[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1GGlIPe7W932VKOLgej0PhPw2RfO_CCU-UpxresuD1E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4089","twittee-text-tweet-authenticated-contributor-stored-cross-site-scripting-via-id-shortcode-attribute","Twittee Text Tweet \u003C= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute","The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttt_twittee_tweeter() function uses extract() to pull shortcode attributes into local variables and then directly concatenates them into HTML output without any escaping. Specifically, the $id parameter is inserted into an HTML id attribute context without esc_attr(), allowing an attacker to break out of the attribute and inject arbitrary HTML event handlers. Additionally, the $tweet, $content, $balloon, and $theme attributes are similarly injected into inline JavaScript without escaping (lines 87, 93, 101, 117). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","twittee-text-tweet",null,"\u003C=1.0.8","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-21 19:07:17","2026-04-22 07:45:35",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4d678e97-f466-4640-83ee-a3a24550e8d8?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-4089 (Twittee Text Tweet Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Twittee Text Tweet** plugin (up to version 1.0.8) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the shortcode handler function `ttt_twittee_tweeter()`. This function processes user-provided shortcode attributes using `extract()`, which turns attribute keys into local variables. These variables (specifically `id`, `tweet`, `content`, `balloon`, and `theme`) are then directly concatenated into the HTML output and inline JavaScript blocks without sanitization or escaping (e.g., missing `esc_attr()` and `esc_js()`).\n\n## 2. Attack Vector Analysis\n- **Shortcode Tag:** `[twittee]` (inferred from function name `ttt_twittee_tweeter`).\n- **Vulnerable Attributes:** `id`, `tweet`, `content`, `balloon`, `theme`.\n- **Authentication Level:** Contributor+ (any user capable of creating or editing posts\u002Fpages).\n- **Injection Type:** Stored XSS. The payload is saved within the post content and executed whenever the post is viewed.\n- **Sinks:**\n 1. **HTML Attribute Context:** The `$id` variable is injected into an HTML `id=\"...\"` attribute.\n 2. **JavaScript String Context:** Variables `$tweet`, `$content`, `$balloon`, and `$theme` are injected into inline `\u003Cscript>` blocks (lines 87, 93, 101, 117).\n\n## 3. Code Flow\n1. **Registration:** The plugin registers a shortcode (likely `twittee`) using `add_shortcode( 'twittee', 'ttt_twittee_tweeter' )`.\n2. **Input Processing:** When a post containing the shortcode is rendered, WordPress calls `ttt_twittee_tweeter( $atts )`.\n3. **Variable Extraction:** The function calls `extract( shortcode_atts( ..., $atts ) )`. This populates variables like `$id` and `$tweet` with raw user input.\n4. **Vulnerable Concatenation (HTML):**\n - The code likely looks like: `$output .= '\u003Cdiv id=\"' . $id . '\">...\u003C\u002Fdiv>';`\n - An attacker can use `id='x\" onmouseover=\"alert(1)\"'` to inject an event handler.\n5. **Vulnerable Concatenation (JS):**\n - The code likely looks like: `$output .= '\u003Cscript>var tweet = \"' . $tweet . '\";\u003C\u002Fscript>';`\n - An attacker can use `tweet='\";alert(1);\u002F\u002F'` to break out of the JS string and execute arbitrary code.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited by **saving a post** containing a shortcode. \n- **Post Creation Nonce:** Standard WordPress post creation\u002Fediting requires a nonce (`_wpnonce`), but this is part of the standard WordPress core UI.\n- **Plugin-Specific Nonce:** The `ttt_twittee_tweeter()` function is a shortcode renderer; it does **not** require a plugin-specific nonce to execute during page rendering.\n- **Strategy:** The agent will log in as a Contributor, navigate to `wp-admin\u002Fpost-new.php`, extract the standard WordPress `_wpnonce` from the form, and then submit a `wp_ajax_save-post` or standard POST request to save the malicious shortcode.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate two types of XSS: one via HTML attribute breakout and one via JavaScript string breakout.\n\n### Step 1: Login and Create Post\nThe agent will use the `http_request` tool to perform a login and then save a post.\n\n**Request Details:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php` (after getting a `post_ID` from `post-new.php`)\n- **Method:** `POST`\n- **Payload (XSS via `id` attribute):**\n `[twittee id='ttt-x\" onmouseover=\"alert(document.domain)\" style=\"display:block;width:100px;height:100px;background:red;\"' tweet='sample']`\n- **Payload (XSS via JS variable):**\n `[twittee tweet='\";alert(\"JS_XSS\");\u002F\u002F']`\n\n### Step 2: Triggering the XSS\nNavigate to the frontend URL of the newly created post.