[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDWJxpPqxh2XBi4sPpLHzr_JczGNta_egmsqpXSAUWzo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-24573","visualizer-tables-and-charts-manager-for-wordpress-authenticated-contributor-stored-cross-site-scripting","Visualizer: Tables and Charts Manager for WordPress \u003C 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","visualizer",null,"\u003C4.0.0","4.0.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-20 00:00:00","2026-05-26 19:31:42",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F639410e2-aecd-4545-aa3e-c795c663e8f0?source=api-prod",7,[22,23,24,25,26],"CHANGELOG.md","classes\u002FVisualizer\u002FGutenberg\u002F.eslintrc","classes\u002FVisualizer\u002FGutenberg\u002FBlock.php","classes\u002FVisualizer\u002FGutenberg\u002Fbuild\u002Fblock.css","classes\u002FVisualizer\u002FGutenberg\u002Fbuild\u002Fblock.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-24573 (Visualizer Stored XSS)\n\n## 1. Vulnerability Summary\n**CVE-2026-24573** is a Stored Cross-Site Scripting (XSS) vulnerability in the **Visualizer: Tables and Charts Manager for WordPress** plugin (\u003C 4.0.0). The vulnerability stems from insufficient sanitization of chart configuration or data (labels, tooltips, or manual data entries) when saved by an authenticated user with **Contributor+** permissions. These payloads are subsequently executed in the context of any user (including Administrators) viewing the page where the chart is rendered.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API or AJAX. Based on `Visualizer_Gutenberg_Block`, the plugin registers REST endpoints via `register_rest_endpoints`.\n*   **Action:** Likely a `POST` or `PUT` request to update chart settings or data.\n*   **Vulnerable Parameter:** Chart titles, legend labels, or manual data cells.\n*   **Authentication:** Authenticated, Contributor-level or higher.\n*   **Preconditions:** The plugin must be active, and a contributor must have the ability to create or edit a chart (enabled by default in Gutenberg).\n\n## 3. Code Flow\n1.  **Entry Point:** `Visualizer_Gutenberg_Block::register_rest_endpoints` (registered in `__construct` via `rest_api_init`).\n2.  **Data Handling:** User-provided chart data (manual edit feature added in 3.11.0) or settings are sent via the block editor.\n3.  **Storage:** Data is stored as a Custom Post Type (`visualizer`) or in post meta.\n4.  **Sink:** `Visualizer_Gutenberg_Block::gutenberg_block_callback` (and the underlying rendering engine) retrieves the chart configuration.\n5.  **Rendering:** The frontend script (likely using Google Charts or ChartJS libraries as seen in `block.js`) renders the labels. If labels are not escaped before being passed to the JS library or if the library renders them as HTML, the XSS triggers.\n\n## 4. Nonce Acquisition Strategy\nThe Gutenberg block editor enqueues scripts using `visualizerLocalize`. For REST API requests, WordPress uses the standard `wp-api` nonce.\n\n1.  **Identify Block Script:** The script `visualizer-gutenberg-block` is localized with `visualizerLocalize`.\n2.  **Setup Page:** Create a page as a Contributor containing the `visualizer\u002Fchart` block.\n3.  **Extraction:**\n    *   Navigate to the WordPress dashboard as a Contributor.\n    *   Use `browser_eval` to extract the REST nonce provided by WordPress core for Gutenberg:\n        ```javascript\n        window.wpApiSettings?.nonce\n        ```\n    *   Additionally, check `visualizerLocalize` for specific URLs:\n        ```javascript\n        window.visualizerLocalize?.chartEditUrl\n        ```\n\n## 5. Exploitation Strategy\nThe goal is to inject a script into a chart's configuration that executes when viewed.