[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnstILvQRyGcGoZG5HX-cLcJLlS1XNawQluvlC2G5O6E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2025-12037","wp-404-auto-redirect-authenticated-admin-stored-cross-site-scripting","WP 404 Auto Redirect \u003C= 1.0.5 - Authenticated (Admin+) Stored Cross-Site Scripting","The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.","wp-404-auto-redirect-to-similar-post",null,"\u003C=1.0.5","1.0.6","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-17 16:29:12","2026-02-18 04:35:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc20059de-9d81-4318-a015-8e402945828c?source=api-prod",1,[22,23,24,25],"class\u002Fclass-settings.php","includes\u002Fadmin.php","readme.txt","wp-404-auto-redirect-similar-post.php","researched",false,3,"# Exploitation Research Plan - CVE-2025-12037\n\n## 1. Vulnerability Summary\nThe **WP 404 Auto Redirect to Similar Post** plugin (\u003C= 1.0.5) is vulnerable to **Stored Cross-Site Scripting (XSS)** via its administrative settings. The vulnerability exists because the plugin registers a settings group but fails to adequately sanitize the input in its `sanitize_callback` and fails to escape the stored values when rendering them on the admin settings page. Specifically, the `sanitize_setting` function in `includes\u002Fadmin.php` only validates the `fallback['url']` field, leaving all other settings fields (such as exclusion rules) vulnerable to injection. This allows an authenticated administrator to inject arbitrary scripts that execute when any administrator views the plugin's settings page, especially in environments where `unfiltered_html` is disabled (like WordPress Multi-site).\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Foptions.php` (The standard WordPress Settings API handler).\n- **Vulnerable Parameter**: `wp404arsp_settings[rules][exclude][post_meta]` (or other keys within the `wp404arsp_settings` array).\n- **Authentication Level**: Administrator (High privilege).\n- **Precondition**: The site must have `unfiltered_html` disabled (standard on Multi-site or via `DISALLOW_UNFILTERED_HTML` in `wp-config.php`) for this to be considered a vulnerability rather than a feature.\n- **Payload**: `\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>`\n\n## 3. Code Flow\n1. **Registration**: In `includes\u002Fadmin.php`, the function `admin_settings()` (hooked to `admin_init`) calls `register_setting('wp404arsp_settings', 'wp404arsp_settings', ...)` with `sanitize_callback` set to `sanitize_setting`.\n2. **Weak Sanitization**: The `sanitize_setting($settings)` function in `includes\u002Fadmin.php` only performs:\n   ```php\n   $settings['fallback']['url'] = sanitize_url($settings['fallback']['url']);\n   return $settings;\n   ```\n   All other nested keys in the `$settings` array (like `rules`, `exclude`, `post_meta`) are returned to the database without any filtering.\n3. **Retrieval**: When an admin visits the settings page, `admin_page()` calls `wp404arsp_settings_get()` (defined in `class\u002Fclass-settings.php`).\n4. **Unescaped Output**: The `WP_404_Auto_Redirect_Settings::get()` function retrieves the option and only escapes the fallback URL using `esc_url`. Other fields remain raw.\n5. **Sink**: While the truncation in `admin.php` obscures the exact HTML for the `post_meta` field, it follows the pattern of the `debug` checkbox. The values are echoed into HTML attributes of inputs (likely text inputs for \"Exclude Meta\") without using `esc_attr()`.\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability is in the WordPress Settings API. 
To exploit it, a valid `_wpnonce` for the `wp404arsp_settings-options` action is required.\n\n1. **Navigate**: Use `browser_navigate` to reach the plugin settings page: `\u002Fwp-admin\u002Foptions-general.php?page=wp-404-auto-redirect`.\n2. **Extract**: Since the page uses `settings_fields('wp404arsp_settings')`, a hidden field named `_wpnonce` is generated within the settings form.\n3. **Command**:\n   ```javascript\n   browser_eval(\"document.querySelector('input[name=\\\"_wpnonce\\\"]').value\")\n   ```\n   This retrieves the nonce directly from the DOM in the correct session context.\n\n## 5. Exploitation Strategy\n### Step 1: Authentication and Setup\n- Log in to the WordPress instance as an administrator.\n- (Optional but recommended for PoC) Ensure `define('DISALLOW_UNFILTERED_HTML', true);` is set in `wp-config.php`.\n\n### Step 2: Nonce Retrieval\n- Navigate to the settings page: `\u002Fwp-admin\u002Foptions-general.php?page=wp-404-auto-redirect`.\n- Use `browser_eval` to extract the `_wpnonce` value.\n\n### Step 3: Injection Request\n- Send a POST request to `\u002Fwp-admin\u002Foptions.php` using the `http_request` tool.\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```text\n  option_page=wp404arsp_settings\n  &action=update\n  &_wpnonce=[EXTRACTED_NONCE]\n  &wp404arsp_settings[rules][exclude][post_meta]=%22%3E%3Cscript%3Ealert%28window.origin%29%3C%2Fscript%3E\n  &wp404arsp_settings[priority]=999\n  &wp404arsp_settings[method]=301\n  ```\n  *(Note: Include other default settings to ensure the array structure remains valid).*\n\n### Step 4: Trigger XSS\n- Navigate back to `\u002Fwp-admin\u002Foptions-general.php?page=wp-404-auto-redirect`.\n- Observe the script execution (the `alert` will trigger).\n\n## 6. Test Data Setup\n1. **Plugin Installation**: Install and activate `wp-404-auto-redirect-to-similar-post` version 1.0.5.\n2. **User**: Create or use an existing Administrator account.\n3. 
**Environment**: If testing on a standard single-site install, add `define( 'DISALLOW_UNFILTERED_HTML', true );` to `wp-config.php` to simulate the restricted environment where the vulnerability is most relevant.\n\n## 7. Expected Results\n- The POST request to `options.php` should return a `302 Found` redirect back to the settings page with a `settings-updated=true` parameter.\n- The `wp404arsp_settings` option in the `wp_options` table will now contain the raw HTML payload in the `[rules][exclude][post_meta]` key.\n- Upon loading the settings page, the browser will execute the injected `\u003Cscript>` because the value is echoed inside an input attribute like `value=\"...\"` without `esc_attr()`, allowing the payload to break out of the attribute.\n\n## 8. Verification Steps\n- **WP-CLI Verification**:\n  ```bash\n  wp option get wp404arsp_settings --format=json\n  ```\n  Verify that the `rules -> exclude -> post_meta` value contains the raw `\u003Cscript>` tag.\n- **DOM Verification**: Inspect the HTML source of the settings page and look for the injected string:\n  ```html\n  \u003Cinput ... value=\"\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>\" ...>\n  ```\n\n## 9. Alternative Approaches\n- **Payload Variance**: If `post_meta` is not easily accessible in the UI, try injecting into `wp404arsp_settings[rules][exclude][term_meta]` or `wp404arsp_settings[priority]`. Even if `priority` is cast to an integer during its use in `template_redirect`, it may be rendered as a string in the admin form.\n- **Tab Selection**: The plugin uses a tabbed interface. The payload might be hidden in the \"Post Types\" or \"Taxonomies\" tab. Use `browser_eval(\"jQuery('a[href=\\\"#settings\\\"]').click()\")` or similar to ensure the correct tab is visible if the browser doesn't execute the script immediately.","The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its administrative settings in versions up to 1.0.5. 
This occurs because the plugin fails to sanitize all keys in the settings array upon saving and fails to escape them when rendering the settings page, allowing administrators to inject malicious scripts.","\u002F* File: includes\u002Fadmin.php (~line 64) *\u002F\n    function sanitize_setting($settings){\n        \n        $settings['fallback']['url'] = sanitize_url($settings['fallback']['url']);\n        \n        return $settings;\n        \n    }\n\n---\n\n\u002F* File: class\u002Fclass-settings.php (~line 79) *\u002F\n        \u002F\u002F Esc Fallback\n        $settings['fallback']['url'] = esc_url($settings['fallback']['url']);\n        \n        \u002F\u002F Headers\n        if(((int)$settings['method'] != 301) && ((int)$settings['method'] != 302)){\n            $settings['method'] = 301;\n        }\n        \n        \u002F\u002F Return\n        return $settings;","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-404-auto-redirect-to-similar-post\u002F1.0.5\u002Fclass\u002Fclass-settings.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-404-auto-redirect-to-similar-post\u002F1.0.6\u002Fclass\u002Fclass-settings.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-404-auto-redirect-to-similar-post\u002F1.0.5\u002Fclass\u002Fclass-settings.php\t2024-02-04 12:33:34.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-404-auto-redirect-to-similar-post\u002F1.0.6\u002Fclass\u002Fclass-settings.php\t2025-11-21 04:49:58.000000000 +0000\n@@ -79,6 +79,9 @@\n         \u002F\u002F Esc Fallback\n         $settings['fallback']['url'] = esc_url($settings['fallback']['url']);\n         \n+        \u002F\u002F Esc Priority\n+        $settings['priority'] = (int) $settings['priority'];\n+        \n         \u002F\u002F Headers\n         if(((int)$settings['method'] != 301) && ((int)$settings['method'] != 302)){\n    
         $settings['method'] = 301;\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-404-auto-redirect-to-similar-post\u002F1.0.5\u002Fincludes\u002Fadmin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-404-auto-redirect-to-similar-post\u002F1.0.6\u002Fincludes\u002Fadmin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-404-auto-redirect-to-similar-post\u002F1.0.5\u002Fincludes\u002Fadmin.php\t2024-02-04 12:33:34.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-404-auto-redirect-to-similar-post\u002F1.0.6\u002Fincludes\u002Fadmin.php\t2025-11-21 04:49:58.000000000 +0000\n@@ -64,6 +64,7 @@\n     function sanitize_setting($settings){\n         \n         $settings['fallback']['url'] = sanitize_url($settings['fallback']['url']);\n+        $settings['priority'] = (int) $settings['priority'];\n         \n         return $settings;","The exploit targets the WordPress Settings API by submitting a malicious payload into the plugin's configuration. An authenticated administrator first retrieves a valid CSRF nonce from the plugin's settings page at \u002Fwp-admin\u002Foptions-general.php?page=wp-404-auto-redirect. They then send a POST request to \u002Fwp-admin\u002Foptions.php including the nonce and the payload inside the wp404arsp_settings[rules][exclude][post_meta] or wp404arsp_settings[priority] parameters. The payload, such as a script tag designed to break out of an HTML attribute, is stored in the database. 
The XSS triggers whenever an administrator subsequently visits the plugin settings page, as the stored value is rendered without proper attribute escaping.","gemini-3-flash-preview","2026-04-19 06:44:16","2026-04-19 06:45:00",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.0.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-404-auto-redirect-to-similar-post\u002Ftags\u002F1.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-404-auto-redirect-to-similar-post.1.0.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-404-auto-redirect-to-similar-post\u002Ftags\u002F1.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-404-auto-redirect-to-similar-post.1.0.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-404-auto-redirect-to-similar-post\u002Ftags"]
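Review bot: In the `class/class-settings.php` hunk (@@ -79,6 +79,9), the new `(int)` cast reads `$settings['priority']` without checking that the key exists, so a stored option that lacks it raises a PHP warning and silently becomes 0. Guard it with `isset()` and fall back to the plugin's default priority. The comment `// Esc Priority` is also misleading, since this is type normalisation rather than output escaping. Nothing in this hunk escapes the remaining values returned by `get()`; only `fallback['url']`, `priority` and `method` are normalised here, so every other field still depends on `esc_attr()` or an equivalent being applied where the settings form is rendered, which should be confirmed in `includes/admin.php`.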
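Review bot: In the `includes/admin.php` hunk (@@ -64,6 +64,7), `sanitize_setting()` still ends with `return $settings;` after touching only `fallback['url']` and `priority`, so every other nested key submitted under `wp404arsp_settings` reaches the database unfiltered. Build the return value from an allow-list of expected keys and sanitise each by type, or at minimum run the remaining values through `map_deep( $settings, 'sanitize_text_field' )` before returning. The added line also assumes `$settings` is an array containing `priority`; add an `is_array()` / `isset()` guard so a malformed submission does not raise a warning or store an unintended 0.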