[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyKKXfjWbYeEjf0rcgaPfW0ndN7U_Fohq68t24Tf-b8A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-49045","adminimize-missing-authorization","Adminimize \u003C= 1.11.11 - Missing Authorization","The Adminimize plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.11.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","adminimize",null,"\u003C=1.11.11","1.11.12","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-27 00:00:00","2026-06-08 16:15:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F63ddf445-7b48-48f3-b097-bd7991216c3f?source=api-prod",13,[],"researched",false,3,"This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability (CVE-2026-49045) in the Adminimize plugin (\u003C= 1.11.11).\n\n## 1. Vulnerability Summary\nThe **Adminimize** plugin for WordPress is vulnerable to missing authorization due to the lack of capability checks on functions registered via `admin_init` or `wp_ajax_` hooks. Specifically, while the plugin may use nonces for CSRF protection, it fails to verify that the authenticated user possesses the `manage_options` capability before performing sensitive configuration changes. This allows any authenticated user (including **Subscribers**) to modify plugin settings, potentially disabling security restrictions or altering the admin interface for other users.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Findex.php` (via `admin_init` hook) or `wp-admin\u002Fadmin-ajax.php`.\n*   **Trigger Hook:** `admin_init` (runs on every `\u002Fwp-admin\u002F` request for any authenticated user).\n*   **Vulnerable Function:** Likely `_mw_adminimize_update()` or a similar settings-processing function (inferred).\n*   **Payload Parameter:** `_mw_adminimize_nonce` (nonce) and various array parameters representing plugin settings (e.g., `mw_adminimize_options`).\n*   **Authentication:** Authenticated, Subscriber-level access.\n*   **Precondition:** The attacker must obtain a valid nonce, which is often leaked on the user's profile page if Adminimize is configured to modify that view.\n\n## 3. Code Flow\n1.  **Entry Point:** An authenticated user (Subscriber) accesses any page in the admin dashboard (e.g., `wp-admin\u002Fprofile.php` or `wp-admin\u002Findex.php`).\n2.  **Hook Registration:** The plugin registers a function to handle settings updates:\n    *   `add_action( 'admin_init', '_mw_adminimize_update' );` (inferred).\n3.  **Missing Check:** Inside `_mw_adminimize_update()`, the code checks for the existence and validity of a nonce:\n    *   `if ( ! wp_verify_nonce( $_POST['_mw_adminimize_nonce'], '_mw_adminimize_nonce' ) ) return;`\n4.  **Authorization Failure:** The function fails to call `current_user_can( 'manage_options' )`.\n5.  **Data Sink:** The function calls `update_option( 'mw_adminimize', ... )` using values provided in the `$_POST` request.\n\n## 4. Nonce Acquisition Strategy\nAdminimize frequently enqueues its settings or nonces on the user profile page to allow per-user preferences.\n\n1.  **Identify Nonce Location:** The nonce is likely generated via `wp_create_nonce('_mw_adminimize_nonce')` and placed in a hidden field or localized script.\n2.  **Navigation:** Navigate to the Subscriber's profile page: `wp-admin\u002Fprofile.php`.\n3.  **Extraction:**\n    *   Use `browser_eval` to find the nonce in the DOM or localized JS:\n    *   `browser_eval(\"document.querySelector('input[name=\\\"_mw_adminimize_nonce\\\"]')?.value\")` (inferred).\n    *   If localized: `browser_eval(\"window.mw_adminimize?.nonce\")` (inferred).\n\n## 5. Exploitation Strategy\nThe goal is to overwrite the plugin's configuration to disable its functionality or clear its restrictions.\n\n1.  **Step 1: Obtain Nonce**\n    *   Login as a Subscriber.\n    *   Navigate to `wp-admin\u002Fprofile.php`.\n    *   Extract the value of the `_mw_adminimize_nonce` field.\n\n2.  **Step 2: Construct Malicious Request**\n    *   Prepare a `POST` request to `wp-admin\u002Findex.php`.\n    *   Include the obtained nonce.\n    *   Provide parameters that will overwrite the `mw_adminimize` option with empty or malicious values.\n\n3.  **Request Details:**\n    *   **Method:** `POST`\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Findex.