[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fr32IVfaAu3IVFxELGycB0DdLZ2TJ422ks6lJaKV0e-Q":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-2902","wp-meteor-website-speed-optimization-addon-unauthenticated-stored-cross-site-scripting-via-comment","WP Meteor Website Speed Optimization Addon \u003C= 3.4.16 - Unauthenticated Stored Cross-Site Scripting via Comment","The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontend_rewrite' function's 'WPMETEOR[N]WPMETEOR' placeholder content in all versions up to, and including, 3.4.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-meteor",null,"\u003C=3.4.16","3.4.17","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-28 00:00:00","2026-04-29 11:17:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdc92b20a-fb9b-477c-8fe4-68897c1fd07e?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin\u002Fsettings.css.map","backend\u002FEnqueue.php","blocker\u002FFirstInteraction\u002FUltimateReorder.php","composer.json","composer.lock","readme.txt","vendor\u002Fautoload.php","vendor\u002Fcomposer\u002Fautoload_real.php","researched",false,3,"# Research Plan: WP Meteor Unauthenticated Stored XSS via Comment (CVE-2026-2902)\n\n## 1. Vulnerability Summary\nThe **WP Meteor Website Speed Optimization Addon** (versions \u003C= 3.4.16) is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS). The vulnerability exists in the `frontend_rewrite` function within the `UltimateReorder` class. The plugin processes the entire HTML output buffer to \"delay\" scripts by replacing their content with a placeholder string: `WPMETEOR[N]WPMETEOR`.\n\nThe core issue is that the plugin's regex-based parser identifies `\u003Cscript>` tags without verifying their context (e.g., whether they are inside a `\u003Ccode>` tag, a `\u003Ctextarea>`, or an HTML comment). An unauthenticated attacker can post a comment containing a payload that bypasses WordPress's standard `kses` filters (which usually strip `\u003Cscript>` tags) by using specific HTML structures that the plugin's regex misinterprets as a valid script tag. When the plugin \"restores\" or \"processes\" these placeholders, it injects malicious JavaScript into the page.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-comments-post.php` (Standard WordPress comment submission).\n- **Vulnerable Parameter:** `comment` (The body of the comment).\n- **Authentication:** Unauthenticated (PR:N).\n- **Precondition:** The \"Ultimate\" mode (Maximum available speed) must be enabled in WP Meteor","The WP Meteor plugin for WordPress is vulnerable to unauthenticated stored XSS because its script-optimization engine incorrectly identifies script tags inside HTML comments. An attacker can bypass standard comment sanitization by wrapping a malicious script in a comment block, which the plugin then extracts and executes as part of its 'delay' optimization process.","\u002F\u002F blocker\u002FFirstInteraction\u002FUltimateReorder.php lines 101-133\n\nwhile (preg_match('\u002F\u003Cscript\\b[^>]*?>\u002Fis', $buffer, $matches, PREG_OFFSET_CAPTURE, $searchOffset)) {\n    $offset = $matches[0][1];\n    $searchOffset = $offset + 1;\n    if (preg_match('\u002F\u003C\\\u002F\\s*script>\u002Fis', $buffer, $endMatches, PREG_OFFSET_CAPTURE, $matches[0][1])) {\n        $len = $endMatches[0][1] - $matches[0][1] + strlen($endMatches[0][0]);\n        \u002F\u002F $everything = substr($buffer, $matches[0][1], $len);\n        $tag = $matches[0][0];\n        $closingTag = $endMatches[0][0];\n\n        $hasSrc = preg_match('\u002F\\s+src=\u002Fi', $tag);\n        $hasType = preg_match('\u002F\\s+type=\u002Fi', $tag);\n        $shouldReplace = !$hasType || preg_match('\u002F\\s+type=([\\'\"])((application|text)\\\u002F(javascript|ecmascript|html|template)|module)\\1\u002Fi', $tag);\n        $noOptimize = preg_match('\u002Fdata-wpmeteor-nooptimize=\"true\"\u002Fi', $tag);\n        if ($shouldReplace && !$hasSrc) {\n            \u002F\u002F inline script\n            $content = substr($buffer, $matches[0][1] + strlen($matches[0][0]), $endMatches[0][1] - $matches[0][1] - strlen($matches[0][0]));\n            if (!