[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwYTs4EQ_M8WYgdTWPl7Iv75yn1IyPzHkFz9c0-vRfVM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-32449","themify-event-post-authenticated-contributor-stored-cross-site-scripting-2","Themify Event Post \u003C= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Themify Event Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","themify-event-post",null,"\u003C=1.3.4","1.3.5","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-08 00:00:00","2026-04-15 21:07:02",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5782c338-1474-48e1-8b1d-015e3bb1c23d?source=api-prod",39,[22,23,24,25],"includes\u002Ffunctions.php","readme.txt","templates\u002Fshortcode.php","themify-event-post.php","researched",false,3,"This research plan outlines the steps to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the **Themify Event Post** plugin (\u003C= 1.3.4).\n\n### 1. Vulnerability Summary\nThe plugin fails to sanitize and escape post metadata associated with the `event` custom post type. Specifically, the function `themify_event_type()` in `includes\u002Ffunctions.php` retrieves the meta key `event_attendance` and echoes it directly to the page using `sprintf` without any call to `esc_html()`, `esc_attr()`, or `wp_kses()`. This allows a Contributor-level user to inject arbitrary HTML and JavaScript into the `event_attendance` field, which is then executed when any user (including an Administrator) views the affected event post or a list of events.\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** `wp-admin\u002Fpost.php` (via the standard WordPress post saving mechanism).\n*   **Vulnerable Parameter:** `event_attendance` (sent as a POST parameter during post creation or update).\n*   **Authentication Level:** Contributor or above. 
Contributors can create and edit their own posts of the `event` type.\n*   **Preconditions:** The plugin must be active, and the 'event' post type must be registered (handled automatically on activation).\n\n### 3. Code Flow\n1.  **Input Source:** An authenticated user with `edit_posts` capability (Contributor+) submits a POST request to `wp-admin\u002Fpost.php` to save or update a post of type `event`. The request contains the malicious payload in the `event_attendance` field.\n2.  **Storage:** While the specific saving logic is in `includes\u002Fpost-type.php` (not provided in full), the vulnerability description confirms that input is not sanitized. The payload is stored in the `wp_postmeta` table under the key `event_attendance`.\n3.  **Data Retrieval:** When the event is rendered (either on a single post page or via a shortcode), the function `themify_event_type()` is called.\n    *   Location: `includes\u002Ffunctions.php`\n    *   Code: `$e_type = get_post_meta( $post_id, 'event_attendance', true );`\n4.  **Vulnerable Sink:** The retrieved `$e_type` is printed raw.\n    *   Location: `includes\u002Ffunctions.php`\n    *   Code: `echo sprintf('\u003Cdiv class=\"tep_type\">%s\u003C\u002Fdiv>',$e_type);`\n\n### 4. Nonce Acquisition Strategy\nTo save a post in WordPress, a valid `_wpnonce` for the `update-post_\u003CID>` action is required.\n1.  **Navigate to Post Creation:** Use `browser_navigate` to `wp-admin\u002Fpost-new.php?post_type=event`.\n2.  **Extract Nonce and ID:** Use `browser_eval` to extract the `_wpnonce` value from the form and the `post_ID` from the hidden input or the URL.\n    *   `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n    *   `browser_eval(\"document.querySelector('#post_ID').value\")`\n\n### 5. Exploitation Strategy\n1.  **Setup:** Create a Contributor user and log in.\n2.  
**Intercept\u002FIdentify Field:** Although the provided source doesn't show the HTML form, standard Themify meta boxes typically use the meta key as the `name` attribute. We will send `event_attendance` in the POST request.\n3.  **HTTP Request (Post Update):**\n    *   **Tool:** `http_request`\n    *   **URL:** `https:\u002F\u002F\u003CTARGET>\u002Fwp-admin\u002Fpost.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:**\n        ```\n        action=editpost\n        &post_type=event\n        &post_ID=\u003CPOST_ID>\n        &_wpnonce=\u003CNONCE>\n        &post_title=XSS+Test+Event\n        &event_attendance=\u003Cimg src=x onerror=alert(origin)>\n        &save=Save+Draft\n        ```\n4.  **Trigger Execution:** View the event post. Since we may not know the theme's layout, the most reliable way to trigger the sink is to view a page containing the plugin's shortcode.\n    *   Create a page with: `[themify_event_post id=\"\u003CPOST_ID>\"]`\n    *   Navigate to this page.\n\n### 6. Test Data Setup\n1.  **Create Contributor:** `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n2.  **Create View Page:** `wp post create --post_type=page --post_title=\"Event Display\" --post_status=publish --post_content='[themify_event_post]'`\n\n### 7. Expected Results\n*   The `POST` request to `post.php` should return a `302` redirect to the editor page, indicating the post was saved.\n*   When navigating to the \"Event Display\" page, the browser should execute the JavaScript `alert(origin)`, confirming that the payload was rendered without escaping.\n\n### 8. Verification Steps\n1.  **Check Meta Storage:** `wp post meta get \u003CPOST_ID> event_attendance`\n    *   *Success criteria:* Output matches `\u003Cimg src=x onerror=alert(origin)>`\n2.  
**Inspect HTML Output:** Use `http_request` (GET) on the page containing the shortcode and search for the payload.\n    *   *Success criteria:* The response body contains `\u003Cdiv class=\"tep_type\">\u003Cimg src=x onerror=alert(origin)>\u003C\u002Fdiv>`\n\n### 9. Alternative Approaches\nIf `event_attendance` is not directly editable via `post.php`, try:\n*   **Custom Field Injection:** Use the standard WordPress `metakeyselect`\u002F`metavalue` fields if the \"Custom Fields\" meta box is enabled.\n*   **Other Meta Keys:** The snippet mentions `event_organizer`, `event_performer`, and `event_location` in the shortcode defaults. Check if functions like `themify_event_organizer()` also lack escaping (common in Themify plugins).\n*   **Map Address:** Inject the payload into the `address` parameter of the `[themify_event_post]` shortcode if the Contributor can edit pages, or via the map meta field, as `themify_event_post_map` renders a `data-map` attribute which might be parsed unsafely by the plugin's JavaScript.","The Themify Event Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in the `event_attendance` post meta field and the `template_before`\u002F`template_after` shortcode attributes. This allows authenticated attackers with contributor-level access or above to inject arbitrary web scripts that execute whenever a user views an affected event post or shortcode output.","\u002F\u002F includes\u002Ffunctions.php line 1042-1048\nfunction themify_event_type() {\n    $post_id = get_the_ID();\n    $e_type=get_post_meta( $post_id, 'event_attendance', true );\n    if(empty($e_type)){\n        return;\n    }\n    echo sprintf('\u003Cdiv class=\"tep_type\">%s\u003C\u002Fdiv>',$e_type);\n}\n\n---\n\n\u002F\u002F templates\u002Fshortcode.php line 51-54\nif ( empty( $args['template_before'] ) )\n\t$args['template_before'] = '\u003Cdiv class=\"themify_event_post_loop ' . 
esc_attr( $args['style'] ) . '\">';\nif ( empty( $args['template_after'] ) )\n\t$args['template_after'] = '\u003C\u002Fdiv>';\n\n\u002F\u002F templates\u002Fshortcode.php line 75\necho $args['template_before'] . $this->get_shortcode_template( $events[0], $args['template'], $args ) . $args['template_after'];","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemify-event-post\u002F1.3.4\u002Fincludes\u002Ffunctions.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemify-event-post\u002F1.3.5\u002Fincludes\u002Ffunctions.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemify-event-post\u002F1.3.4\u002Fincludes\u002Ffunctions.php\t2025-08-14 02:01:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemify-event-post\u002F1.3.5\u002Fincludes\u002Ffunctions.php\t2026-02-27 00:13:42.000000000 +0000\n@@ -1044,4 +1044,47 @@\n         }\n     }\n     return $attribute_string;\n+}\n+\n+\u002F**\n+ * Sanitize user-provided shortcode wrapper templates.\n+ *\n+ * WordPress core unescapes shortcode attributes (e.g. \"\\\\x3c\" -> \"\u003C\").\n+ * Without sanitization, template_before\u002Ftemplate_after can be used for XSS.\n+ *\n+ * @param string $html Wrapper HTML.\n+ * @return string Sanitized HTML.\n+ *\u002F\n+function themify_event_post_sanitize_template_wrapper( $html ) : string {\n+\tif ( $html === '' || ! 
is_string( $html ) ) {\n+\t\treturn '';\n+\t}\n+\n+\t$allowed = array(\n+\t\t'div'     => array( 'class' => true, 'id' => true, 'role' => true, 'aria-label' => true, 'aria-hidden' => true ),\n+\t\t'span'    => array( 'class' => true, 'id' => true, 'role' => true, 'aria-label' => true, 'aria-hidden' => true ),\n+\t\t'p'       => array( 'class' => true, 'id' => true ),\n+\t\t'br'      => array(),\n+\t\t'ul'      => array( 'class' => true, 'id' => true ),\n+\t\t'ol'      => array( 'class' => true, 'id' => true ),\n+\t\t'li'      => array( 'class' => true, 'id' => true ),\n+\t\t'a'       => array( 'href' => true, 'class' => true, 'id' => true, 'rel' => true, 'target' => true, 'title' => true, 'aria-label' => true ),\n+\t\t'strong'  => array(),\n+\t\t'em'      => array(),\n+\t\t'b'       => array(),\n+\t\t'i'       => array(),\n+\t\t'h1'      => array( 'class' => true, 'id' => true ),\n+\t\t'h2'      => array( 'class' => true, 'id' => true ),\n+\t\t'h3'      => array( 'class' => true, 'id' => true ),\n+\t\t'h4'      => array( 'class' => true, 'id' => true ),\n+\t\t'h5'      => array( 'class' => true, 'id' => true ),\n+\t\t'h6'      => array( 'class' => true, 'id' => true ),\n+\t\t'section' => array( 'class' => true, 'id' => true, 'role' => true, 'aria-label' => true ),\n+\t\t'article' => array( 'class' => true, 'id' => true, 'role' => true, 'aria-label' => true ),\n+\t\t'header'  => array( 'class' => true, 'id' => true ),\n+\t\t'footer'  => array( 'class' => true, 'id' => true ),\n+\t\t'nav'     => array( 'class' => true, 'id' => true, 'role' => true, 'aria-label' => true ),\n+\t);\n+\n+\treturn wp_kses( $html, $allowed );\n }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemify-event-post\u002F1.3.4\u002Ftemplates\u002Fshortcode.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemify-event-post\u002F1.3.5\u002Ftemplates\u002Fshortcode.php\n--- 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemify-event-post\u002F1.3.4\u002Ftemplates\u002Fshortcode.php\t2025-08-14 02:01:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemify-event-post\u002F1.3.5\u002Ftemplates\u002Fshortcode.php\t2026-02-27 00:13:42.000000000 +0000\n@@ -48,6 +48,10 @@\n if ( empty( $args['template_after'] ) )\n \t$args['template_after'] = '\u003C\u002Fdiv>';\n \n+\u002F\u002F Prevent XSS via user-supplied wrapper templates.\n+$args['template_before'] = themify_event_post_sanitize_template_wrapper( $args['template_before'] );\n+$args['template_after']  = themify_event_post_sanitize_template_wrapper( $args['template_after'] );\n+","The vulnerability can be exploited in two ways by an attacker with at least Contributor-level privileges:\n\n1. Metadata Injection: Create or edit an 'event' custom post type and send a POST request to `wp-admin\u002Fpost.php` with the `event_attendance` parameter containing a JavaScript payload (e.g., `\u003Cscript>alert(1)\u003C\u002Fscript>`). The script will execute whenever the event's metadata is rendered via the `themify_event_type()` function.\n\n2. Shortcode Attribute Injection: Use the `[themify_event_post]` shortcode within a post or page and provide a malicious payload in the `template_before` or `template_after` attributes. For example: `[themify_event_post template_before=\"\u003Cimg src=x onerror=alert(1)>\"]`. 
Because the plugin retrieves these attributes and echoes them without sanitization, the script will execute when the page containing the shortcode is viewed by any user.","gemini-3-flash-preview","2026-04-18 05:19:00","2026-04-18 05:19:42",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.3.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthemify-event-post\u002Ftags\u002F1.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthemify-event-post.1.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthemify-event-post\u002Ftags\u002F1.3.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthemify-event-post.1.3.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthemify-event-post\u002Ftags"]
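Review bot: the includes/functions.php hunk (@@ -1044,4 +1044,47 @@) only adds themify_event_post_sanitize_template_wrapper() and leaves the first sink this record identifies untouched: no hunk in the patch changes `echo sprintf('<div class="tep_type">%s</div>',$e_type);` in themify_event_type(), which still echoes the `event_attendance` post meta raw. Either the diff is incomplete or the metadata-injection vector described in the exploit outline is not closed in 1.3.5; that line should escape on output, e.g. `echo sprintf('<div class="tep_type">%s</div>', esc_html( $e_type ));`, and the meta value should additionally be sanitized on save. Separately, the research_vulnerable_code field cites lines 1042-1048 of includes/functions.php for themify_event_type(), but the hunk at line 1044 shows `return $attribute_string;`, so those cited line numbers do not match the 1.3.4 file the diff was generated from and should be corrected.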