Share
## https://sploitus.com/exploit?id=82C2E905-C34D-52CE-AF62-DA2DEC5B4A33
# KIM-Guardian Pro

### CVE-2026-9271 β€” WordPress KeepInMind Stored XSS Assessment

[![Python](https://img.shields.io/badge/Python-3.8%2B-3776AB?logo=python&logoColor=white)](#installation)
[![Version](https://img.shields.io/badge/Version-1.0.0-orange)](#version-history)
[![CVE](https://img.shields.io/badge/CVE-2026--9271-red)](#vulnerability-details)
[![Plugin](https://img.shields.io/badge/KeepInMind-%E2%89%A4%200.8.4.2-critical)](#vulnerability-details)
[![License](https://img.shields.io/badge/License-Educational%20%2F%20Defensive-blue)](#license)
[![Platform](https://img.shields.io/badge/Platform-Linux%20%7C%20macOS%20%7C%20Windows-lightgrey)](#installation)

**Authorized security assessment tool for CVE-2026-9271**  
Author: **Sudeepa Wanigarathna** Β· Tool: **KIM-Guardian Pro v1.0**  
Main script: [`CVE-2026-9271.py`](./CVE-2026-9271.py)





---

> [!IMPORTANT]
> **Authorized use only.** This tool is for security research, education, and testing systems you own or have explicit written permission to assess. Unauthorized access to computer systems is illegal. The author assumes no liability for misuse.

---

## Table of Contents

- [Overview](#overview)
- [Vulnerability Details](#vulnerability-details)
- [Features](#features)
- [Installation](#installation)
- [Quick Start](#quick-start)
- [Usage Guide](#usage-guide)
- [Command Reference](#command-reference)
- [Output & Reporting](#output--reporting)
- [Troubleshooting](#troubleshooting)
- [Repository Layout](#repository-layout)
- [Version History](#version-history)
- [Disclaimer](#disclaimer)
- [Author & Credits](#author--credits)
- [License](#license)

---

## Overview

**CVE-2026-9271** is a **stored cross-site scripting (XSS)** issue in the WordPress **KeepInMind** (Dashboard Notes) plugin. Insufficient sanitization of note content allows a low-privileged authenticated user (Contributor+) to store HTML/JS that executes in an administrator’s browser, which can lead to **admin session compromise / account takeover**.

**KIM-Guardian Pro** (`CVE-2026-9271.py`) is a Python assessment tool for authorized testers to:

- Detect KeepInMind installs and version ranges
- Run a **safe test-mode** assessment (overlay marker, no credential capture)
- Bulk-scan URL lists for plugin presence and vulnerable versions
- Persist results in SQLite and text reports under `reports/`
- Optionally run a local capture / web UI for controlled lab simulations

---

## Vulnerability Details

| Attribute | Value |
|---|---|
| **CVE ID** | CVE-2026-9271 |
| **Attack Vector** | Authenticated (Contributor+) β†’ Stored XSS β†’ Admin impact |
| **Impact** | Admin browser XSS; potential account takeover in vulnerable installs |
| **Affected Product** | WordPress KeepInMind / KeepInMind Dashboard Notes |
| **Affected Versions** | ≀ **0.8.4.2** (patched in **0.8.4.3+**) |
| **Vulnerability Type** | Stored Cross-Site Scripting (XSS) |
| **CWE** | CWE-79 (Improper Neutralization of Input During Web Page Generation) |

### Relevant Surfaces

| Surface | Role |
|---|---|
| `/wp-json/keepinmind/v1/notes` | REST API used to create/read notes |
| `/wp-admin/` | Admin dashboard where stored notes may render |
| Plugin path | `/wp-content/plugins/keepinmind-dashboard-notes/` |

### Assessment Flow (high level)

1. Authenticate as a Contributor+ user (when credentials are provided)  
2. Confirm KeepInMind is installed and record WordPress / plugin versions  
3. Inject a **test** payload via the notes REST API (default)  
4. Verify the marker appears where notes render  
5. Clean up injected notes (unless `--no-cleanup`)  
6. Save assessment metadata to SQLite and a text report  

---

## Features

### Core Capabilities

| Capability | Description |
|---|---|
| Plugin detection | Checks KeepInMind install paths and version strings |
| WordPress version | Extracts generator / version metadata when available |
| Safe test mode | Default overlay marker proving XSS without capturing credentials |
| Authenticated assess | Logs in with Contributor+ credentials for full REST injection |
| Payload cleanup | Removes injected notes after assessment |
| Bulk scanning | Multi-threaded URL list scan for plugin + vulnerable version |
| SQLite history | Stores assessments in `kim_guardian.db` |
| Text reports | Writes timestamped reports under `reports/` |
| Capture server | Optional local HTTP listener for lab credential-capture drills |
| Web UI | Optional Flask dashboard (`web` mode) |

