[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPnHyZWjHVQ_8117_mWjTOMNW09CNbafsp2-ObqQc8ko":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2025-15463","advanced-custom-fields-extended-unauthenticated-arbitrary-shortcode-execution","Advanced Custom Fields: Extended \u003C= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution","The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. 
This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.","acf-extended",null,"\u003C=0.9.2.3","0.9.2.4","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","Improper Control of Generation of Code ('Code Injection')","2026-05-12 09:54:49","2026-05-12 22:24:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff8544784-1994-47e2-be39-568d0ab9ee00?source=api-prod",1,[22,23,24,25,26,27,28,29],"acf-extended.php","assets\u002Fcss\u002Facfe-field-group.css","assets\u002Fcss\u002Facfe-field-group.min.css","assets\u002Fcss\u002Facfe-input.css","assets\u002Fcss\u002Facfe-input.min.css","assets\u002Fjs\u002Facfe-input.js","assets\u002Fjs\u002Facfe-input.min.js","includes\u002Facfe-form-functions.php","researched",false,3,"This research plan targets **CVE-2025-15463**, an unauthenticated arbitrary shortcode execution vulnerability in the **Advanced Custom Fields: Extended (ACFE)** plugin.\n\n### 1. Vulnerability Summary\nThe vulnerability exists because the plugin registers an AJAX action accessible to unauthenticated users (`wp_ajax_nopriv_*`) that accepts a `shortcode` parameter and passes it directly to the WordPress `do_shortcode()` function without adequate validation or capability checks. This allows an attacker to execute any registered shortcode on the site, potentially leading to information disclosure (e.g., via `[contact-form-7]`, `[gallery]`, or sensitive plugin-specific shortcodes) or further exploitation depending on available shortcodes.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method**: `POST`\n*   **Action**: `acfe\u002Fshortcode\u002Frender` (inferred from ACFE field type naming conventions) or `acfe\u002Fajax\u002Fshortcode_render`.\n*   **Vulnerable Parameter**: `shortcode`\n*   **Authentication**: Unauthenticated (`wp_ajax_nopriv` hook).\n*   **Preconditions**: The plugin must be active. A valid WordPress nonce may be required if `check_ajax_referer` is used.\n\n### 3. Code Flow\n1.  **Entry Point**: The user sends a `POST` request to `admin-ajax.php` with `action=acfe\u002Fshortcode\u002Frender`.\n2.  **Hook Registration**: The plugin registers the action: \n    `add_action('wp_ajax_nopriv_acfe\u002Fshortcode\u002Frender', 'acfe_ajax_shortcode_render');`\n3.  **Vulnerable Function**: The callback (likely `acfe_ajax_shortcode_render`) retrieves the `shortcode` parameter from `$_POST`.\n4.  **Processing**: It calls `do_shortcode($_POST['shortcode'])`.\n5.  **Sink**: The output of the shortcode is echoed back to the user.\n\n### 4. Nonce Acquisition Strategy\nACFE typically localizes nonces for its AJAX handlers. If the endpoint requires a nonce, it is likely tied to the `acfe` or `acf` JavaScript objects.\n\n1.  **Identify Trigger**: ACFE's \"Shortcode\" field or \"Form\" module triggers the loading of these nonces.\n2.  **Setup Page**: Create a page with an ACFE shortcode to ensure scripts are enqueued:\n    `wp post create --post_type=page --post_status=publish --post_title=\"Exploit\" --post_content='[acfe_form]'`\n3.  **Navigate**: Use `browser_navigate` to the newly created page.\n4.  **Extract Nonce**: Use `browser_eval` to extract the nonce from the global state.\n    *   Target: `window.acfe?.nonce` or `window.acf?.get('nonce')`.\n    *   Alternative: Search page source for `acfe` localization: `grep -oP '\"nonce\":\"\\K[a-f0-9]{10}'`.\n\n### 5. Exploitation Strategy\n1.  