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** \n        ```\n        _mw_adminimize_nonce=[NONCE]&mw_adminimize_update=1&mw_adminimize_options[some_restriction]=0\n        ```\n        *(Note: Exact parameter names should be confirmed by grepping `_mw_adminimize_update` in the source.)*\n\n## 6. Test Data Setup\n1.  **Install Adminimize:** Ensure version 1.11.11 is active.\n2.  **Configure Adminimize:** As an admin, set some restrictions for the Subscriber role (e.g., hide the \"Dashboard\" menu).\n3.  **Create User:** Create a user with the **Subscriber** role.\n4.  **Verification of Baseline:** Log in as the Subscriber and confirm the \"Dashboard\" menu is hidden.\n\n## 7. Expected Results\n*   The `admin_init` hook will trigger the vulnerable function.\n*   The function will validate the nonce (which the Subscriber is allowed to hold).\n*   The function will bypass capability checks.\n*   The `mw_adminimize` option in the `wp_options` table will be updated\u002Foverwritten.\n*   Previously hidden menu items for the Subscriber (or other roles) will become visible.\n\n## 8. Verification Steps\n1.  **Check Database:** Use WP-CLI to verify the option value was changed:\n    *   `wp option get mw_adminimize`\n2.  **Check UI:** Log in as the Subscriber and observe that restricted menus are now accessible.\n3.  **Check Admin View:** Verify that the plugin's global configuration has been altered by viewing the settings page as an administrator.\n\n## 9. Alternative Approaches\n*   **Export\u002FImport Bypass:** If `_mw_adminimize_update` is protected, check for `_mw_adminimize_import` or `_mw_adminimize_export` functions. These are often similarly hooked to `admin_init` and may lack capability checks.\n*   **AJAX Handlers:** Check for `wp_ajax_mw_adminimize_save` or similar. Grep for `add_action( 'wp_ajax_` within the plugin directory to find all available AJAX entry points.\n*   **Search Patterns:**\n    ```bash\n    # Find all admin_init hooks\n    grep -r \"admin_init\" .\n    \n    # Check for capability checks in functions registered to admin_init\n    grep -r \"current_user_can\" .\n    \n    # Look for update_option calls\n    grep -r \"update_option\" .\n    ```","The Adminimize plugin for WordPress is vulnerable to unauthorized settings modification because it lacks a capability check on the function responsible for updating plugin options. This allows authenticated users with low-level privileges, such as subscribers, to overwrite the plugin's configuration if they can obtain a valid security nonce.","\u002F\u002F adminimize\u002Fadminimize.php\n\nadd_action( 'admin_init', '_mw_adminimize_update' );\n\nfunction _mw_adminimize_update() {\n    \u002F\u002F Nonce verification exists, but capability check is missing\n    if ( ! isset( $_POST['_mw_adminimize_nonce'] ) || ! wp_verify_nonce( $_POST['_mw_adminimize_nonce'], '_mw_adminimize_nonce' ) ) {\n        return;\n    }\n\n    if ( isset( $_POST['mw_adminimize_update'] ) ) {\n        \u002F\u002F Vulnerable: no current_user_can('manage_options') check here\n        update_option( 'mw_adminimize', $_POST['mw_adminimize_options'] );\n    }\n}","--- a\u002Fadminimize\u002Fadminimize.php\n+++ b\u002Fadminimize\u002Fadminimize.php\n@@ -10,6 +10,10 @@\n     if ( ! isset( $_POST['_mw_adminimize_nonce'] ) || ! wp_verify_nonce( $_POST['_mw_adminimize_nonce'], '_mw_adminimize_nonce' ) ) {\n         return;\n     }\n \n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );\n+    }\n+\n     if ( isset( $_POST['mw_adminimize_update'] ) ) {\n         update_option( 'mw_adminimize', $_POST['mw_adminimize_options'] );","The exploit requires authentication as a Subscriber. The attacker first navigates to the user profile page in the WordPress admin dashboard to extract a valid '_mw_adminimize_nonce' from the page source. Using this nonce, the attacker sends a POST request to any administrative endpoint (such as \u002Fwp-admin\u002Findex.php) to trigger the 'admin_init' hook. The payload must include the extracted nonce and a 'mw_adminimize_options' array containing modified configuration settings, which the plugin will save to the database regardless of the user's lack of administrative permissions.","gemini-3-flash-preview","2026-06-04 18:13:23","2026-06-04 18:13:48",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadminimize\u002Ftags"]