[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fA90T4pucJRJebU8J0YOK8UuuXEwAP1IaS9IMPGWJfK4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":31},"CVE-2026-32403","toocheke-companion-authenticated-contributor-stored-cross-site-scripting","Toocheke Companion \u003C= 1.194 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Toocheke Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.194 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","toocheke-companion",null,"\u003C=1.194","1.195","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-21 00:00:00","2026-04-15 20:58:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcaa4aed4-0761-4ea6-841a-544a7f2ecb21?source=api-prod",54,[22,23],"readme.txt","toocheke-companion.php","researched",false,3,"This research plan focuses on exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the **Toocheke Companion** plugin (version \u003C= 1.194). The vulnerability allows users with **Contributor-level** permissions and above to inject malicious scripts via shortcode attributes that are rendered without proper escaping.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Stored Cross-Site Scripting (XSS)\n*   **Plugin:** Toocheke Companion\n*   **Affected Versions:** \u003C= 1.194\n*   **Sink:** Shortcode rendering functions (specifically archive-related shortcodes).\n*   **Cause:** The plugin fails to sanitize or escape the `term` attribute (and potentially others like `sid` or `link_to`) when displaying the shortcode's output on the frontend.\n*   **Permission:** Authenticated (Contributor+)\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post Editor \u002F Frontend Page Rendering\n*   **Vulnerable Component:** Shortcode handlers. 
Based on the `readme.txt`, the following shortcodes are prime candidates for the `term` attribute injection:\n    *   `[toocheke-collection-archive term=\"...\"]`\n    *   `[toocheke-chapter-archive term=\"...\"]`\n    *   `[toocheke-tag-archive term=\"...\"]`\n    *   `[toocheke-location-archive term=\"...\"]`\n    *   `[toocheke-character-archive term=\"...\"]`\n*   **Payload Parameter:** `term` attribute within the shortcode.\n*   **Preconditions:** The attacker must have a Contributor account to create a post and include the shortcode.\n\n### 3. Code Flow\n1.  **Input:** A Contributor creates a post containing the shortcode: `[toocheke-collection-archive term='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`.\n2.  **Storage:** WordPress stores this string in the `post_content` column of the `wp_posts` table.\n3.  **Registration:** The plugin registers shortcode handlers (likely in an `init` hook, though truncated in the source provided).\n4.  **Processing:** When the post is viewed, WordPress parses the shortcode and calls the plugin's handler function (e.g., `toocheke_collection_archive_shortcode`).\n5.  **Sink:** The handler retrieves the `term` attribute from the `$atts` array and echoes it back into the HTML (likely inside a heading or a container `div`) without using `esc_html()` or `esc_attr()`.\n\n### 4. Nonce Acquisition Strategy\nShortcode-based XSS **does not require a nonce** for execution. The payload is stored as part of the post content through the standard WordPress post-saving mechanism (which handles its own nonces). Once saved, the script executes whenever any user (including an Administrator) views the post.\n\n### 5. Exploitation Strategy\n1.  **Log in as Contributor:** Use the `http_request` tool to authenticate with contributor credentials.\n2.  **Create Malicious Post:** Submit a request to `wp-admin\u002Fpost-new.php` or use the REST API\u002FAJAX `autosave` to create a post containing the payload.\n3.  
**Inject Payload:** Use the `[toocheke-collection-archive]` shortcode with an attribute breakout.\n    *   **Payload:** `[toocheke-collection-archive term='\">\u003Cimg src=x onerror=alert(window.origin)>']`\n4.  **Trigger Execution:** Navigate to the newly created post's permalink using `browser_navigate`.\n5.  **Capture Output:** Verify the `alert` or presence of the unescaped HTML in the page source.\n\n### 6. Test Data Setup\n1.  **User Creation:** Create a user with the `contributor` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n2.  **Plugin Activation:** Ensure Toocheke Companion is active.\n    ```bash\n    wp plugin activate toocheke-companion\n    ```\n\n### 7. Expected Results\n*   The shortcode handler will render the HTML. If vulnerable, the output will look like:\n    `\u003Cdiv class=\"toocheke-archive-title\">Archive: \">\u003Cimg src=x onerror=alert(window.origin)>\u003C\u002Fdiv>`\n*   The browser will execute the `onerror` event, triggering the alert.\n\n### 8. Verification Steps\n1.  **Check Page Source:** After navigation, check if the string `onerror=alert` exists in the rendered HTML without being encoded as `&lt;` or `&quot;`.\n2.  **Admin Context:** Navigate to the post as an Administrator to confirm that the script executes in a high-privileged context (this is the primary impact).\n3.  **Database Check:**\n    ```bash\n    wp db query \"SELECT post_content FROM wp_posts WHERE post_title = 'XSS Test'\"\n    ```\n\n### 9. 
Alternative Approaches\nIf the `term` attribute is sanitized, try these other attributes\u002Fshortcodes identified in `readme.txt`:\n*   **Link Attribute:** `[toocheke-all-series link_to='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n*   **Order Attribute:** `[toocheke-all-series comics_order='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n*   **Series ID Attribute:** `[toocheke-all-chapters sid='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n\nIf the Block Editor is used, the payload would be stored in the Gutenberg block comment:\n```html\n\u003C!-- wp:toocheke\u002Fcollection-archive {\"term\":\"\\u0022\\u003e\\u003cimg src=x onerror=alert(1)\\u003e\"} \u002F-->\n```\nThe exploitation logic remains the same as the rendering callback for the block is usually shared with the shortcode handler.","gemini-3-flash-preview","2026-04-19 01:49:02","2026-04-19 01:49:28",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","1.194","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftoocheke-companion\u002Ftags\u002F1.194","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftoocheke-companion.1.194.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftoocheke-companion\u002Ftags\u002F1.195","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftoocheke-companion.1.195.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftoocheke-companion\u002Ftags"]