# WP Data Access <= 5.5.63 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode

**CVE-2026-0557**

The WP Data Access plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpda_app' shortcode in all versions up to, and including, 5.5.63 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

*   **Plugin slug:** wp-data-access
*   **Affected versions:** <= 5.5.63
*   **Patched in:** 5.5.64 (1 day to patch)
*   **Severity:** medium (CVSS 3.1 base score 6.4, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N`)
*   **Vulnerability type:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
*   **Published:** 2026-02-13 18:19:08
*   **Updated:** 2026-02-14 06:42:31
*   **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/97ddb0e9-1bb8-48ed-9fa3-d2b5f260263b?source=api-prod
*   **Files changed between 5.5.63 and 5.5.64:**
    *   `WPDataAccess/API/WPDA_API.php`
    *   `WPDataAccess/API/WPDA_Apps.php`
    *   `WPDataAccess/API/WPDA_Table.php`
    *   `WPDataAccess/Dashboard/WPDA_Dashboard.php`
    *   `WPDataAccess/Data_Apps/WPDA_App_Container.php`
    *   `WPDataAccess/Data_Publisher/WPDA_Publisher_Form.php`
    *   `WPDataAccess/Design_Table/WPDA_Design_Table_Form.php`
    *   `WPDataAccess/Plugin_Table_Models/WPDA_App_Container_Model.php`
*   **Source:** vulnerable release 5.5.63 (https://plugins.trac.wordpress.org/browser/wp-data-access/tags/5.5.63, https://downloads.wordpress.org/plugin/wp-data-access.5.5.63.zip); fixed release 5.5.64 (https://plugins.trac.wordpress.org/browser/wp-data-access/tags/5.5.64, https://downloads.wordpress.org/plugin/wp-data-access.5.5.64.zip); all tags: https://plugins.trac.wordpress.org/browser/wp-data-access/tags
*   **Research status:** researched (3 rounds, not verified) by gemini-3-flash-preview, 2026-04-20 23:29:24 to 2026-04-20 23:30:13. The analysis below is model-generated and has not been independently verified.
*   **PoC:** none recorded (no steps, script, video, trace or exploit code; exploit code not gated).

# Vulnerability Research Plan: CVE-2026-0557 (WP Data Access Stored XSS)

## 1. Vulnerability Summary
The **WP Data Access** plugin (versions <= 5.5.63) is vulnerable to **Stored Cross-Site Scripting (XSS)** through the `[wpda_app]` shortcode. The vulnerability exists in the way the plugin handles user-supplied shortcode attributes. Specifically, in `WPDataAccess/Data_Apps/WPDA_App_Container.php`, arbitrary attributes passed to the shortcode are collected into an array and then echoed directly into HTML `data-` attributes using `implode` without being passed through escaping functions like `esc_attr()`. This allows an attacker with Contributor-level permissions (who can use shortcodes) to break out of the HTML attribute and inject malicious `<script>` tags.

## 2. Attack Vector Analysis
*   **Endpoint:** WordPress Post/Page rendering containing the `[wpda_app]` shortcode.
*   **Vulnerable Parameter:** Any arbitrary attribute added to the `[wpda_app]` shortcode (other than the reserved `id` attribute).
*   **Authentication:** Authenticated (Contributor-level or higher).
*   **Preconditions:** A valid "App" must exist in the plugin's database to satisfy the `id` requirement, or one must be created.
*   **Vulnerability Type:** Stored XSS via HTML Attribute Breakout.

## 3

## Research Summary

The WP Data Access plugin is vulnerable to Stored Cross-Site Scripting via its 'wpda_app' shortcode due to insufficient output escaping of user-provided shortcode attributes. Authenticated attackers with Contributor-level access or higher can inject malicious scripts into pages by breaking out of HTML data-attributes, which execute whenever a user views the compromised page.

## Vulnerable Code

```php
// WPDataAccess/Data_Apps/WPDA_App_Container.php lines 149-156
if ( 0 < count( $this->shortcode_args ) ) {
	?>
	data-shortcode_field_name="<?php echo implode( ',', array_keys( $this->shortcode_args ) ); ?>"
	data-shortcode_field_value="<?php echo implode( ',', array_values( $this->shortcode_args ) ); ?>"
	<?php
}
```

Both the attribute names (`array_keys`) and the attribute values (`array_values`) come from the shortcode as typed by the post author, so either `data-` attribute can be broken out of.

## Exploit Outline

The attacker requires Contributor-level permissions or higher to use WordPress shortcodes. They identify a valid App ID (or create one using the plugin's App Builder) and then insert a `[wpda_app]` shortcode into a post or page. By including an arbitrary attribute containing double quotes and an event handler (e.g., `[wpda_app id='1' x='" onmouseover="alert(1)"']`), the attacker can break out of the `data-shortcode_field_value` attribute in the rendered HTML; the attribute name is echoed unescaped into `data-shortcode_field_name` in the same way. When an administrator or visitor interacts with the page (e.g., hovering over the app container), the injected JavaScript executes in their browser context.

## Fix Diff (5.5.64)

```diff
--- a/WPDataAccess/Data_Apps/WPDA_App_Container.php
+++ b/WPDataAccess/Data_Apps/WPDA_App_Container.php
@@ -151,2 +151,2 @@
-						data-shortcode_field_name="<?php echo implode( ',', array_keys( $this->shortcode_args ) ); ?>"
-						data-shortcode_field_value="<?php echo implode( ',', array_values( $this->shortcode_args ) ); ?>"
+						data-shortcode_field_name="<?php echo esc_attr( implode( ',', array_keys( $this->shortcode_args ) ) ); ?>"
+						data-shortcode_field_value="<?php echo esc_attr( implode( ',', array_values( $this->shortcode_args ) ) ); ?>"
```
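Review bot: wrapping both echoes in esc_attr() closes the attribute breakout, but the `implode( ',', ... )` on both lines still makes the data ambiguous for any attribute name or value that itself contains a comma, since the two comma-joined strings give the consumer no way to tell a separator from data; if names and values are read back as parallel lists, consider emitting the whole `$this->shortcode_args` array as one attribute via `esc_attr( wp_json_encode( $this->shortcode_args ) )` instead. Only this hunk is shown here while eight files are listed as changed by the patch, so the other echo sites should be confirmed to apply the same escaping.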
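The following is an added example, not code from the WP Data Access plugin or from the research above: it reproduces the `data-shortcode_*` attribute breakout from the exploit outline using the 5.5.63 output pattern, then re-renders with the 5.5.64 style `esc_attr()` escaping and parses both results the way a browser would. It assumes PHP 8 with ext-dom, a minimal `parse_atts()` stand-in for WordPress's `shortcode_parse_atts()`, an `esc_attr_standin()` for `esc_attr()`, and an illustrative `<div>` wrapper around the two `data-` attributes taken from the vulnerable snippet; the handling of the reserved `id` attribute is assumed, not taken from the plugin. The payload is stored as plain text inside a shortcode rather than as an HTML tag, which is why a Contributor without `unfiltered_html` can still get it past post-save filtering: it only becomes markup when the shortcode is rendered.

```php
<?php
// Added example (not WP Data Access code): reproduces the data-shortcode_* attribute
// breakout and checks that esc_attr()-style escaping closes it.
// Assumptions: parse_atts() stands in for WordPress shortcode_parse_atts(),
// esc_attr_standin() for WordPress esc_attr(), the <div> wrapper is illustrative,
// and the reserved 'id' attribute is assumed to be removed before the join.

declare(strict_types=1);

/** Minimal stand-in for shortcode_parse_atts(): handles key="v", key='v' and key=v. */
function parse_atts(string $text): array
{
    $atts = [];
    $pattern = '/(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*\'([^\']*)\'|(\w+)\s*=\s*([^\s\'"]+)/';
    preg_match_all($pattern, $text, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        if ($m[1] !== '') {            // double-quoted value
            $atts[strtolower($m[1])] = $m[2];
        } elseif ($m[3] !== '') {      // single-quoted value (may contain double quotes)
            $atts[strtolower($m[3])] = $m[4];
        } else {                       // bare value
            $atts[strtolower($m[5])] = $m[6];
        }
    }
    return $atts;
}

/** Stand-in for esc_attr(): encodes &, <, >, " and ' for an HTML attribute value. */
function esc_attr_standin(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

/**
 * Mirrors the vulnerable output: every non-id attribute name and value is comma-joined
 * and written straight into a data- attribute. With $escape = true the 5.5.64 fix
 * (esc_attr around each implode) is applied.
 */
function render_container(array $atts, bool $escape): string
{
    unset($atts['id']); // assumed: 'id' is reserved, the rest become shortcode_args
    $names  = implode(',', array_keys($atts));
    $values = implode(',', array_values($atts));
    if ($escape) {
        $names  = esc_attr_standin($names);
        $values = esc_attr_standin($values);
    }
    return '<div data-shortcode_field_name="' . $names . '"'
         . ' data-shortcode_field_value="' . $values . '"></div>';
}

/** Parses the markup like a browser and returns any on* event-handler attributes found. */
function handler_attributes(string $html): array
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);
    $dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $found = [];
    foreach ($dom->getElementsByTagName('div') as $div) {
        foreach ($div->attributes as $attr) {
            if (str_starts_with($attr->name, 'on')) {
                $found[] = $attr->name . '=' . $attr->value;
            }
        }
    }
    return $found;
}

// Constructed input: the payload from the exploit outline, as a Contributor would type it.
$shortcode = "[wpda_app id='1' x='\" onmouseover=\"alert(1)\"']";
preg_match('/^\[wpda_app\s+(.*)\]$/', $shortcode, $m);
$atts = parse_atts($m[1]);

$vulnerable = render_container($atts, false); // 5.5.63 behaviour: attribute breakout
$fixed      = render_container($atts, true);  // 5.5.64 behaviour: quotes become &quot;

printf("5.5.63 markup: %s\n  handlers: %s\n", $vulnerable,
    implode(', ', handler_attributes($vulnerable)) ?: '(none)');
printf("5.5.64 markup: %s\n  handlers: %s\n", $fixed,
    implode(', ', handler_attributes($fixed)) ?: '(none)');
```

Run it with `php breakout.php`. The unescaped render yields a `<div>` that the HTML parser sees as carrying an `onmouseover` attribute, while the escaped render keeps the whole payload inside `data-shortcode_field_value` as text. The DOM check is the useful part to keep in a regression test: asserting on the raw string only proves what was echoed, whereas parsing it proves what a browser would execute.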