[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvQqIiUv6AB-GXP9y9ARnlt9Yh30S5EbOZwY2deXNzy8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-7522","advanced-database-cleaner-premium-authenticated-subscriber-local-file-inclusion-via-template","Advanced Database Cleaner – Premium \u003C= 4.1.0 - Authenticated (Subscriber+) Local File Inclusion via 'template'","The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. 
This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.","advanced-database-cleaner-premium",null,"\u003C=4.1.0","4.1.1","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Filename for Include\u002FRequire Statement in PHP Program ('PHP Remote File Inclusion')","2026-05-19 16:25:52","2026-05-20 04:27:51",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F77e4e516-8a12-48ee-9124-27f941b68b13?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-7522 (Advanced Database Cleaner – Premium LFI)\n\n## 1. Vulnerability Summary\nThe **Advanced Database Cleaner – Premium** plugin (versions \u003C= 4.1.0) contains a Local File Inclusion (LFI) vulnerability. The flaw exists because the plugin fails to properly sanitize or validate a user-supplied file path provided via the `template` parameter before passing it to a PHP `include()` or `require()` statement. Authenticated users with Subscriber-level permissions can exploit this to include and execute arbitrary PHP files located on the server.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Likely an AJAX action or an admin page handler. (Inferred: `wp-admin\u002Fadmin-ajax.php` or `wp-admin\u002Fadmin.php`)\n*   **Action\u002FHook:** Research indicates the plugin uses various admin views. The vulnerability is tied to how the plugin loads these views\u002Ftemplates.\n*   **Vulnerable Parameter:** `template`\n*   **Authentication:** Subscriber level or higher (Authenticated).\n*   **Preconditions:** The attacker must be logged in. To achieve Remote Code Execution (RCE), they must find a way to upload a `.php` file (e.g., via a different plugin or media upload) or include an existing sensitive file.\n\n## 3. Code Flow (Inferred)\n1.  
**Entry Point:** An authenticated request is made to an admin-related endpoint (e.g., `admin-ajax.php` or `admin.php?page=advanced-db-cleaner...`).\n2.  **Processing:** The plugin identifies a request to load a specific \"template\" or \"view.\"\n3.  **Vulnerable Code:**\n    ```php\n    \u002F\u002F Example of a likely vulnerable pattern in the plugin\n    $template = $_REQUEST['template']; \n    \u002F\u002F ... missing or insufficient sanitization (e.g., no realpath check or whitelist) ...\n    include( $plugin_path . '\u002Fincludes\u002F' . $template ); \n    ```\n4.  **Sink:** The `include()` function executes the file pointed to by the manipulated `template` parameter. By using path traversal (`..\u002F`), an attacker can move outside the intended directory.\n\n## 4. Nonce Acquisition Strategy\nIf the vulnerable action is an AJAX handler, it likely requires a nonce.\n1.  **Identify Nonce Location:** Premium versions of this plugin often localize nonces in the admin dashboard.\n2.  **Login as Subscriber:** Use `wp user create` and `wp user password` to set up a subscriber.\n3.  **Locate JS Variable:** Search the dashboard source for `wp_localize_script`.\n    *   *Grep Suggestion:* `grep -r \"wp_localize_script\" .`\n4.  **Extraction via Browser:**\n    *   Navigate to the WordPress dashboard as the subscriber.\n    *   Use `browser_eval` to find the nonce.\n    *   *Target Variables (Inferred):* `window.adbc_vars?.nonce` or `window.a_db_c_vars?.nonce`.\n\n## 5. 
Exploitation Strategy\nThe goal is to demonstrate LFI by including a file that produces observable output or by including `wp-config.php` (which will execute; because the WordPress bootstrap has already defined its constants, PHP emits `Constant DB_NAME already defined` warnings when `display_errors` is on, and otherwise the body is typically empty, but either outcome confirms the file was found and executed).\n\n### Step 1: Discover the Action and Nonce\nIf the LFI is in an AJAX handler:\n*   Identify the `wp_ajax_` action string (e.g., `a_db_c_load_template`).\n*   Extract the associated nonce.\n\n### Step 2: Formulate the LFI Payload\nSince the plugin likely appends `.php`, the payload should target existing `.php` files.\n*   **Payload:** `..\u002F..\u002F..\u002F..\u002Fwp-config.php` (The `.php` extension may be automatically appended by the plugin, so the payload would be `..\u002F..\u002F..\u002F..\u002Fwp-config`; four levels up is the depth from an `includes\u002F` directory under `wp-content\u002Fplugins\u002Fadvanced-database-cleaner-premium\u002F` to the site root, so adjust it if the real base directory differs).\n*   **Canary Payload:** `..\u002F..\u002F..\u002Fuploads\u002Fcanary` reaches the canary file created in Section 6 from the same inferred base directory.\n\n### Step 3: Execute the Request\nUse the `http_request` tool. The request must carry the subscriber's logged-in session cookies; without them `admin-ajax.php` dispatches to the `wp_ajax_nopriv_` hook (or returns `0`) and `admin.php` redirects to the login page, so the `template` parameter is never reached.\n\n**Example Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: [TARGET_HOST]\nCookie: [SUBSCRIBER_SESSION_COOKIES]\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=[INFERRED_ACTION]&nonce=[EXTRACTED_NONCE]&template=..\u002F..\u002F..\u002F..\u002Fwp-config\n```\n*Note: If the include is via a GET request on an admin page:*\n```http\nGET \u002Fwp-admin\u002Fadmin.php?page=advanced-db-cleaner&template=..\u002F..\u002F..\u002F..\u002Fwp-config HTTP\u002F1.1\nHost: [TARGET_HOST]\nCookie: [SUBSCRIBER_SESSION_COOKIES]\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `advanced-database-cleaner-premium` v4.1.0 is installed and active.\n2.  **Create Subscriber:**\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n    ```\n3.  **Create a Canary File:** To prove RCE\u002FLFI definitively, create a dummy PHP file in the uploads directory:\n    ```bash\n    echo \"\u003C?php echo 'LFI_SUCCESS'; ?>\" > \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fcanary.php\n    ```\n\n## 7. 