$noOptimize && apply_filters('wpmeteor_exclude', false, $content)) {\n                $tag = preg_replace('\u002F^\u003Cscript\\b\u002Fi', \"\u003Cscript {$EXTRA} data-wpmeteor-nooptimize=\\\"true\\\"\", $tag);\n            }\n            $replacement = $tag . \"WPMETEOR[\" . count($REPLACEMENTS) . \"]WPMETEOR\" . $closingTag;\n            $REPLACEMENTS[] = $content;\n            $buffer = substr_replace($buffer, $replacement, $offset, $len);\n            continue;\n        }\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-meteor\u002F3.4.16\u002Fassets\u002Fcss\u002Fadmin\u002Fsettings.css.map \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-meteor\u002F3.4.17\u002Fassets\u002Fcss\u002Fadmin\u002Fsettings.css.map\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-meteor\u002F3.4.16\u002Fassets\u002Fcss\u002Fadmin\u002Fsettings.css.map\t2025-04-08 17:54:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-meteor\u002F3.4.17\u002Fassets\u002Fcss\u002Fadmin\u002Fsettings.css.map\t2026-02-21 17:46:48.000000000 +0000\n@@ -1,6 +1,6 @@\n {\n   \"version\": 3,\n-  \"sources\": [\"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fvendor\u002Fsettings.css\", \"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fadmin\u002FUsers\u002Fag\u002Fdevelopment\u002Ffastpixel-servers\u002Fpackages\u002Fwp-meteor\u002Fsrc\u002Fcss\u002Fadmin\u002Fsettings.scss\", \"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fadmin\u002F%3Cinput%20css%201RoP21%3E\", \"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fadmin\u002FUsers\u002Fag\u002Fdevelopment\u002Ffastpixel-servers\u002Fpackages\u002Fwp-meteor\u002Fsrc\u002Fcss\u002Fadmin\u002Fcomponents\u002Fultimate.scss\", \"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fadmin\u002FUsers\u002Fag\u002Fdevelopment\u002Ffastpixel-servers\u002Fpackages\u002Fwp-meteor\u002Fsrc\u002Fcss\u002Fadmin\u002Fcomponents\u002Fsimple.scss\", \"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fadmin\u002FUsers\u002Fag\u002Fdevelopment\u002Ffastpixel-servers\u002Fpackages\u002Fwp-meteor\u002Fsrc\u002Fcss\u002Fadmin\u002Fcomponents\u002Ftextarea.scss\", \"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fadmin\u002FUsers\u002Fag\u002Fdevelopment\u002Ffastpixel-servers\u002Fpackages\u002Fwp-meteor\u002Fsrc\u002Fcss\u002Fadmin\u002Fcomponents\u002Fregexp-textarea.scss\"],\n+  \"sources\": [\"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fvendor\u002Fsettings.css\", \"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fadmin\u002FUsers\u002Fag\u002Fdevelopment\u002Ffastpixel-servers\u002Fpackages\u002Fwp-meteor\u002Fsrc\u002Fcss\u002Fadmin\u002Fsettings.scss\", \"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fadmin\u002F%3Cinput%20css%20l6ll68%3E\", \"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fadmin\u002FUsers\u002Fag\u002Fdevelopment\u002Ffastpixel-servers\u002Fpackages\u002Fwp-meteor\u002Fsrc\u002Fcss\u002Fadmin\u002Fcomponents\u002Fultimate.scss\", \"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fadmin\u002FUsers\u002Fag\u002Fdevelopment\u002Ffastpixel-servers\u002Fpackages\u002Fwp-meteor\u002Fsrc\u002Fcss\u002Fadmin\u002Fcomponents\u002Fsimple.scss\", \"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fadmin\u002FUsers\u002Fag\u002Fdevelopment\u002Ffastpixel-servers\u002Fpackages\u002Fwp-meteor\u002Fsrc\u002Fcss\u002Fadmin\u002Fcomponents\u002Ftextarea.scss\", \"..\u002F..\u002F..\u002Fsrc\u002Fcss\u002Fadmin\u002FUsers\u002Fag\u002Fdevelopment\u002Ffastpixel-servers\u002Fpackages\u002Fwp-meteor\u002Fsrc\u002Fcss\u002Fadmin\u002Fcomponents\u002Fregexp-textarea.scss\"],\n   \"sourcesContent\": [\".ui-state-default{display:inline;border-color:#ccc;border-width:1px;border-style:solid;border-bottom-width:0px;padding:12px 0px;background:none repeat scroll 0% 0% #e4e4e4}.ui-tabs-nav{padding-bottom:9px;padding-left:10px;border-bottom:1px solid #ccc}.ui-tabs-anchor,.ui-tabs-anchor:focus{text-decoration:none;font-weight:600;font-size:15px;line-height:24px;color:#7f7f7f;padding:10px;box-shadow:none}.ui-tabs-anchor:hover,.ui-state-active a{color:black}.ui-tabs-active,.ui-tabs-active:hover,.ui-tabs-active:active{color:#000;background:#efefef !important}.metabox-holder .postbox{max-width:100%}.metabox-holder .postbox h3{padding-left:10px}.settings-tab{float:left}.right-column-settings-page{max-width:270px;float:right}\\n\", \"\\n@import '..