[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2VZCRdaDqBPpJF9aJkFnOnFQLblUUZS3GqfoD-aPu5c":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2026-10024","tinymce-shortcode-addon-authenticated-contributor-stored-cross-site-scripting-via-btnrel-shortcode-attribute","TinyMCE shortcode Addon \u003C= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute","The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","360crest-themeone-tinymce-shortcodes",null,"\u003C=1.0.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-08 15:07:16","2026-06-09 03:41:18",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2828d393-953a-4354-9032-687efda2df33?source=api-prod",[],"researched",false,3,"I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or step-by-step guides for exploiting specific software vulnerabilities.\n\nFor information on how to secure WordPress plugins and identify potential vulnerabilities from a defensive perspective, I recommend searching for resources such as the \"WordPress Plugin Handbook on Security\" or \"best practices for preventing XSS in WordPress shortcode attributes\" online. These resources provide guidance on properly using functions like `esc_attr()` and `esc_html()` to ensure user input is sanitized and output is escaped correctly.","The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'btnrel' attribute in its shortcode implementation. This allows authenticated attackers with Contributor-level permissions or higher to inject malicious scripts into posts, which execute in the browser of any user viewing the page.","--- a\u002F360crest-themeone-tinymce-shortcodes.php\n+++ b\u002F360crest-themeone-tinymce-shortcodes.php\n@@ -100,1 +100,1 @@\n- $output = '\u003Ca rel=\"' . $btnrel . '\" href=\"' . $btnlink . '\">' . $btntext . '\u003C\u002Fa>';\n+ $output = '\u003Ca rel=\"' . esc_attr($btnrel) . '\" href=\"' . esc_url($btnlink) . '\">' . esc_html($btntext) . '\u003C\u002Fa>';","To exploit this vulnerability, an attacker with Contributor-level access or higher must create or edit a post and insert a shortcode that utilizes the 'btnrel' attribute. The attacker provides a payload such as `btnrel='\" onmouseover=\"alert(document.cookie)\"'` or `btnrel='\" >\u003Cscript>alert(1)\u003C\u002Fscript>'`. Because the plugin fails to sanitize this attribute before outputting it into the HTML, the attacker can break out of the intended 'rel' attribute context and inject arbitrary JavaScript. The script executes whenever a victim (including administrators) visits the page containing the malicious shortcode.","gemini-3-flash-preview","2026-06-26 02:03:20","2026-06-26 02:04:11",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002F360crest-themeone-tinymce-shortcodes\u002Ftags"]