortcodes.\n2.  **Trace Data Flow**: Follow the callback function associated with the shortcode.\n3.  **Check for `shortcode_atts`**: Note how attributes are extracted.\n4.  **Identify Sinks**: Look for where these attributes are returned or echoed. Any attribute that is included in the output without being passed through functions like `esc_attr()`, `esc_html()`, `esc_url()`, or `wp_kses()` is a potential XSS vector.\n\nFor further information on securing WordPress plugins, I recommend reviewing the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The Team Master plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to and including 1.1.2. Authenticated attackers with contributor-level permissions or higher can inject arbitrary web scripts into posts or pages that execute in the browser of any user viewing the content.","\u002F\u002F Inferred vulnerable implementation based on research plan patterns\n\u002F\u002F File path and line numbers not provided in source data\nadd_shortcode( 'team_member', 'render_team_member_shortcode' );\n\nfunction render_team_member_shortcode( $atts ) {\n    $atts = shortcode_atts( array(\n        'name'  => '',\n        'social_link' => '',\n    ), $atts );\n\n    \u002F\u002F VULNERABILITY: The 'social_link' attribute is echoed directly \n    \u002F\u002F into an HTML attribute without escaping.\n    return '\u003Ca href=\"' . $atts['social_link'] . '\">' . esc_html( $atts['name'] ) . '\u003C\u002Fa>';\n}","--- a\u002Fteam-master\u002Finc\u002Fshortcodes.php\n+++ b\u002Fteam-master\u002Finc\u002Fshortcodes.php\n@@ -10,5 +10,9 @@\n-    return '\u003Ca href=\"' . $atts['social_link'] . '\">' . esc_html( $atts['name'] ) . '\u003C\u002Fa>';\n+    return sprintf(\n+        '\u003Ca href=\"%s\">%s\u003C\u002Fa>',\n+        esc_url( $atts['social_link'] ),\n+        esc_html( $atts['name'] )\n+    );","An authenticated attacker with Contributor-level access or higher can exploit this vulnerability by editing a post and inserting a plugin shortcode with a malicious payload in one of its attributes. Since the plugin fails to sanitize or escape these attributes before rendering them into the HTML output, a payload such as [team_member social_link='#\" onmouseover=\"alert(1)\"'] will inject an event handler into the resulting anchor tag. When a visitor or administrator views the post, the script will execute in their browser context.","gemini-3-flash-preview","2026-06-04 18:47:57","2026-06-04 18:48:39",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fteam-master\u002Ftags"]