\n\n### Step 1: Create a Chart (Inferred REST\u002FAJAX)\nVisualizer typically uses a Custom Post Type. We will attempt to create a chart via the REST API.\n\n*   **URL:** `\u002Fwp-json\u002Fvisualizer\u002Fv1\u002Fcharts` (inferred)\n*   **Method:** `POST`\n*   **Headers:** `X-WP-Nonce: [NONCE]`\n*   **Payload (JSON):**\n    ```json\n    {\n      \"title\": \"Test Chart \u003Cimg src=x onerror=alert('XSS_TITLE')>\",\n      \"type\": \"line\",\n      \"data\": [\n        [\"Label\", \"Value\"],\n        [\"\u003Cimg src=x onerror=alert('XSS_DATA')>\", 10]\n      ],\n      \"settings\": {\n        \"legend\": {\"position\": \"top\"}\n      }\n    }\n    ```\n\n### Step 2: Alternative (AJAX)\nIf the REST API is restricted, use the AJAX endpoint identified in `Visualizer_Gutenberg_Block`.\n*   **URL:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `visualizer-create-chart` (found in `createChart` localized variable).\n*   **Parameters:** `action=visualizer-create-chart&...`\n\n### Step 3: Trigger\n1.  Embed the created chart ID into a public post using the shortcode: `[visualizer id=\"[CHART_ID]\"]`.\n2.  Navigate to the post URL as an unauthenticated user or Admin.\n\n## 6. Test Data Setup\n1.  **User:** Create a user with the `contributor` role.\n2.  **Chart Creation:** The contributor creates a new \"Visualizer\" chart.\n3.  **Shortcode Placement:** Contributor creates a post\u002Fpage and adds the Visualizer block or shortcode:\n    ```php\n    wp post create --post_type=page --post_status=publish --post_content='[visualizer id=\"[ID]\"]'\n    ```\n\n## 7. Expected Results\n*   The chart configuration is saved successfully containing the HTML tags.\n*   When the page is viewed, the browser attempts to render the malformed label\u002Ftitle.\n*   An alert box with `XSS_TITLE` or `XSS_DATA` appears, confirming script execution.\n\n## 8. Verification Steps\n1.  **Database Check:** Verify the raw payload in the database.\n    ```bash\n    wp db query \"SELECT post_title, post_content FROM wp_posts WHERE post_type='visualizer' ORDER BY ID DESC LIMIT 1;\"\n    ```\n2.  **HTML Inspection:** Check the frontend source for the unescaped payload.\n    ```bash\n    http_request GET \"http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]\"\n    # Look for: \u003Cimg src=x onerror=...\n    ```\n\n## 9. Alternative Approaches\n*   **JSON Import:** If manual editing is filtered, try the \"Import from JSON\" feature (common in Visualizer). The vulnerability might exist in the parser for imported files.\n*   **ChartJS vs. Google Charts:** The plugin supports multiple libraries. If Google Charts escapes by default, try switching the library to `chartjs` (mentioned in `CHANGELOG.md` version 3.11.0) via the `settings` payload.\n*   **Attribute Injection:** Instead of a full `\u003Cscript>` tag, try breaking out of a JSON string in a script block if the plugin reflects settings into a `var visualizerConfig = {...