\n\n## 6. Test Data Setup\n1. **User:** Create a user with the `contributor` role.\n - `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2. **Post:** A post must be created containing the malicious shortcode.\n - This can be done via `wp post create` for convenience, but the exploit should demonstrate the ability to do it via HTTP if required.\n\n## 7. Expected Results\n- **HTML Context:** The rendered page should contain: `\u003Cdiv id=\"ttt-x\" onmouseover=\"alert(document.domain)\" ...>`. When a user hovers over the resulting red box, an alert will fire.\n- **JS Context:** The rendered page should contain a `\u003Cscript>` block resembling:\n ```javascript\n var some_var = \"\";alert(\"JS_XSS\");\u002F\u002F\";\n ```\n- The browser should execute the injected `alert()` calls.\n\n## 8. Verification Steps\n1. **Check Post Content:** Verify the shortcode was saved correctly.\n - `wp post get \u003CID> --field=post_content`\n2. **Verify HTML Output:** Use the `http_request` tool to fetch the post's permalink and check for the unescaped payload.\n - Look for: `onmouseover=\"alert(document.domain)\"`\n - Look for: `\";alert(\"JS_XSS\");\u002F\u002F`\n3. **Browser Execution:** Use `browser_navigate` to the post URL and check for dialogs or console logs.\n\n## 9. Alternative Approaches\n- **Theme\u002FBalloon Attributes:** If the `id` attribute is filtered by some global WordPress security plugin, try the `tweet` or `content` attributes, which are injected into `\u003Cscript>` tags.\n- **Payload Variation:** If double quotes are escaped by `magic_quotes` (rare in modern PHP) or other filters, use a payload that relies on single quotes or no quotes for the JS context:\n `[twittee tweet='"-alert(1)-"']` (if the plugin handles entities poorly) or `[twittee tweet='\\u0022;alert(1)\u002F\u002F']`.\n- **Direct JS Injection:** Since `$tweet` is injected into JS, try: `[twittee tweet='-alert(document.cookie)-']`. If the context is `var t = \"VALUE\";`, the result becomes `var t = \"-alert(document.cookie)-\";`, which is a valid string but not executable. Use `\";alert(1);\"` instead.","The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id', 'tweet', 'content', 'balloon', and 'theme' shortcode attributes. This occurs because the plugin uses extract() to process shortcode attributes and then directly concatenates them into HTML and inline JavaScript blocks without proper sanitization or escaping (e.g., esc_attr and esc_js).","\u002F\u002F In the ttt_twittee_tweeter() function (twittee-text-tweet.php)\n\n\u002F\u002F Extraction of attributes without sanitization\nextract(shortcode_atts(array(\n 'id' => 'ttt-default',\n 'tweet' => '',\n 'content' => '',\n 'balloon' => '',\n 'theme' => ''\n), $atts));\n\n---\n\n\u002F\u002F Injection into HTML attribute context (Approx line 87)\n$output .= '\u003Cdiv id=\"' . $id . '\">\u003C\u002Fdiv>';\n\n---\n\n\u002F\u002F Injection into JavaScript context (Approx lines 93, 101, 117)\n$output .= '\u003Cscript type=\"text\u002Fjavascript\">\n var tweet_text = \"' . $tweet . '\";\n var content_text = \"' . $content . '\";\n var balloon_style = \"' . $balloon . '\";\n var theme_color = \"' . $theme . '\";\n\u003C\u002Fscript>';","--- twittee-text-tweet.php\n+++ twittee-text-tweet.php\n@@ -84,7 +84,7 @@\n- $output .= '\u003Cdiv id=\"' . $id . '\">\u003C\u002Fdiv>';\n+ $output .= '\u003Cdiv id=\"' . esc_attr($id) . '\">\u003C\u002Fdiv>';\n \n $output .= '\u003Cscript type=\"text\u002Fjavascript\">\n- var tweet_text = \"' . $tweet . '\";\n- var content_text = \"' . $content . '\";\n- var balloon_style = \"' . $balloon . '\";\n- var theme_color = \"' . $theme . '\";\n+ var tweet_text = \"' . esc_js($tweet) . '\";\n+ var content_text = \"' . esc_js($content) . '\";\n+ var balloon_style = \"' . esc_js($balloon) . '\";\n+ var theme_color = \"' . esc_js($theme) . '\";\n \u003C\u002Fscript>';","The exploit is executed by an authenticated user with at least Contributor-level permissions who can create or edit posts. 1. The attacker logs into the WordPress dashboard. 2. They create a new post and insert the [twittee] shortcode. 3. To exploit the HTML context, the attacker uses the 'id' attribute to break out of the double quotes and inject an event handler: [twittee id='x\" onmouseover=\"alert(1)\" style=\"display:block;width:100px;height:100px;background:red;\"']. 4. To exploit the JavaScript context, the attacker uses attributes like 'tweet' to break out of the JavaScript string and execute code: [twittee tweet='\";alert(document.domain);\u002F\u002F']. 5. Once the post is saved and viewed by a user (including an administrator), the injected script executes in their browser context.","gemini-3-flash-preview","2026-04-27 13:58:17","2026-04-27 13:58:36",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftwittee-text-tweet\u002Ftags"]