### Operational Controls

| Capability | Description |
|---|---|
| Verbose logging | File + console debug under `logs/` |
| Proxy support | Route traffic through Burp or other HTTP proxies |
| Configurable timeout | Per-request timeout (default 30s) |
| Worker pool | Tunable concurrency for bulk scans |

---

## Installation

### Prerequisites

- Python **3.8+**
- `pip`
- Network reachability to **authorized** target(s)

### Setup

```bash
cd /path/to/exploit

python3 -m venv venv
source venv/bin/activate          # Windows: venv\Scripts\activate

pip install -r requirements.txt
# Recommended extras used by this script:
pip install colorama beautifulsoup4 requests flask

python3 CVE-2026-9271.py --help
```

### Core Dependencies

```text
requests>=2.31.0
beautifulsoup4>=4.12.0
colorama>=0.4.6
flask>=3.0.0          # optional β€” web mode only
```

---

## Quick Start

> Replace `https://lab.example` with a **lab or authorized** target only.

```bash
# Help / modes
python3 CVE-2026-9271.py --help

# Safe single-target assessment (default: test payload)
python3 CVE-2026-9271.py assess https://lab.example \
  -u contributor -p 'password' -v

# Bulk version / plugin scan
python3 CVE-2026-9271.py bulk -f targets.txt -w 8 -o bulk_results.txt

# List recent assessments from SQLite
python3 CVE-2026-9271.py db --list --limit 20

# Local capture server (lab only)
python3 CVE-2026-9271.py capture --port 5000

# Optional web UI
python3 CVE-2026-9271.py web --host 127.0.0.1 --port 8080
```

---

## Usage Guide

### 1. Show help

```bash
python3 CVE-2026-9271.py --help
python3 CVE-2026-9271.py assess --help
```

### 2. Safe assessment (recommended)

Default mode uses a **non-capturing test overlay**. Provide Contributor+ credentials for injection via the REST API.

```bash
python3 CVE-2026-9271.py assess https://lab.example \
  -u contributor \
  -p 'password' \
  -v
```

Workflow:

1. Print banner and create a unique payload ID  
2. Authenticate (if `-u` / `-p` given)  
3. Detect KeepInMind + WordPress versions  
4. Inject and verify the safe test marker  
5. Clean up notes (unless `--no-cleanup`)  
6. Persist result to DB + `reports/kim_assessment_*.txt`  

### 3. Skip cleanup

```bash
python3 CVE-2026-9271.py assess https://lab.example \
  -u contributor -p 'password' --no-cleanup
```

### 4. Proxy + timeout

```bash
python3 CVE-2026-9271.py assess https://lab.example \
  -u contributor -p 'password' \
  --proxy http://127.0.0.1:8080 \
  --timeout 45 \
  -v
```

### 5. Lab attack simulation (authorized environments only)

Requires an attacker/capture base URL and `--real`. Prefer keeping capture on localhost for labs.

```bash
# Terminal 1 β€” capture listener
python3 CVE-2026-9271.py capture --port 5000

# Terminal 2 β€” assessment with capture endpoint
python3 CVE-2026-9271.py assess https://lab.example \
  -u contributor -p 'password' \
  -a http://127.0.0.1:5000 \
  --real \
  -v
```

Capture UI (when server is running):

| Path | Purpose |
|---|---|
| `/` | Capture server status page |
| `/capture` | POST endpoint for form submissions |
| `/captured` | Recent captured entries (lab review) |

### 6. Bulk scan

```bash
# targets.txt β€” one URL per line
python3 CVE-2026-9271.py bulk -f targets.txt -w 5 -o bulk_scan_results.txt

# Or comma-separated URLs
python3 CVE-2026-9271.py bulk -u "https://a.example,https://b.example" -w 3
```

Bulk checks typically include WordPress hints, KeepInMind version, REST reachability, and `wp-login.php` presence.

### 7. Database history

```bash
python3 CVE-2026-9271.py db --list
python3 CVE-2026-9271.py db --list --limit 50
```

### 8. Web interface

```bash
python3 CVE-2026-9271.py web --host 127.0.0.1 --port 8080
```

Bind to localhost by default for safety.