}` block.","The Visualizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 4.0.0. Authenticated attackers with Contributor-level access or higher can inject malicious scripts into chart settings or manual data entries, which are then executed in the context of any user viewing the chart.","\u002F\u002F classes\u002FVisualizer\u002FGutenberg\u002FBlock.php:285\n\t\tregister_rest_route(\n\t\t\t'visualizer\u002Fv' . VISUALIZER_REST_VERSION,\n\t\t\t'\u002Fupdate-chart',\n\t\t\tarray(\n\t\t\t\t'methods'  => 'POST',\n\t\t\t\t'callback' => array( $this, 'update_chart_data' ),\n\t\t\t\t'args'     => array(\n\t\t\t\t\t'id' => array(\n\t\t\t\t\t\t'sanitize_callback' => 'absint',\n\t\t\t\t\t),\n\t\t\t\t),\n\t\t\t\t'permission_callback' => function () {\n\t\t\t\t\treturn current_user_can( 'edit_posts' );\n\t\t\t\t},\n\t\t\t)\n\t\t);\n\n---\n\n\u002F\u002F classes\u002FVisualizer\u002FGutenberg\u002FBlock.php:655\n\tpublic function update_chart_data( $data ) {\n\t\tif ( ! current_user_can( 'edit_posts' ) ) {\n\t\t\treturn false;\n\t\t}\n\n\t\tif ( $data['id'] && ! is_wp_error( $data['id'] ) ) {\n\t\t\tif ( get_post_type( $data['id'] ) !== Visualizer_Plugin::CPT_VISUALIZER ) {\n\t\t\t\treturn new WP_Error( 'invalid_post_type', 'Invalid post type.' );\n\t\t\t}\n\t\t\t$chart_type = sanitize_text_field( $data['visualizer-chart-type'] );\n\t\t\t$source_type = sanitize_text_field( $data['visualizer-source'] );\n\t\t\t$default_data  = (int) $data['visualizer-default-data'];\n\t\t\t$series_data   = map_deep( $data['visualizer-series'], array( $this, 'sanitize_value' ) );\n\t\t\t$settings_data = map_deep( $data['visualizer-settings'], array( $this, 'sanitize_value' ) );\n\n\t\t\tupdate_post_meta( $data['id'], Visualizer_Plugin::CF_CHART_TYPE, $chart_type );\n\t\t\tupdate_post_meta( $data['id'], Visualizer_Plugin::CF_SOURCE, $source_type );\n\t\t\tupdate_post_meta( $data['id'], Visualizer_Plugin::CF_DEFAULT_DATA, $default_data );\n\t\t\tupdate_post_meta( $data['id'], Visualizer_Plugin::CF_SERIES, $series_data );\n\t\t\tupdate_post_meta( $data['id'], Visualizer_Plugin::CF_SETTINGS, $settings_data );","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fvisualizer\u002F3.11.15\u002Fclasses\u002FVisualizer\u002FGutenberg\u002FBlock.php\t2026-03-04 16:13:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fvisualizer\u002F4.0.0\u002Fclasses\u002FVisualizer\u002FGutenberg\u002FBlock.php\t2026-03-31 13:30:52.000000000 +0000\n@@ -284,117 +284,6 @@\n \t\tregister_rest_route(\n \t\t\t'visualizer\u002Fv' . VISUALIZER_REST_VERSION,\n-\t\t\t'\u002Fupdate-chart',\n-\t\t\tarray(\n-\t\t\t\t'methods'  => 'POST',\n-\t\t\t\t'callback' => array( $this, 'update_chart_data' ),\n-\t\t\t\t'args'     => array(\n-\t\t\t\t\t'id' => array(\n-\t\t\t\t\t\t'sanitize_callback' => 'absint',\n-\t\t\t\t\t),\n-\t\t\t\t),\n-\t\t\t\t'permission_callback' => function () {\n-\t\t\t\t\treturn current_user_can( 'edit_posts' );\n-\t\t\t\t},\n-\t\t\t)\n-\t\t);\n-","An attacker with Contributor-level access or higher can exploit this vulnerability by submitting a malicious payload to the `\u002Fwp-json\u002Fvisualizer\u002Fv1\u002Fupdate-chart` REST API endpoint. The payload should target chart metadata or data fields, such as `visualizer-settings` or `visualizer-series`. For example, a POST request with the chart ID and a JSON payload containing `{\"visualizer-settings\": {\"title\": \"\u003Cscript>alert('XSS')\u003C\u002Fscript>\"}}` can be sent using a valid WordPress REST API nonce. Once saved, the script will execute whenever an administrator or another user views the post or page where the specific chart is embedded.","gemini-3-flash-preview","2026-06-04 22:45:46","2026-06-04 22:47:24",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","3.11.15","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvisualizer\u002Ftags\u002F3.11.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvisualizer.3.11.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvisualizer\u002Ftags\u002F4.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvisualizer.4.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvisualizer\u002Ftags"]