[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2V4SqVFVE98h9XPrU5YDljAinjRJjH27NO-88DZO04U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32423","admin-and-site-enhancements-ase-missing-authorization-3","Admin and Site Enhancements (ASE) \u003C= 8.4.0 - Missing Authorization","The Admin and Site Enhancements (ASE) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.4.0. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","admin-site-enhancements",null,"\u003C=8.4.0","8.4.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-27 00:00:00","2026-04-15 21:02:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc380b630-7378-43a9-8b8d-85d27b904ad4?source=api-prod",48,[22,23,24,25,26,27,28,29],"CHANGELOG.md","README.md","admin-site-enhancements.php","assets\u002Fcss\u002Fadmin-page.css","assets\u002Fcss\u002Fcontent-order.css","classes\u002Fclass-content-duplication.php","classes\u002Fclass-content-order.php","classes\u002Fclass-redirect-after-logout.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32423\n\n## 1. Vulnerability Summary\nThe **Admin and Site Enhancements (ASE)** plugin for WordPress (versions \u003C= 8.4.0) contains a missing authorization vulnerability in its **Content Duplication** module (and potentially other modules like Content Order). The `ASENHA\\Classes\\Content_Duplication::duplicate_content()` function performs a capability check using `current_user_can( 'edit_posts' )`. \n\nIn WordPress, the `edit_posts` capability is granted to **Contributor** roles and above. However, this function is used to duplicate any post type, including `page`, which typically requires the `edit_pages` or `edit_others_pages` capability. Furthermore, the function does not verify if the current user has permission to read or edit the specific post being duplicated. This allows a Contributor-level attacker to duplicate pages or posts authored by others (including Administrators) that they should not have permission to manipulate.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Function**: `ASENHA\\Classes\\Content_Duplication::duplicate_content()`\n- **Trigger**: An `admin_init` hook (or similar listener) that responds to a request containing specific query parameters.\n- **Endpoint**: `\u002Fwp-admin\u002Fedit.php` or `\u002Fwp-admin\u002Fadmin.php`\n- **Required Parameters**:\n - `post`: The ID of the post or page to duplicate.\n - `nonce`: A WordPress nonce for the action `asenha-duplicate-[ID]`.\n - `asenha_duplicate`: (Inferred trigger parameter) A flag to trigger the duplication logic.\n- **Authentication**: Authenticated, **Contributor** role or higher.\n- **Precondition**: The \"Content Duplication\" module must be enabled in the ASE settings.\n\n## 3. Code Flow\n1. **Registration**: The plugin initializes its modules in `bootstrap.php`. The `Content_Duplication` class is instantiated.\n2. **Hook**: The `duplicate_content()` method is likely hooked to `admin_init`.\n3. **Execution**:\n - `duplicate_content()` is called.\n - It retrieves the post ID: `$original_post_id = intval( sanitize_text_field( $_REQUEST['post'] ) );` (line 125).\n - It retrieves the nonce: `$nonce = sanitize_text_field( $_REQUEST['nonce'] );` (line 126).\n - **Authorization Check**: `if ( wp_verify_nonce( $nonce, 'asenha-duplicate-' . $original_post_id ) && $allow_duplication )` (line 127).\n - **Flaw**: `$allow_duplication` is set to `true` if `current_user_can( 'edit_posts' )` (line 123-124).\n4. **Sink**: `wp_insert_post($args)` is called (line 151) to create a new draft of the target post, effectively allowing the Contributor to \"own\" a copy of restricted content.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is generated using `wp_create_nonce( 'asenha-duplicate-' . $post->ID )`. These nonces are injected into the \"Row Actions\" (the links that appear when hovering over a post title) in the WordPress admin list tables for any post type where duplication is enabled.\n\n### Procedure for Contributor:\n1. **Navigate**: Go to the Pages list (`\u002Fwp-admin\u002Fedit.php?post_type=page`). By default, Contributors can view the titles of all pages in the admin area.