[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_EnK0IBnQbDwYzBOGhrWr9awEsFtmsBjZ9op-1yn_Ho":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"source_links":33},"CVE-2026-4479","wholesale-products-dynamic-pricing-management-woocommerce-authenticated-administrator-stored-cross-site-scripting-via-pl","WholeSale Products Dynamic Pricing Management WooCommerce \u003C= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings","The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","wholesale-products-dynamic-pricing-management-woocommerce",null,"\u003C=1.2","1.3.0","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-13 15:13:22","2026-04-14 03:37:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6b0382e2-e029-4e19-981c-6dc570e182f0?source=api-prod",1,[],"researched",false,3,"This research plan focuses on **CVE-2026-4479**, a Stored Cross-Site Scripting (XSS) vulnerability in the \"WholeSale Products Dynamic Pricing Management WooCommerce\" plugin. \n\n---\n\n### 1. Vulnerability Summary\nThe **WholeSale Products Dynamic Pricing Management WooCommerce** plugin (versions \u003C= 1.2) fails to sanitize and escape input saved within its administrative settings. Specifically, settings related to wholesale pricing labels or display messages are stored in the WordPress `options` table and subsequently rendered on both the administrative dashboard and potentially the frontend product pages without passing through security filters like `esc_html()`, `esc_attr()`, or `wp_kses()`.\n\nThis allows an authenticated user with Administrator privileges to inject arbitrary JavaScript. While Administrators usually have the `unfiltered_html` capability, this vulnerability is critical in **WordPress Multisite** environments (where only Super Admins have `unfiltered_html`) or in hardened environments where this capability is explicitly disabled.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The plugin settings page, typically located at `\u002Fwp-admin\u002Fadmin.php?page=wholesale-products-pricing-management` (inferred slug).\n*   **Vulnerable Parameters:** Administrative fields such as \"Wholesale Price Label\", \"Text for Non-Wholesale Users\", or \"Pricing Table Header\".\n*   **Authentication:** Administrator-level account is required.\n*   **Precondition:** The site must be a Multisite installation OR have `define( 'DISALLOW_UNFILTERED_HTML', true );` in `wp-config.php`.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The Administrator navigates to the plugin settings page.\n2.  **Processing (Store):** A `POST` request is sent to `options.php` (if using the Settings API) or a custom handler hooked to `admin_init`.\n3.  **Data Sink (Database):** The plugin calls `update_option()` or `update_post_meta()` without using `sanitize_text_field()` or `wp_kses()` on the input.\n4.  **Retrieval (Source):** When the settings page or a product page is loaded, the plugin calls `get_option()`.\n5.  **Output (Sink):** The retrieved value is echoed directly into the HTML:\n    ```php\n    \u002F\u002F Vulnerable Pattern\n    $label = get_option('wholesale_price_label');\n    echo '\u003Cspan class=\"label\">' . $label . '\u003C\u002Fspan>'; \u002F\u002F XSS Sink\n    ```\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely uses the standard WordPress Settings API or a custom form with `wp_nonce_field`.\n\n1.  **Identify the Page:** Navigate to the plugin settings page: `\u002Fwp-admin\u002Fadmin.php?page=wholesale-products-dynamic-pricing-management-woocommerce` (Slug needs verification via `wp plugin list`).\n2.  **Navigate and Extract:**\n    *   Use `browser_navigate` to reach the settings page.\n    *   The Settings API uses a nonce field usually named `_wpnonce`.\n    *   **Action String:** If it's a standard settings page, the action is often the option group name.\n3.  **Extraction Command:**\n    ```javascript\n    \u002F\u002F To be used with browser_eval\n    document.querySelector('input[name=\"_wpnonce\"]')?.value || \n    document.querySelector('#_wpnonce')?.value;\n    ```\n\n### 5. Exploitation Strategy\nThe goal is to inject a stored XSS payload into a setting field and verify its execution.\n\n**Step 1: Locate the Settings Form**\nAccess the admin page and identify the input fields. Common WooCommerce wholesale plugin options include `wholesale_label` or `wholesale_price_text`.\n\n**Step 2: Submit the Payload**\nSubmit a `POST` request to the settings handler.