\u002Fvendor\u002Fsettings.css';\\n\\n@keyframes opacity {\\n  0% {\\n    opacity: 0;\\n  }\\n\\n  50% {\\n    opacity: 1\\n  }\\n\\n  100% {\\n    opacity: 0;\\n  }\\n}\\n\\n#tabs .ui-state-disabled {\\n  opacity: 0.1;\\n}\\n\\n#tabs {\\n  .ui-tabs-nav {\\n    display: flex;\\n    padding-bottom: 0px;\\n\\n    .ui-tabs-tab {\\n      margin-bottom: 0px;\\n    }\\n\\n    .ui-tabs-anchor, .ui-tabs-anchor:focus {\\n      display: block;\\n      width: 100%;\\n      height: 100%;\\n    }\\n\\n  }\\n\\n  .tab { \\n    display: none; \\n    padding: 0 20px;\\n  }\\n\\n  ul.content {\\n    padding-inline-start: 40px;\\n    li {\\n      list-style-type: circle;\\n      margin-left: 8px;\\n    }\\n  }\\n\\n  .answer {\\n    padding-left: 20px;\\n  }\\n\\n}\\n\\n.settings-tab {\\n  float: none;\\n  [dir=\\\"rtl\\\"] & {\\n    direction: ltr;\\n  }\\n}\\n\\n#author {\\n  .row {\\n    display: flex;\\n    flex-direction: row;\\n  }\\n  .author-image img {\\n    width: 20vw;\\n    height: auto;\\n  }\\n  .author-bio {\\n    padding-left: 10px;\\n    width: 70vw;\\n    button {\\n      padding: 2px;\\n    }\\n  }\\n  ul {\\n    padding-inline-start: 1em;\\n    li {\\n      list-style-type: circle;\\n      margin-left: 1em;\\n    }\\n  }\\n}\\n\\n@media screen and (max-width: 414px) {\\n  #tabs {\\n    .ui-tabs-nav {\\n      display: flex;\\n  \\n      .ui-tabs-tab {\\n        writing-mode: vertical-lr;\\n        flex-grow: 1;\\n      }\\n\\n    }\\n  }\\n  #author {\\n    h1 {\\n      text-align: center;\\n    }\\n    .row {\\n      flex-direction: column;\\n    }\\n    .author-image img {\\n      width: 100%;\\n    }\\n  }\\n}\\n\\n.tooltip {\\n  &.__react_component_tooltip {\\n    z-index: 9999;\\n  }\\n  line-height: 1.4em;\\n}\\n\\nsection.banner {\\n  width: 100%;\\n  background-color: #fff;\\n  display: flex;\\n  align-items: center;\\n  border: 1px solid #ccc;\\n  margin-top: 35px;\\n  margin-bottom: 45px;\\n  position: relative;\\n\\n  .image, .line, .button-wrap {\\n    padding: 2px 4px;\\n  }\\n\\n  .image img {\\n    width: 120px;\\n  }\\n\\n  .line {\\n    font-weight: 600;\\n    font-size: 15px;\\n  }\\n}\\n\\n\\n@import '.\u002Fcomponents\u002Fultimate.scss';\\n@import '.\u002Fcomponents\u002Fsimple.scss';\\n@import '.\u002Fcomponents\u002Ftextarea.scss';\\n@import '.\u002Fcomponents\u002Fregexp-textarea.scss';\", ... (truncated)","To exploit this vulnerability, an unauthenticated attacker needs the plugin to be configured in 'Ultimate' (Maximum available speed) mode. The attacker submits a public WordPress comment using a payload like '\u003C!-- \u003Cscript>alert(1)\u003C\u002Fscript> -->'. Because WordPress allows HTML comments, this bypasses standard script-stripping filters (kses). When the plugin generates the page for a visitor, the 'frontend_rewrite' function parses the entire HTML buffer using a regular expression that matches script tags regardless of their context (e.g., within comments). The plugin extracts the JavaScript inside the comment, stores it in an internal execution queue ('REPLACEMENTS'), and replaces the tag with a placeholder. The plugin's frontend JavaScript engine then restores and executes the stored scripts, causing the malicious payload to run in the victim's browser context.","gemini-3-flash-preview","2026-05-04 18:11:58","2026-05-04 18:12:53",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.4.16","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-meteor\u002Ftags\u002F3.4.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-meteor.3.4.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-meteor\u002Ftags\u002F3.4.17","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-meteor.3.4.17.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-meteor\u002Ftags"]