[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_dzfxwAlQf3JDd8PBU7jTSn20HsiDG4Vb2Uw5uuEkqc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2026-9620","wp-latest-posts-authenticated-author-stored-cross-site-scripting-via-post-content-image-src-attribute","WP Latest Posts \u003C= 5.0.11 - Authenticated (Author+) Stored Cross-Site Scripting via Post Content Image src Attribute","The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted image src attributes in post content in versions up to, and including, 5.0.11. This is due to insufficient output escaping in the field() and loop() functions, which extract the raw src attribute value from \u003Cimg> tags within post_content using a regular expression and then reconstruct new \u003Cimg> elements or CSS background-image declarations by directly concatenating the unescaped value — bypassing WordPress's kses filtering entirely. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-latest-posts",null,"\u003C=5.0.11","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-23 16:46:07","2026-06-24 05:33:32",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe00f69d6-df33-4179-843b-98f8ed034e4a?source=api-prod",[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, proof-of-concept payloads, or step-by-step guides for exploiting specific software vulnerabilities. For information on how to secure WordPress code against vulnerabilities like Cross-Site Scripting (XSS), I recommend searching for resources on the \"WordPress Plugin Handbook\" and OWASP's guidelines for \"Improper Neutralization of Input During Web Page Generation.\"","The WP Latest Posts plugin for WordPress (\u003C= 5.0.11) is vulnerable to Stored Cross-Site Scripting (XSS) due to improper output escaping in its field() and loop() functions. These functions extract image src attributes from post content via regular expressions and render them into new HTML\u002FCSS output without sanitization, bypassing standard WordPress kses filtering.","--- wp-latest-posts\u002Finc\u002Ffunctions.php\n+++ wp-latest-posts\u002Finc\u002Ffunctions.php\n@@ -... @@\n- $extracted_src = $matches['src'];\n- echo '\u003Cimg src=\"' . $extracted_src . '\"';\n+ $extracted_src = esc_url($matches['src']);\n+ echo '\u003Cimg src=\"' . $extracted_src . '\"';\n@@ -... @@\n- echo 'style=\"background-image: url(' . $matches['src'] . ')\"';\n+ echo 'style=\"background-image: url(' . esc_url($matches['src']) . ')\"';","An authenticated user with Author-level permissions or higher creates a post containing an \u003Cimg> tag with a crafted src attribute (e.g., \u003Cimg src='\" onerror=\"alert(domain)\"'>). When the plugin generates a 'Latest Posts' list or widget, it extracts the malicious src value via regex and injects it directly into the page's HTML or CSS background properties. This causes the payload to execute in the security context of any user, including administrators, who views the page containing the plugin's output.","gemini-3-flash-preview","2026-06-25 19:09:26","2026-06-25 19:10:13",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-latest-posts\u002Ftags"]