**Confirmation of Action Name**:\n    Grep the plugin directory for the vulnerable sink:\n    `grep -rn \"do_shortcode\" includes\u002F`\n    Look for a function associated with a `wp_ajax_nopriv` action.\n2.  **Nonce Retrieval**: (Follow strategy in Section 4).\n3.  **Payload Crafting**:\n    Prepare a `POST` request to `admin-ajax.php`.\n    *   `action`: (Identified action name, e.g., `acfe\u002Fshortcode\u002Frender`)\n    *   `nonce`: (Extracted nonce)\n    *   `shortcode`: `[archives]` or `[recent_posts]` (Standard WP shortcodes) or `[acf_search]` (ACFE specific).\n4.  **HTTP Request (Playwright)**:\n    ```json\n    {\n      \"method\": \"POST\",\n      \"url\": \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n      \"headers\": {\n        \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n      },\n      \"data\": \"action=acfe\u002Fshortcode\u002Frender&nonce=VALUE&shortcode=[archives]\"\n    }\n    ```\n\n### 6. Test Data Setup\n*   **Shortcode Verification**: Ensure the `[archives]` or `[recent_posts]` shortcodes are available (they are standard in WP).\n*   **ACFE Content**: Create an ACFE Form if needed to trigger the nonce leakage.\n    ```bash\n    # (Optional) Use ACFE functions if available via CLI to create a dummy form\n    wp eval \"acfe_import_form('{\\\"title\\\":\\\"Test Form\\\",\\\"name\\\":\\\"test_form\\\"}');\"\n    wp post create --post_type=page --post_status=publish --post_content='[acfe_form name=\"test_form\"]'\n    ```\n\n### 7. Expected Results\n*   The HTTP response should have a `200 OK` status.\n*   The response body should contain the rendered HTML of the shortcode (e.g., a list of monthly archives or recent posts).\n*   If `[wp_version]` (a common test shortcode) is executed, it should return the current WordPress version string.\n\n### 8. Verification Steps\n1.  **Response Analysis**: Check the output of the `http_request` tool. 
If HTML lists (like archives) appear where they shouldn't, the execution is confirmed.\n2.  **Blind Verification**: If the output is not returned directly, try a shortcode that performs an action, then verify with `wp post list` or `wp option get`.\n\n### 9. Alternative Approaches\n*   **Action Name Search**: If `acfe\u002Fshortcode\u002Frender` fails, search for other AJAX actions:\n    `grep -r \"wp_ajax_nopriv\" .`\n*   **Nonce Bypass**: Check if `check_ajax_referer` is called with `die=false`. If so, the nonce can be omitted or be invalid.\n*   **Nested Shortcodes**: Try `[[shortcode]]` if the plugin uses a custom parsing wrapper.\n*   **Common ACFE Hooks**: Check `includes\u002Ffields\u002Ffield-shortcode.php` (if it exists) to see how the \"Shortcode\" field renders its preview.","The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to unauthenticated arbitrary shortcode execution. This occurs because the plugin registers an AJAX action that accepts a user-provided shortcode string and passes it directly to the WordPress do_shortcode function without sufficient validation or authorization checks.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-extended\u002F0.9.2.3\u002Facf-extended.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-extended\u002F0.9.2.4\u002Facf-extended.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-extended\u002F0.9.2.3\u002Facf-extended.php\t2026-01-15 03:36:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-extended\u002F0.9.2.4\u002Facf-extended.php\t2026-04-27 01:34:34.000000000 +0000\n@@ -2,7 +2,7 @@\n \u002F**\n  * Plugin Name: Advanced Custom Fields: Extended\n  * Description: All-in-one enhancement suite that improves WordPress & Advanced Custom Fields.\n- * Version:     0.9.2.3\n+ * Version:     0.9.2.4\n  * Author:      ACF Extended\n  
* Plugin URI:  https:\u002F\u002Fwww.acf-extended.com\n  * Author URI:  https:\u002F\u002Fwww.acf-extended.com\n@@ -19,7 +19,7 @@\n class ACFE{\n     \n     \u002F\u002F vars\n-    var $version = '0.9.2.3';\n+    var $version = '0.9.2.4';","The exploit targets the WordPress AJAX endpoint to execute arbitrary shortcodes without authentication. An attacker first retrieves a valid AJAX nonce, which is typically localized in the page source within the 'acfe' or 'acf' JavaScript objects (e.g., window.acfe.nonce). Once the nonce is obtained, the attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to the vulnerable AJAX handler (likely acfe\u002Fajax\u002Fshortcode_render) and the 'shortcode' parameter containing the target payload, such as [wp_version] or other sensitive shortcodes registered on the site. The server then returns the rendered output of the shortcode in the HTTP response.","gemini-3-flash-preview","2026-05-14 18:10:26","2026-05-14 18:11:03",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","0.9.2.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-extended\u002Ftags\u002F0.9.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-extended.0.9.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-extended\u002Ftags\u002F0.9.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-extended.0.9.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-extended\u002Ftags"]