---

## Command Reference

### Global

| Mode | Description |
|---|---|
| `assess` | Single-target KeepInMind assessment |
| `bulk` | Multi-target plugin / version scan |
| `capture` | Local credential-capture HTTP server |
| `web` | Optional Flask web UI |
| `db` | List stored assessments |

### `assess`

| Argument | Default | Description |
|---|---|---|
| `url` | required | Target WordPress URL |
| `-u`, `--username` | β€” | WordPress username (Contributor+) |
| `-p`, `--password` | β€” | WordPress password |
| `-a`, `--attacker` | β€” | Capture server base URL (lab simulation) |
| `-t`, `--test` | on | Prefer safe test payload |
| `-r`, `--real` | off | Enable lab attack payload (needs `--attacker`) |
| `--no-cleanup` | off | Leave injected notes in place |
| `-v`, `--verbose` | off | Verbose / debug logging |
| `--timeout` | `30` | Request timeout (seconds) |
| `--proxy` | β€” | Proxy URL (e.g. `http://127.0.0.1:8080`) |

### `bulk`

| Argument | Default | Description |
|---|---|---|
| `-f`, `--file` | β€” | File of URLs (one per line) |
| `-u`, `--urls` | β€” | Comma-separated URLs |
| `-w`, `--workers` | `5` | Thread pool size |
| `-o`, `--output` | `bulk_scan_results.txt` | Report path |

### `capture`

| Argument | Default | Description |
|---|---|---|
| `--port` | `5000` | Listen port |

### `web`

| Argument | Default | Description |
|---|---|---|
| `--host` | `127.0.0.1` | Bind address |
| `--port` | `8080` | Listen port |

### `db`

| Argument | Default | Description |
|---|---|---|
| `--list` | off | List recent assessments |
| `--limit` | `10` | Max rows to show |

---

## Output & Reporting

### Console

Colorized status for authentication, plugin detection, injection, verification, and cleanup.

### Text reports

Successful `assess` runs write files like:

```text
reports/kim_assessment_YYYYMMDD_HHMMSS.txt
```

### SQLite

| File | Purpose |
|---|---|
| `kim_guardian.db` | Assessment history (target, versions, vuln flag, risk, duration) |

### Logs

| Path | Purpose |
|---|---|
| `logs/kim_pro_*.log` | Per-run application logs |

### Bulk report fields

- URL  
- WordPress version  
- Plugin version  
- Vulnerable (yes/no by version heuristic)  
- REST accessible  
- WP-Login reachable  

---

## Troubleshooting

| Symptom | What to try |
|---|---|
| Authentication failed | Confirm Contributor+ creds; check `/wp-login.php`; use `-v` |
| Plugin not detected | Verify KeepInMind path/name; try verbose mode |
| REST inject fails | Confirm auth + nonce; inspect with `--proxy` through Burp |
| Timeout / connection errors | Raise `--timeout`; check network / TLS / proxy |
| No vulnerability in test mode | Confirm version ≀ 0.8.4.2; ensure notes render for admin |
| Flask missing in `web` mode | `pip install flask` |
| BeautifulSoup missing | `pip install beautifulsoup4` |

### Debug workflow

```bash
python3 CVE-2026-9271.py assess https://lab.example \
  -u contributor -p 'password' \
  --proxy http://127.0.0.1:8080 \
  -v
```

---

## Repository Layout

```text
exploit/
β”œβ”€β”€ CVE-2026-9271.py      # KIM-Guardian Pro (v1.0)
β”œβ”€β”€ requirements.txt      # Python dependencies
β”œβ”€β”€ README.md             # This file
β”œβ”€β”€ kim_guardian.db       # SQLite assessment history (generated)
β”œβ”€β”€ logs/                 # Runtime logs (generated)
β”œβ”€β”€ reports/              # Assessment text reports (generated)
└── venv/                 # Local virtualenv (optional)
```

---

## Version History

### v1.0.0 β€” Initial Release

- Single-target KeepInMind assessment for CVE-2026-9271  
- Safe test payload (default) and optional lab capture simulation  
- Plugin / WordPress version detection  
- REST note inject, verify, and cleanup  
- Bulk multi-threaded scanning  
- SQLite persistence + text reports  
- Capture server and optional Flask web UI  
- Proxy, timeout, and verbose logging support  

---

## Disclaimer

This project is provided **as-is** for **defensive security research** and **authorized penetration testing**.

By using this software you agree that:

1. You will only target systems you own or are explicitly authorized to test.  
2. You understand applicable computer-abuse and data-protection laws.  
3. The author and contributors are **not responsible** for damage, data loss, or legal consequences from misuse.  

If you find this issue in production systems you do not own, follow responsible disclosure with the site owner and the plugin maintainer.

**Unauthorized access to computer systems is illegal.**

---

## Author & Credits

| Role | Name |
|---|---|
| **Tool Author** | Sudeepa Wanigarathna |
| **CVE** | CVE-2026-9271 |
| **Tool** | KIM-Guardian Pro v1.0 |
| **Main Script** | `CVE-2026-9271.py` |
| **License** | Educational / Defensive Use |

---

## License

```
Educational / Defensive Use Only

Copyright (c) 2026 Sudeepa Wanigarathna

Permission is granted to use this software for authorized security research,
education, and defensive assessment only.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
```

---



**For authorized security testing only.**