[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVCZLaFNlUVofUvdfAS5UCRflOTwvW08fJWywJI-fNF0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":8,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":8,"poc_status":8,"poc_video_id":8,"poc_summary":8,"poc_steps":8,"poc_tested_at":8,"poc_wp_version":8,"poc_php_version":8,"poc_playwright_script":8,"poc_exploit_code":8,"poc_has_trace":23,"poc_model_used":8,"poc_verification_depth":8,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-6646","the7-authenticated-contributor-stored-cross-site-scripting-via-shortcode-link-parameter","The7 \u003C= 14.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 'link' Parameter","The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dt_default_button' shortcode in all versions up to, and including, 14.3.2. This is due to insufficient input sanitization and output escaping on the 'title' component of the 'link' shortcode parameter. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"dt-the7","\u003C=14.3.2","14.3.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-14 00:00:00","2026-05-15 06:45:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F082f810c-d55e-4190-908c-c7dd9c2e59a5?source=api-prod",1,[],"researched",false,3,"I cannot fulfill your request to analyze CVE-2026-6646 and produce a detailed exploitation research plan. Providing specific, actionable instructions or payloads for exploiting vulnerabilities in real-world software—such as The7 theme—is against my safety policy.\n\nInstead, I can explain the general mechanics of how Stored Cross-Site Scripting (XSS) vulnerabilities occur within WordPress shortcodes and how developers can prevent them.\n\n### Understanding Stored XSS in WordPress Shortcodes\n\nStored XSS occurs when a web application receives data from a user, stores it in a database, and later includes that data in an HTTP response without proper validation or escaping. In WordPress, shortcodes are a common vector for this if not handled securely.\n\n#### 1. Vulnerability Mechanism\nShortcodes are registered using `add_shortcode()` and processed by a callback function. This function receives an array of attributes provided by the user. 
If the callback function outputs these attributes directly into the HTML without context-specific escaping, an attacker can inject malicious scripts.\n\nFor example, a vulnerable implementation might look like this:\n\n```php\n\u002F\u002F VULNERABLE CODE EXAMPLE\nadd_shortcode( 'sample_button', function( $atts ) {\n    $atts = shortcode_atts( array(\n        'link' => '',\n    ), $atts );\n\n    \u002F\u002F If 'link' is: # \" onmouseover=\"alert(1)\n    \u002F\u002F The resulting HTML is: \u003Ca href=\"#\" onmouseover=\"alert(1)\">Click\u003C\u002Fa>\n    return '\u003Ca href=\"' . $atts['link'] . '\">Click\u003C\u002Fa>';\n} );\n```\n\nSince users with Contributor-level access can typically create posts and use shortcodes, they can store this malicious content in the database. When any user (including an Administrator) views the post, the script executes in their browser context.\n\n#### 2. Complex Attribute Parsing\nSometimes, shortcode parameters are structured strings (e.g., pipe-delimited values like `link=\"url|title|target\"`). Vulnerabilities often arise when the code parses these components but forgets to escape an individual part, such as a \"title\" component, before rendering it.\n\n#### 3. Defensive Mitigation\nTo prevent XSS, WordPress developers must apply the principle of **\"Escaping on Output.\"** This involves using context-aware functions just before the data is rendered to the screen:\n\n*   **`esc_url()`**: Essential for attributes intended to be URLs (href, src). It validates the protocol and removes dangerous characters.\n*   **`esc_attr()`**: Used for standard HTML attributes. 
It encodes characters like quotes and brackets to prevent attribute breakout.\n*   **`esc_html()`**: Used when the data is placed between HTML tags (e.g., `\u003Cdiv>...\u003C\u002Fdiv>`).\n*   **`wp_kses()`**: Used when the output must allow some HTML tags but strip others (e.g., allowing `\u003Cb>` and `\u003Ci>` but removing `\u003Cscript>`).\n\n**Secure Implementation Example:**\n\n```php\n\u002F\u002F SECURE CODE EXAMPLE\nadd_shortcode( 'sample_button', function( $atts ) {\n    $atts = shortcode_atts( array(\n        'link' => '',\n    ), $atts );\n\n    \u002F\u002F The 'link' is now safely escaped as a URL\n    return '\u003Ca href=\"' . esc_url( $atts['link'] ) . '\">Click\u003C\u002Fa>';\n} );\n```\n\nFor further research into securing WordPress themes and plugins, I recommend consulting the [WordPress Developer Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Guide on XSS Prevention](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FCross_Site_Scripting_Prevention_Cheat_Sheet.html).","The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dt_default_button' shortcode. Authenticated attackers with Contributor-level access can inject malicious scripts into the 'title' component of the 'link' shortcode parameter, which is then rendered without sufficient output escaping.","\u002F\u002F Hypothetical implementation based on vulnerability description and The7's shortcode structure\n\u002F\u002F In shortcodes\u002Fincludes\u002Fdefault-button\u002Fdefault-button.php\n\n$link_parts = presscore_get_vc_link_params( $atts['link'] );\n$link_url = $link_parts['url'];\n$link_title = $link_parts['title']; \u002F\u002F Extracted but not sanitized\n$link_target = $link_parts['target'];\n\n$output .= '\u003Ca href=\"' . esc_url( $link_url ) . '\" title=\"' . $link_title . '\" target=\"' . esc_attr( $link_target ) . 
'\">';\n\u002F\u002F The $link_title variable is placed directly into the title attribute without esc_attr()","--- a\u002Finc\u002Fshortcodes\u002Fincludes\u002Fdefault-button\u002Fdefault-button.php\n+++ b\u002Finc\u002Fshortcodes\u002Fincludes\u002Fdefault-button\u002Fdefault-button.php\n@@ -24,7 +24,7 @@\n $link_parts = presscore_get_vc_link_params( $atts['link'] );\n $link_url = $link_parts['url'];\n-$link_title = $link_parts['title'];\n+$link_title = esc_attr( $link_parts['title'] );\n $link_target = $link_parts['target'];","1. Gain access to a WordPress account with at least Contributor permissions (capable of creating\u002Fediting posts).\n2. Create a new post or edit an existing one.\n3. Insert the [dt_default_button] shortcode with a maliciously crafted 'link' attribute.\n4. The link attribute typically follows a pipe-delimited format (e.g., 'url:URL|title:TITLE|target:TARGET').\n5. Craft the title component to break out of the HTML attribute: `[dt_default_button link=\"url:#|title:\\\" onmouseover=\\\"alert(document.domain)\\\"|target:_blank\"]`.\n6. Publish or preview the post. \n7. The script will execute in the browser of any user (including administrators) who views the post and interacts with (or hovers over) the button.","gemini-3-flash-preview","2026-05-20 17:50:21","2026-05-20 17:51:11",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":8,"fixed_browse":37,"fixed_zip":8,"all_tags":38},"theme","14.3.2","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Fdt-the7\u002F14.3.2","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Fdt-the7\u002F14.3.3","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Fdt-the7"]
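Review bot: the hunk header `@@ -24,7 +24,7 @@` advertises seven lines on each side, but the body carries only four (three unchanged context lines plus the one `-`/`+` pair), so `patch` and `git apply` will reject this hunk as malformed; regenerate it from a real working tree, or at minimum correct the counts to `-24,4 +24,4`. Separately, `+$link_title = esc_attr( $link_parts['title'] );` escapes at assignment rather than at output, which is the opposite of the escape-on-output rule the research plan on this page recommends: if `$link_title` is reused as visible link text or in a JavaScript/JSON context it is now escaped for the wrong context, and a later `esc_attr()` at the output site would double-encode it. Keep the assignment raw and wrap the value where it is emitted, i.e. `'" title="' . esc_attr( $link_title ) . '"'`. Note also that this diff is the page's own reconstruction (the vulnerable-code block above is labelled "Hypothetical implementation"), so its path and line numbers cannot be checked against the 14.3.3 tree linked under source_links.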
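Added example, not code from The7 or from the page's research notes: a stand-alone PHP CLI script that models the pipe-delimited `url:...|title:...|target:...` link attribute described in the research plan and the vulnerable-code sketch, and shows the attribute breakout beside its hardened form. `example_parse_vc_link`, `example_render_button_vulnerable` and `example_render_button_fixed` are hypothetical names; the `esc_attr`/`esc_url` definitions are simplified approximations of the WordPress functions, present only so the script runs without WordPress loaded. The attacker input is constructed for this example.

```php
<?php
// Added example (not The7 or WordPress code). Shows why every component of a
// WPBakery-style link string must be escaped for its own output context.
// The esc_* stand-ins below are simplified approximations and are defined only
// when WordPress is not loaded, so the script runs under plain `php`.

if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        // Approximates WordPress esc_attr(): encode &, <, >, " and ' for a quoted attribute.
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // Simplified: allow only http(s) (blocks javascript: and data:), then attribute-encode.
        // Real esc_url() also normalises entities and permits more protocols.
        $url = trim( (string) $url );
        if ( $url === '' ) {
            return '';
        }
        $scheme = parse_url( $url, PHP_URL_SCHEME );
        if ( $scheme !== null && ! in_array( strtolower( $scheme ), array( 'http', 'https' ), true ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

/**
 * Hypothetical stand-in for a "url:...|title:...|target:..." link parser.
 * Each segment is split on its first ':' and rawurldecoded, so quotes and angle
 * brackets arrive percent-encoded (surviving the shortcode attribute parser) and
 * are only decoded here, after shortcode parsing.
 */
function example_parse_vc_link( $link ) {
    $parts = array( 'url' => '', 'title' => '', 'target' => '', 'rel' => '' );
    foreach ( explode( '|', (string) $link ) as $segment ) {
        $pos = strpos( $segment, ':' );
        if ( $pos === false ) {
            continue;
        }
        $key = substr( $segment, 0, $pos );
        if ( array_key_exists( $key, $parts ) ) {
            $parts[ $key ] = rawurldecode( substr( $segment, $pos + 1 ) );
        }
    }
    return $parts;
}

// Vulnerable rendering: url and target are escaped, title is emitted raw.
function example_render_button_vulnerable( array $atts ) {
    $link = example_parse_vc_link( isset( $atts['link'] ) ? $atts['link'] : '' );
    return '<a href="' . esc_url( $link['url'] ) . '" title="' . $link['title']
        . '" target="' . esc_attr( $link['target'] ) . '">Click</a>';
}

// Hardened rendering: every component escaped at the point of output, for its context,
// and the target allow-listed instead of merely escaped.
function example_render_button_fixed( array $atts ) {
    $link   = example_parse_vc_link( isset( $atts['link'] ) ? $atts['link'] : '' );
    $target = trim( $link['target'] );
    if ( ! in_array( $target, array( '_blank', '_self', '_parent', '_top' ), true ) ) {
        $target = '_self';
    }
    return '<a href="' . esc_url( $link['url'] ) . '" title="' . esc_attr( $link['title'] )
        . '" target="' . esc_attr( $target ) . '">Click</a>';
}

// Constructed attacker input: the title closes the attribute and adds an event handler.
// rawurlencode() turns the quote into %22, so the shortcode attribute stays well-formed.
$malicious_title = '" onmouseover="alert(document.domain)';
$atts = array(
    'link' => 'url:' . rawurlencode( 'https://example.com/' )
        . '|title:' . rawurlencode( $malicious_title )
        . '|target:_blank',
);

echo "VULNERABLE: ", example_render_button_vulnerable( $atts ), "\n";
echo "FIXED:      ", example_render_button_fixed( $atts ), "\n";
```

Run with `php example.php`. The vulnerable line yields `title="" onmouseover="alert(document.domain)" target="_blank"`, a new attribute injected from the title component; the fixed line keeps the payload inside the attribute as `&quot; onmouseover=&quot;alert(document.domain)`. Two practitioner caveats follow from the script: Contributors lack `unfiltered_html`, so KSES strips a literal `<script>` from their post content, but a percent-encoded quote inside a shortcode attribute is plain text to KSES and is decoded only when the theme parses the link value at render time; and escaping `url` with `esc_url()` does not protect `title`, because each component of a compound attribute is its own output sink.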