\n2. **Inspect**: ASE adds a \"Duplicate\"","The Admin and Site Enhancements (ASE) plugin is vulnerable to unauthorized access because the Content Duplication module uses a generic capability check ('edit_posts') instead of item-specific permissions. This allows authenticated users with Contributor-level access to duplicate and subsequently view restricted content, such as password-protected posts or private pages authored by administrators.","\u002F\u002F classes\u002Fclass-content-duplication.php lines 122-132\npublic function duplicate_content() {\n $allow_duplication = false;\n if ( current_user_can( 'edit_posts' ) ) {\n $allow_duplication = true;\n }\n $original_post_id = intval( sanitize_text_field( $_REQUEST['post'] ) );\n $nonce = sanitize_text_field( $_REQUEST['nonce'] );\n if ( wp_verify_nonce( $nonce, 'asenha-duplicate-' . $original_post_id ) && $allow_duplication ) {\n $original_post = get_post( $original_post_id );\n\n---\n\n\u002F\u002F classes\u002Fclass-content-duplication.php lines 291-297\npublic function is_user_allowed_to_duplicate_content() {\n $allow_duplication = false;\n if ( current_user_can( 'edit_posts' ) ) {\n $allow_duplication = true;\n }\n return $allow_duplication;\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadmin-site-enhancements\u002F8.4.0\u002Fclasses\u002Fclass-content-duplication.php\t2026-02-16 01:05:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadmin-site-enhancements\u002F8.4.1\u002Fclasses\u002Fclass-content-duplication.php\t2026-02-23 01:27:46.000000000 +0000\n@@ -120,11 +120,11 @@\n * @since 1.0.0\n *\u002F\n public function duplicate_content() {\n+ $original_post_id = intval( sanitize_text_field( $_REQUEST['post'] ) );\n $allow_duplication = false;\n- if ( current_user_can( 'edit_posts' ) ) {\n+ if ( current_user_can( 'edit_post', $original_post_id ) ) {\n $allow_duplication = true;\n }\n- $original_post_id = intval( sanitize_text_field( $_REQUEST['post'] ) );\n $nonce = sanitize_text_field( $_REQUEST['nonce'] );\n if ( wp_verify_nonce( $nonce, 'asenha-duplicate-' . $original_post_id ) && $allow_duplication ) {\n $original_post = get_post( $original_post_id );\n@@ -229,9 +229,9 @@\n * @since 6.3.0\n *\u002F\n public function add_admin_bar_duplication_link( WP_Admin_Bar $wp_admin_bar ) {\n- $duplication_link_locations = $this->get_duplication_link_locations();\n- $allow_duplication = $this->is_user_allowed_to_duplicate_content();\n global $pagenow, $post;\n+ $duplication_link_locations = $this->get_duplication_link_locations();\n+ $allow_duplication = $this->is_user_allowed_to_duplicate_content( $post );\n if ( is_object( $post ) ) {\n if ( property_exists( $post, 'post_type' ) ) {\n $post_type = $post->post_type;\n@@ -288,10 +288,14 @@\n * \n * @since 6.9.3\n *\u002F\n- public function is_user_allowed_to_duplicate_content() {\n+ public function is_user_allowed_to_duplicate_content( $post = null ) {\n $allow_duplication = false;\n- if ( current_user_can( 'edit_posts' ) ) {\n- $allow_duplication = true;\n+ if ( is_object( $post ) ) {\n+ if ( property_exists( $post, 'ID' ) ) {\n+ if ( current_user_can( 'edit_post', $post->ID ) ) {\n+ $allow_duplication = true;\n+ }\n+ }\n }\n return $allow_duplication;\n }","The exploit requires a user authenticated with at least the Contributor role and the 'Content Duplication' module enabled. An attacker identifies the ID of a target post (such as a restricted Page or another user's password-protected content) and obtains a valid duplication nonce, which the plugin exposes in the WordPress admin list tables or the frontend admin bar to users with the 'edit_posts' capability. The attacker then sends a request to the duplication handler (likely hooked to 'admin_init') with the 'post' ID and 'nonce' parameters. Because the plugin only checks if the user has the 'edit_posts' permission rather than permission to edit that specific post ID, it creates a new draft copy of the restricted content with the attacker set as the author, granting them full access to the target content's details.","gemini-3-flash-preview","2026-04-18 22:54:11","2026-04-18 22:54:57",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","8.4.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadmin-site-enhancements\u002Ftags\u002F8.4.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadmin-site-enhancements.8.4.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadmin-site-enhancements\u002Ftags\u002F8.4.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadmin-site-enhancements.8.4.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadmin-site-enhancements\u002Ftags"]