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions.php` (Standard for Settings API)\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```text\n    option_page=wholesale_pricing_settings_group&\n    action=update&\n    _wpnonce=[EXTRACTED_NONCE]&\n    wholesale_price_label=Wholesale\u003Cscript>alert(document.domain)\u003C\u002Fscript>&\n    submit=Save+Changes\n    ```\n\n**Step 3: Trigger the XSS**\nNavigate to either:\n1.  The plugin settings page itself (Admin XSS).\n2.  A product page on the frontend where the wholesale price is displayed (Frontend XSS).\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `wholesale-products-dynamic-pricing-management-woocommerce` v1.2 is installed and active.\n2.  **Hardening:** Add `define( 'DISALLOW_UNFILTERED_HTML', true );` to `wp-config.php` to ensure even the Administrator is subject to sanitization checks (which the plugin fails to implement).\n3.  **WooCommerce Setup:** Ensure at least one product exists so the wholesale label can be rendered on the frontend.\n\n### 7. Expected Results\n*   **Storage:** The database should contain the raw `\u003Cscript>` tag in the `wp_options` table.\n*   **Execution:** When viewing the page, the browser should execute the script, appearing as a JavaScript alert or a failed resource load (if using a more complex payload).\n*   **HTTP Response:** The `POST` request should return a `302` redirect back to the settings page with `settings-updated=true`.\n\n### 8. Verification Steps\nAfter the `http_request`, use `wp-cli` to confirm the injection:\n\n```bash\n# Check if the option value contains the payload\nwp option get wholesale_price_label --allow-root\n\n# Check if the output on the frontend is escaped\n# (Should return the raw tag if vulnerable)\ncurl -s http:\u002F\u002Flocalhost:8080\u002Fproduct\u002Ftest-product\u002F | grep \"\u003Cscript>alert\"\n```\n\n### 9. Alternative Approaches\nIf the plugin does not use `options.php` but a custom AJAX handler:\n1.  **Grep for AJAX:** `grep -r \"wp_ajax_\"` in the plugin directory.\n2.  **Target Action:** Look for actions like `save_wholesale_settings`.\n3.  **New Strategy:**\n    *   Obtain nonce from a JS variable (e.g., `window.wholesale_admin?.nonce`).\n    *   Send `POST` to `admin-ajax.php` with `action=save_wholesale_settings` and the payload.\n\nIf the XSS is only in the **Admin** area:\n*   Focus on the `admin_notices` hook or the form's `value` attribute:\n    `wholesale_price_label=\">\u003Cscript>alert(1)\u003C\u002Fscript>` (Attribute breakout).","The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via administrative settings in versions up to 1.2. This vulnerability allows authenticated administrators to inject arbitrary JavaScript into settings like wholesale labels, which then executes when viewed on both the admin dashboard and frontend product pages.","\u002F\u002F Inferred vulnerability in settings rendering (e.g., admin\u002Fsettings-display.php)\n$wholesale_label = get_option('wholesale_price_label');\necho '\u003Cinput type=\"text\" name=\"wholesale_price_label\" value=\"' . $wholesale_label . '\">'; \u002F\u002F Vulnerable input value echo\n\n---\n\n\u002F\u002F Inferred vulnerability in frontend display (e.g., public\u002Fproduct-display.php)\n$label = get_option('wholesale_price_label');\necho '\u003Cspan class=\"wholesale-label\">' . $label . '\u003C\u002Fspan>'; \u002F\u002F Vulnerable output sink","--- a\u002Fadmin\u002Fsettings-display.php\n+++ b\u002Fadmin\u002Fsettings-display.php\n@@ -10,1 +10,1 @@\n-echo '\u003Cinput type=\"text\" name=\"wholesale_price_label\" value=\"' . $wholesale_label . '\">';\n+echo '\u003Cinput type=\"text\" name=\"wholesale_price_label\" value=\"' . esc_attr($wholesale_label) . '\">';\n\n--- a\u002Fpublic\u002Fproduct-display.php\n+++ b\u002Fpublic\u002Fproduct-display.php\n@@ -25,1 +25,1 @@\n-echo '\u003Cspan class=\"wholesale-label\">' . $label . '\u003C\u002Fspan>';\n+echo '\u003Cspan class=\"wholesale-label\">' . esc_html($label) . '\u003C\u002Fspan>';","1. Login to the WordPress administrative dashboard as a user with Administrator privileges.\n2. Navigate to the plugin settings page (typically via a 'Wholesale Pricing' menu entry).\n3. Locate a text input field such as 'Wholesale Price Label' or 'Price Text'.\n4. Inject a malicious payload into the field, such as: \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>.\n5. Save the settings to commit the payload to the WordPress database (wp_options table).\n6. Trigger the XSS by navigating back to the settings page or by viewing any product page on the frontend where the wholesale pricing label is displayed.","gemini-3-flash-preview","2026-04-16 15:57:14","2026-04-16 15:57:38",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwholesale-products-dynamic-pricing-management-woocommerce\u002Ftags"]