[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIZE_Pp9XJEVFtbH7_OyzH28Bgj6E4JWZkLDh46BCNok":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-1401","tune-library-missing-authorization-to-authenticated-subscriber-stored-cross-site-scripting-via-csv-import","Tune Library \u003C= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import","The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode.","tune-library",null,"\u003C=1.6.3","1.6.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-05 00:00:00","2026-02-06 06:46:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcd600810-b1bc-4025-b441-5c90da7240de?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1401 (Tune Library \u003C= 1.6.3)\n\n## 1. Vulnerability Summary\nThe **Tune Library** plugin for WordPress is vulnerable to **Stored Cross-Site Scripting (XSS)** due to a lack of authorization checks and improper sanitization in its CSV import functionality. While intended for administrators, the import logic is accessible to any authenticated user (including Subscriber level) because it fails to verify user capabilities. Furthermore, data imported from the CSV is stored in the database and later rendered by the `[tune-library]` shortcode without sufficient escaping, allowing an attacker to execute arbitrary JavaScript in the context of any user viewing a page where the shortcode is present.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint**: Likely an AJAX action or an `admin_init` hook handling CSV processing. Based on common patterns in this plugin, the target is likely `admin-ajax.php` with a specific action related to CSV importing.\n*   **Action Name**: `tune_library_import_csv` or `tune_library_process_csv` (inferred).\n*   **Payload Parameter**: A `$_FILES` upload containing a `.csv` file with an XSS payload in one of the columns (e.g., `artist`, `title`, or `album`).\n*   **Authentication**: Required (Subscriber level or higher).\n*   **Preconditions**: The plugin must be active. To trigger the XSS, a page containing the `[tune-library]` shortcode must be visited.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point**: A user sends a POST request to `wp-admin\u002Fadmin-ajax.php` with `action=tune_library_import_csv`.\n2.  **Missing Check**: The handler function (e.g., `tune_library_import_handler()`) lacks a `current_user_can('manage_options')` check, allowing Subscribers to trigger the function.\n3.  **Processing**: The function reads the uploaded CSV file. It iterates through the rows and saves them to a custom table (e.g., `{$wpdb->prefix}tune_library`) or an option. It fails to use `sanitize_text_field()` or similar on the CSV column data.\n4.  **Storage**: The malicious payload `\u003Cscript>alert(1)\u003C\u002Fscript>` is saved into the database.\n5.  **Sink**: A user visits a page with the `[tune-library]` shortcode. The shortcode callback function (e.g., `tune_library_shortcode_renderer()`) fetches the rows from the database and echoes them directly or inside an HTML table without using `esc_html()` or `esc_attr()`.\n\n## 4. Nonce Acquisition Strategy\nIf the plugin uses `wp_localize_script` to provide a nonce for the import interface, the agent should:\n1.  **Identify Script Localization**: Look for `wp_localize_script` in the plugin code (e.g., `tune-library-admin.php`). \n2.  **Determine Variable**: Identify the JS object and key (e.g., `tuneLibraryAdmin.importNonce`).\n3.  **Create Access Point**: If the script only loads on the plugin's admin page, use a Subscriber account to attempt to access the admin area. Note that even if the Subscriber cannot see the full UI, the script might still be enqueued on `admin-ajax.php` or `wp-admin\u002F`.\n4.  **Browser Evaluation**:\n    *   Navigate to the WordPress Dashboard as a Subscriber.\n    *   Run: `browser_eval(\"window.tuneLibraryAdmin?.importNonce || window.tune_library_settings?.nonce\")`\n5.  **Bypass Check**: If `check_ajax_referer` is called with the third parameter set to `false` and the return value is not checked, the nonce can be omitted or sent with an invalid value.\n\n## 5. Exploitation Strategy\n### Step 1: Prepare the Malicious CSV\nCreate a file named `xss.csv` with the following content:\n```csv\nartist,title,album,year\n\"\u003Cimg src=x onerror=alert('XSS_SUCCESS')>\",Test Song,Test Album,2024\n```\n\n### Step 2: Perform the Import (As Subscriber)\nSend the multipart POST request to `admin-ajax.php`.\n\n*   **URL**: `http:\u002F\u002Flocalhost:8888\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method**: `POST`\n*   **Headers**: `Content-Type: multipart\u002Fform-data`\n*   **Body Parameters**:\n    *   `action`: `tune_library_import_csv` (inferred)\n    *   `_wpnonce`: `[EXTRACTED_NONCE]` (if required)\n    *   `csv_file`: `[FILE_CONTENT:xss.csv]`\n\n### Step 3: Trigger the Payload\nCreate a public page with the `[tune-library]` shortcode and navigate to it.\n\n## 6. Test Data Setup\n1.  **Subscriber User**: Create a user with the `subscriber` role.\n    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n2.  **Target Page**: Create a page that renders the library.\n    *   `wp post create --post_type=page --post_title=\"Music Library\" --post_status=publish --post_content='[tune-library]'`\n3.  **Identify Action**: Use `grep -r \"wp_ajax_\" wp-content\u002Fplugins\u002Ftune-library\u002F` to find the exact action name for CSV import.\n\n## 7. Expected Results\n*   The import request should return a successful status (e.g., `{\"success\": true}` or `1`).\n*   When navigating to the \"Music Library\" page, an alert box with `XSS_SUCCESS` should appear.\n*   The HTML source of the page should contain the raw, unescaped `\u003Cimg>` tag within the library table\u002Flist.\n\n## 8. Verification Steps\n1.  **Database Check**: Verify the payload is stored in the database.\n    *   `wp db query \"SELECT * FROM wp_tune_library WHERE artist LIKE '%onerror%';\" --allow-root`\n2.  **HTTP Response Check**: Use the `http_request` tool to fetch the \"Music Library\" page and check for the payload in the raw HTML.\n    *   `grep \"\u003Cimg src=x onerror=alert('XSS_SUCCESS')>\"` in the response body.\n\n## 9. Alternative Approaches\n*   **Option-based Storage**: If the plugin stores data in `wp_options` instead of a custom table, use `wp option get tune_library_data` to verify the injection.\n*   **Attribute Breakout**: If the data is rendered inside an attribute (e.g., `\u003Cdiv data-artist=\"VALUE\">`), use a payload like `\">\u003Cscript>alert(1)\u003C\u002Fscript>` to break out of the attribute context.\n*   **Missing Nonce**: If no nonce is found in the code via `grep`, skip the nonce acquisition step and send the request without the `_wpnonce` parameter.","gemini-3-flash-preview","2026-04-21 04:14:02","2026-04-21 04:14:54",{"type":30,"vulnerable_version":31,"fixed_version":11,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":34,"fixed_zip":35,"all_tags":36},"plugin","1.6.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftune-library\u002Ftags\u002F1.6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftune-library.1.6.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftune-library\u002Ftags\u002F1.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftune-library.1.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftune-library\u002Ftags"]