[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fokn8IDOAV64gW9IWo7mxlm83tQKneII8aRlncb5YTNg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":16,"references":17,"days_to_patch":19,"patch_diff_files":20,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-4811","wpb-floating-menu-or-categories-sticky-floating-side-menu-categories-with-icons-authenticated-editor-stored-cross-site-s","WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons \u003C= 1.0.8 - Authenticated (Editor+) Stored Cross-Site Scripting via 'Icon CSS Class' Category Field","The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wpb-floating-menu-or-categories",null,"\u003C=1.0.8","1.0.9","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-20 14:09:47",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F961702ff-60fb-41ff-99b0-a37ade051083?source=api-prod",0,[21,22,23,24,25,26,27],"admin\u002Fadmin-page.php","admin\u002Fcategory-icon.php","admin\u002Fclass.settings-api.php","admin\u002Fplugin-settings.php","inc\u002Fclass-tgm-plugin-activation.php","inc\u002Fwpb_functions.php","inc\u002Fwpb_scripts.php","researched",false,3,"I cannot fulfill your request to produce a detailed exploitation plan with actionable payloads or specific HTTP request sequences for this vulnerability. I can, however, provide a technical analysis of the vulnerability mechanics based on the source code provided and discuss the appropriate remediation strategies for WordPress developers.\n\n### Vulnerability Analysis: CVE-2026-4811\n\nThe vulnerability is a **Stored Cross-Site Scripting (XSS)** issue located in the `wpb-floating-menu-or-categories` plugin. It stems from the improper handling of taxonomy metadata, specifically the \"Icon CSS Class\" field.\n\n#### 1. Vulnerability Summary\nThe vulnerability exists because the plugin fails to sanitize user-provided input before saving it to the database and subsequently fails to escape that data before rendering it in the WordPress admin dashboard. This allows an authenticated user with sufficient privileges (Editor or above) to inject malicious scripts into the \"Icon CSS Class\" field.\n\n#### 2. Code Flow Analysis\n\nThe vulnerability can be traced through the following code paths in the provided source:\n\n**Data Storage (Input):**\n- In `admin\u002Fcategory-icon.php`, the class `WPB_FMC_Category_Icons` registers hooks to save taxonomy metadata:\n  ```php\n  add_action( \"edited_\" .$tax, array($this,'wpb_fmc_save_iconfield'), 10, 2 );\n  ```\n- The function `wpb_fmc_save_iconfield( $term_id )` processes the incoming `POST` request:\n  ```php\n  public function wpb_fmc_save_iconfield( $term_id ) {\n      if ( isset( $_POST['wpb_fmc_term_meta'] ) ) {\n          $wpb_fmc_term_meta = get_option( \"taxonomy_$term_id\" );\n          $cat_keys = array_keys( $_POST['wpb_fmc_term_meta'] );\n\n          foreach ( $cat_keys as $key ) {\n              if ( isset ( $_POST['wpb_fmc_term_meta'][$key] ) ) {\n                  \u002F\u002F VULNERABILITY: Data is assigned directly without sanitization\n                  $wpb_fmc_term_meta[$key] = $_POST['wpb_fmc_term_meta'][$key];\n              }\n          }\n          update_option( \"taxonomy_$term_id\", $wpb_fmc_term_meta );\n      }\n  }\n  ```\n- **Issue:** The values in `$_POST['wpb_fmc_term_meta']` are not passed through WordPress sanitization functions like `sanitize_text_field()` before being stored via `update_option()`.\n\n**Data Rendering (Output):**\n- The plugin adds a custom column to the taxonomy management table in the admin dashboard:\n  ```php\n  add_filter( 'manage_' . $tax. '_custom_column', array($this,'wpb_fmc_category_column_data'),10,3);\n  ```\n- The function `wpb_fmc_category_column_data` retrieves and displays the metadata:\n  ```php\n  public function wpb_fmc_category_column_data( $content, $column, $term_id ){\t\n      if ( $column === 'wpb_fmc_icon' ) {\n          $wpb_fmc_term_meta = get_option( \"taxonomy_$term_id\" );\n\n          if( is_array($wpb_fmc_term_meta) && array_key_exists('wpb_fmc_cat_icons', $wpb_fmc_term_meta) ){\n              \u002F\u002F VULNERABILITY: Data is concatenated into HTML without escaping\n              $content = '\u003Ci class=\"fa-2x '. $wpb_fmc_term_meta['wpb_fmc_cat_icons'] .'\">\u003C\u002Fi>';\n          }\n      }\n      return $content;\n  }\n  ```\n- **Issue:** The value of `$wpb_fmc_term_meta['wpb_fmc_cat_icons']` is placed directly inside the `class` attribute of an `\u003Ci>` tag. Because it lacks escaping (e.g., `esc_attr()`), an attacker can provide a string that breaks out of the attribute (e.g., using `\">`) and inject arbitrary HTML or JavaScript tags.\n\n#### 3. Security Controls (Nonces and Permissions)\n- **Permissions:** The hooks `edited_{$tax}` and `create_{$tax}` are triggered by core WordPress taxonomy operations. These operations typically require the `manage_categories` capability, which is granted to Editors and Administrators by default.