Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: June 27, 2026

CVE-2026-56006: Interactive Content – H5P <= 1.17.6 Reflected Cross-Site Scripting PoC, Patch Analysis & Rule

Plugin: h5p
Severity: Medium (CVSS 6.1)
CWE: 79
Vulnerable Version: 1.17.6
Patched Version: 1.17.7
Disclosed: June 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-56006:
This vulnerability is a Reflected Cross-Site Scripting (XSS) flaw in the Interactive Content – H5P plugin for WordPress, version 1.17.6 and earlier. It resides in the library admin functionality, specifically in the upgrade status message. The issue allows unauthenticated attackers to inject arbitrary web scripts via a crafted return URL parameter, which executes when a victim clicks a link. The CVSS score is 6.1 (Medium), with CWE-79 (Cross-Site Scripting).

The root cause is insufficient input sanitization and output escaping in the file `/h5p/admin/class-h5p-library-admin.php`, around line 448. The vulnerable code constructs a ‘done’ message string by appending an anchor tag (`<a href="…">`) whose `href` attribute is taken directly from the `$return` variable. The `$return` variable comes from an HTTP request parameter (likely `_wp_http_referer` or a similar redirect-referrer) without validation. No check ensures the URL is a legitimate, safe internal URL before it is inserted into the HTML output. `sprintf` and the WordPress translation function `__()` are used for the message text, but the `$return` value is concatenated unsanitized, enabling an attacker to inject a full malicious URL (e.g., `javascript:alert(1)` or a link to an attacker-controlled domain with XSS payloads).

Exploitation requires tricking an authenticated administrator with H5P library upgrade privileges into clicking a crafted link. The attacker can craft a URL pointing to the H5P library admin page, such as `/wp-admin/admin.php?page=h5p_libraries&upgrade=1&token=…&return=javascript:alert(document.cookie)`. When the user triggers the upgrade action and the vulnerable code generates the success message (e.g., on the library management page), the browser renders the malicious `href` attribute. A victim clicking the ‘Return’ link executes the injected JavaScript in the context of the WordPress admin panel, potentially stealing session cookies, performing actions on behalf of the admin, or redirecting to phishing pages. The `$return` parameter is typically the `_wp_http_referer` but can be manipulated in the URL because the plugin does not enforce a nonce or URL whitelist on it.

The patch, visible in the diff, adds two security measures: (1) a call to `wp_http_validate_url($return)` to ensure the URL is a valid, safe HTTP or HTTPS URL, and (2) `sanitize_url($return)` to strip dangerous characters and protocols like `javascript:`. The patched code now only outputs the anchor tag if both conditions pass, and it sanitizes the URL before rendering. In the vulnerable version, the `$return` value was directly concatenated without checks. The patch also updates the plugin version from 1.17.6 to 1.17.7. This change eliminates the ability to inject arbitrary URLs and effectively neutralizes reflected XSS via this vector.
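The check described above, modelled in Python as an added example (not the plugin's code and not Atomic Edge's): the pre-patch string construction beside a hardened version that validates scheme and host the way `wp_http_validate_url()` does (approximated, not copied), additionally restricts the link to the site's own host, and escapes the value for the attribute context. `SITE_HOST` and the helper names are assumptions introduced for the example.

```python
# Added example (not the plugin's or Atomic Edge's code): a Python model of the
# `done` message before and after the 1.17.7 patch, plus the same-host check a
# reviewer might ask for. wp_http_validate_url() / sanitize_url() are only
# approximated; helper names here are hypothetical.
from html import escape
from urllib.parse import urlsplit

SITE_HOST = "site.example"  # constructed sample host


def vulnerable_done_message(contents_plural: str, return_url: str) -> str:
    """Pre-patch shape: $return goes straight into the href attribute."""
    msg = f"You have successfully upgraded {contents_plural}."
    if return_url:
        msg += f'<br/><a href="{return_url}">Return</a>'
    return msg


def http_validate_url(url: str) -> bool:
    """Approximates wp_http_validate_url(): absolute http(s) URL with a host
    and no embedded credentials. Rejects javascript:, data:, scheme-relative
    and bare-path values alike."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed IPv6 literal etc.
        return False
    if parts.scheme not in ("http", "https"):  # urlsplit lowercases the scheme
        return False
    if not parts.hostname or parts.username or parts.password:
        return False
    return True


def is_same_site(url: str, site_host: str) -> bool:
    """Stricter than the patch (in the spirit of wp_validate_redirect):
    the return link must stay on our own host."""
    host = urlsplit(url).hostname
    return bool(host) and host.lower() == site_host.lower()


def patched_done_message(contents_plural: str, return_url: str,
                         site_host: str = SITE_HOST) -> str:
    """Post-patch shape: validate first, then escape for the attribute context.
    escape(quote=True) encodes both quote characters and '&', so the value can
    neither break out of href="..." nor smuggle a second attribute."""
    msg = f"You have successfully upgraded {contents_plural}."
    if (return_url and http_validate_url(return_url)
            and is_same_site(return_url, site_host)):
        msg += f'<br/><a href="{escape(return_url, quote=True)}">Return</a>'
    return msg


if __name__ == "__main__":
    for candidate in ("javascript:alert(document.cookie)",
                      "https://site.example/wp-admin/admin.php?page=h5p_libraries&task=x",
                      "https://evil.example/"):
        print(repr(candidate), "->", patched_done_message("3 contents", candidate))
```

The same-host rule goes beyond what 1.17.7 ships: the patch accepts any public http(s) URL, so the ‘Return’ link may still point off-site; pinning it to the site's own host is the stricter choice where the return target is always internal.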

If exploited, the impact includes unauthorized data access (e.g., session tokens, cookies), privilege escalation (if an admin’s session is hijacked), or further compromise of the WordPress site (e.g., installing malicious plugins or defacing content). Since the attacker requires an authenticated admin to click the link, the risk is lower than unauthenticated stored XSS, but it still poses a significant phishing and social engineering threat.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/h5p/admin/class-h5p-library-admin.php
+++ b/h5p/admin/class-h5p-library-admin.php
@@ -445,7 +445,7 @@
         'errorLibrary' => __('Missing required library %lib.', $this->plugin_slug),
         'errorTooHighVersion' => __('Parameters contain %used while only %supported or earlier are supported.', $this->plugin_slug),
         'errorNotSupported' => __('Parameters contain %used which is not supported.', $this->plugin_slug),
-        'done' => sprintf(__('You have successfully upgraded %s.', $this->plugin_slug), $contents_plural) . ($return ? '<br/><a href="' . $return . '">' . __('Return', $this->plugin_slug) . '</a>' : ''),
+        'done' => sprintf(__('You have successfully upgraded %s.', $this->plugin_slug), $contents_plural) . ($return && wp_http_validate_url($return) ? '<br/><a href="' . sanitize_url($return) . '">' . __('Return', $this->plugin_slug) . '</a>' : ''),
         'library' => array(
           'name' => $library->name,
           'version' => $library->major_version . '.' . $library->minor_version,
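Review bot: `sanitize_url()` is the storage-context sanitizer (an alias of `esc_url_raw()`); since this value is written into an `href` attribute, the output-context function is `esc_url()`, i.e. `'<br/><a href="' . esc_url($return) . '">'`. Separately, `wp_http_validate_url()` accepts any public http(s) host, so the ‘Return’ link can still point off-site; if the intent is an internal return URL, `wp_validate_redirect($return, $fallback)` restricts it to the site's own host.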
--- a/h5p/h5p.php
+++ b/h5p/h5p.php
@@ -15,7 +15,7 @@
  * Plugin Name:       H5P
  * Plugin URI:        http://h5p.org/wordpress
  * Description:       Allows you to upload, create, share and use rich interactive content on your WordPress site.
- * Version:           1.17.6
+ * Version:           1.17.7
  * Author:            Joubel
  * Author URI:        http://joubel.com
  * Text Domain:       h5p
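Review bot: Version bump only; it matches the `VERSION` constant bumped in `public/class-h5p-plugin.php` in the same patch, so the two version sources stay in sync.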
--- a/h5p/public/class-h5p-plugin.php
+++ b/h5p/public/class-h5p-plugin.php
@@ -24,7 +24,7 @@
    * @since 1.0.0
    * @var string
    */
-  const VERSION = '1.17.6';
+  const VERSION = '1.17.7';

   /**
    * The Unique identifier for this plugin.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-56006
# Chain: request targets wp-admin/admin.php AND the GET "return" argument carries a
# script scheme or event handler AND page=h5p_libraries. Each SecRule line is
# continued with a trailing backslash; the actions sit on the first rule of the
# chain and only the last rule omits "chain".
SecRule REQUEST_URI "@rx /wp-admin/admin.php" \
  "id:202656006,phase:2,deny,status:403,t:none,chain,msg:'CVE-2026-56006 - H5P Reflected XSS via return parameter',severity:'CRITICAL',tag:'CVE-2026-56006'"
  SecRule ARGS_GET:return "@rx (?i)(?:javascript:|data:|vbscript:|on[a-zA-Z]+=|script>)" \
    "t:none,chain"
    SecRule ARGS_GET:page "@streq h5p_libraries" \
      "t:none"
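To see what the chain above actually decides, here is a Python re-implementation of its three conditions run over constructed request targets. It is an added example and not part of the Atomic Edge rule set; `rule_matches`, `evaluate`, `SAMPLE_REQUESTS` and the tighter alternative pattern are assumptions introduced here. It also shows where the rule's `on[a-zA-Z]+=` clause fires on an ordinary query key such as `contentId=`.

```python
# Added example, not part of the Atomic Edge rule set: a Python re-implementation
# of the ModSecurity chain's three conditions, run over constructed request
# targets, to show what the rule catches and where its `on[a-zA-Z]+=` clause
# over-matches. Function and constant names are hypothetical.
import re
from urllib.parse import parse_qs, urlsplit

# Pattern from the rule above, with the (?i) flag so JavaScript: is caught too
ADVISORY_RE = re.compile(r"(?i)(?:javascript:|data:|vbscript:|on[a-zA-Z]+=|script>)")
# Tighter variant: a word boundary before "on" so query keys such as
# contentId= no longer trip the event-handler clause; also matches <script
TIGHTER_RE = re.compile(r"(?i)(?:javascript:|data:|vbscript:|\bon[a-z]+\s*=|<script)")


def rule_matches(request_target: str, pattern: re.Pattern = ADVISORY_RE) -> bool:
    """Emulates the chain: REQUEST_URI contains /wp-admin/admin.php
    AND ARGS_GET:return matches `pattern` AND ARGS_GET:page equals h5p_libraries.
    ModSecurity sees ARGS_GET already URL-decoded; parse_qs does that here."""
    if not re.search(r"/wp-admin/admin\.php", request_target):
        return False
    args = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    if args.get("page", [""])[0] != "h5p_libraries":
        return False
    return any(pattern.search(value) for value in args.get("return", []))


# Constructed request targets (path + query), not captured traffic
SAMPLE_REQUESTS = [
    "/wp-admin/admin.php?page=h5p_libraries&upgrade=1&return=javascript:alert(document.cookie)",
    "/wp-admin/admin.php?page=h5p_libraries&upgrade=1&return=JavaScript%3Aalert(1)",
    # legitimate nested return URL whose query key contains "on...="
    "/wp-admin/admin.php?page=h5p_libraries&return=https%3A%2F%2Fsite.example%2Fwp-admin%2Fadmin.php%3Fpage%3Dh5p%26contentId%3D7",
    "/wp-admin/admin.php?page=h5p_libraries&return=/wp-admin/admin.php?page=h5p_libraries",
    "/wp-admin/admin.php?page=plugins&return=javascript:alert(1)",
    "/index.php?page=h5p_libraries&return=javascript:alert(1)",
    "/wp-admin/admin.php?page=h5p_libraries&return=https%3A%2F%2Fsite.example%2F%3Fonload%3Dx",
]


def evaluate(pattern: re.Pattern = ADVISORY_RE) -> list:
    """Decision per sample request for the given return-argument pattern."""
    return [rule_matches(target, pattern) for target in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for target, adv, tight in zip(SAMPLE_REQUESTS, evaluate(ADVISORY_RE), evaluate(TIGHTER_RE)):
        print(f"advisory={adv!s:5} tighter={tight!s:5} {target}")
```

The third sample is the one to watch when deploying: a benign `return` URL whose own query string carries a key ending in `on…=` is blocked by the published pattern but not by the word-boundary variant. The tighter pattern is a tuning suggestion, not part of the published rule; check it against your own traffic before swapping it in.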