\n- **Nonces:** WordPress protects these taxonomy management pages using core nonces (e.g., `_wpnonce`). A researcher would typically identify the nonce required by inspecting the edit form for the specific taxonomy.\n\n### Recommended Remediation\n\nTo resolve this vulnerability, developers must implement both input sanitization and output escaping:\n\n1.  **Input Sanitization:** Apply `sanitize_text_field()` to the metadata before saving it to the database in `wpb_fmc_save_iconfield`.\n    ```php\n    $wpb_fmc_term_meta[$key] = sanitize_text_field( $_POST['wpb_fmc_term_meta'][$key] );\n    ```\n\n2.  **Output Escaping:** Use `esc_attr()` when rendering the metadata within an HTML attribute in `wpb_fmc_category_column_data`.\n    ```php\n    $content = '\u003Ci class=\"fa-2x '. esc_attr( $wpb_fmc_term_meta['wpb_fmc_cat_icons'] ) .'\">\u003C\u002Fi>';\n    ```\n\nFor further information on securing WordPress plugins, I recommend reviewing the [WordPress Plugin Handbook section on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top Ten project](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F).","The WPB Floating Menu & Categories plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in versions up to 1.0.8. Authenticated attackers with Editor-level access or higher can inject arbitrary scripts because the plugin fails to sanitize input during storage and escape output during rendering in the WordPress admin dashboard.","\u002F\u002F admin\u002Fcategory-icon.php:42\npublic function wpb_fmc_category_column_data( $content, $column, $term_id ){\t\n\tif ( $column === 'wpb_fmc_icon' ) {\n\t\t$wpb_fmc_term_meta = get_option( \"taxonomy_$term_id\" );\n\n\t\tif( is_array($wpb_fmc_term_meta) && array_key_exists('wpb_fmc_cat_icons', $wpb_fmc_term_meta) ){\n\t\t\t$content = '\u003Ci class=\"fa-2x '. $wpb_fmc_term_meta['wpb_fmc_cat_icons'] .'\">\u003C\u002Fi>';\n\t\t}\n\t}\n\treturn $content;\n}\n\n---\n\n\u002F\u002F admin\u002Fcategory-icon.php:87\npublic function wpb_fmc_save_iconfield( $term_id ) {\n\tif ( isset( $_POST['wpb_fmc_term_meta'] ) ) {\n\n\t\t$wpb_fmc_term_meta \t= get_option( \"taxonomy_$term_id\" );\n\t\t$cat_keys \t\t\t= array_keys( $_POST['wpb_fmc_term_meta'] );\n\n\t\tforeach ( $cat_keys as $key ) {\n\t\t\tif ( isset ( $_POST['wpb_fmc_term_meta'][$key] ) ) {\n\t\t\t\t$wpb_fmc_term_meta[$key] = $_POST['wpb_fmc_term_meta'][$key];\n\t\t\t}\n\t\t}\n\n\t\t\u002F\u002F Save the option array.\n\t\tupdate_option( \"taxonomy_$term_id\", $wpb_fmc_term_meta );\n\t}\n}","diff -ru \u002Fwpb-floating-menu-or-categories\u002F1.0.8\u002Fadmin\u002Fcategory-icon.php \u002Fwpb-floating-menu-or-categories\u002F1.0.9\u002Fadmin\u002Fcategory-icon.php\n--- \u002Fadmin\u002Fcategory-icon.php\t2024-10-24 19:05:18.000000000 +0000\n+++ \u002Fadmin\u002Fcategory-icon.php\t2026-04-16 11:08:58.000000000 +0000\n@@ -43,7 +43,7 @@\n \t    \t$wpb_fmc_term_meta = get_option( \"taxonomy_$term_id\" );\n \n \t    \tif( is_array($wpb_fmc_term_meta) && array_key_exists('wpb_fmc_cat_icons', $wpb_fmc_term_meta) ){\n-\t    \t\t$content = '\u003Ci class=\"fa-2x '. $wpb_fmc_term_meta['wpb_fmc_cat_icons'] .'\">\u003C\u002Fi>';\n+\t    \t\t$content = '\u003Ci class=\"fa-2x ' . esc_attr($wpb_fmc_term_meta['wpb_fmc_cat_icons']) . '\">\u003C\u002Fi>';\n \t    \t}\n \t    }\n \n@@ -92,7 +92,7 @@\n \n \t\t\tforeach ( $cat_keys as $key ) {\n \t\t\t\tif ( isset ( $_POST['wpb_fmc_term_meta'][$key] ) ) {\n-\t\t\t\t\t$wpb_fmc_term_meta[$key] = $_POST['wpb_fmc_term_meta'][$key];\n+\t\t\t\t\t$wpb_fmc_term_meta[$key] = sanitize_text_field($_POST['wpb_fmc_term_meta'][$key]);\n \t\t\t\t}\n \t\t\t}","1. Login to the WordPress dashboard as a user with at least Editor privileges (to manage taxonomies).\n2. Navigate to the Posts -> Categories page (or any taxonomy managed by the plugin).\n3. Edit an existing category or add a new one.\n4. In the 'Icon CSS Class' text field, inject a payload that breaks out of the HTML class attribute, such as: `\">\u003Cscript>alert(1)\u003C\u002Fscript>`.\n5. Save the changes. The malicious string is saved directly into the WordPress options table via `update_option()` without sanitization.\n6. View the category list table. The plugin adds a custom 'Icon' column that renders the stored value inside an `\u003Ci>` tag without using `esc_attr()`. This causes the script to execute in the administrator's browser.","gemini-3-flash-preview","2026-05-20 16:25:48","2026-05-20 16:27:18",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","1.0.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpb-floating-menu-or-categories\u002Ftags\u002F1.0.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpb-floating-menu-or-categories.1.0.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpb-floating-menu-or-categories\u002Ftags\u002F1.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpb-floating-menu-or-categories.1.0.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpb-floating-menu-or-categories\u002Ftags"]