Expected Results\n*   **Success (Canary):** The HTTP response body contains `LFI_SUCCESS`.\n*   **Success (wp-config):** If including `wp-config.php`, the response may be a 200 OK with an empty body (since `wp-config.php` only defines constants and variables, and its trailing `require_once` of `wp-settings.php` is a no-op on a second load), or a 200 OK carrying `Constant DB_NAME already defined` warnings when `display_errors` is on. A path that does not exist yields a PHP warning (`include`) or a fatal error and HTTP 500 (`require`), not a 404, because the request still reaches the handler.\n*   **Error Indicators:** Look for \"Failed to open stream\" or \"No such file or directory\" in the response if `WP_DEBUG` (and with it `WP_DEBUG_DISPLAY`) or `display_errors` is on.\n\n## 8. Verification Steps\n1.  **Check PHP Error Logs:** If the request returns a 500 error or an empty body, check the logs to see the full path the plugin attempted to include:\n    ```bash\n    tail -n 20 \u002Fvar\u002Flog\u002Fapache2\u002Ferror.log\n    ```\n2.  **Audit Source:** Use the agent to find the exact line in the plugin (both `include` and `require` variants are sinks):\n    ```bash\n    grep -rnE \"(include|require)(_once)?\" . | grep -i \"template\"\n    ```\n\n## 9. Alternative Approaches\n*   **Log File Inclusion:** If the attacker can control the User-Agent or other logged data, they can target `\u002Fvar\u002Flog\u002Fapache2\u002Faccess.log` to achieve RCE. This only works when the plugin does not append a fixed `.php` extension (or the extension can be bypassed) and the log is readable by the web server user.\n*   **Null Byte Injection:** If the WordPress environment is running an ancient version of PHP (\u003C 5.3.4), a null byte `%00` might be used to bypass forced extensions, but this is unlikely in modern environments.\n*   **Wrapper Inclusion:** Try PHP wrappers like `php:\u002F\u002Ffilter\u002Fconvert.base64-encode\u002Fresource=..\u002F..\u002F..\u002F..\u002Fwp-config.php` to read the contents of files instead of executing them. `php:\u002F\u002Ffilter` does not require `allow_url_include`, but a wrapper only works when the user-supplied value forms the start of the include path; with the inferred pattern, which prefixes `$plugin_path . '\u002Fincludes\u002F'`, the wrapper string is treated as a relative file name and the include simply fails.","The Advanced Database Cleaner – Premium plugin for WordPress (\u003C= 4.1.0) is vulnerable to Local File Inclusion due to insufficient validation of the 'template' parameter. 
Authenticated users with Subscriber-level permissions or higher can exploit this to include and execute arbitrary PHP files on the server using path traversal sequences.","\u002F\u002F Inferred code pattern based on research flow\n\u002F\u002F File: advanced-database-cleaner-premium\u002Fincludes\u002Fadmin-loader.php (inferred)\n\n$template = $_REQUEST['template']; \n\u002F\u002F ... missing or insufficient sanitization (e.g., no realpath check or whitelist) ...\ninclude( $plugin_path . '\u002Fincludes\u002F' . $template );","--- a\u002Fadvanced-database-cleaner-premium\u002Fincludes\u002Fadmin-loader.php\n+++ b\u002Fadvanced-database-cleaner-premium\u002Fincludes\u002Fadmin-loader.php\n@@ -1,3 +1,3 @@\n-$template = $_REQUEST['template']; \n+$template = basename($_REQUEST['template']); \n \u002F\u002F ... missing or insufficient sanitization (e.g., no realpath check or whitelist) ...\n include( $plugin_path . '\u002Fincludes\u002F' . $template );","The exploit requires authentication as a Subscriber. The attacker first identifies the specific AJAX action (e.g., potentially 'a_db_c_load_template') or admin page parameter that triggers template loading. They extract the necessary security nonce from the WordPress dashboard, often found in localized JS variables like 'adbc_vars'. Finally, a GET or POST request is sent to wp-admin\u002Fadmin-ajax.php or wp-admin\u002Fadmin.php with the 'template' parameter set to a traversal payload targeting a PHP file, such as '..\u002F..\u002F..\u002F..\u002Fwp-config'. The server then includes and executes the targeted file.","gemini-3-flash-preview","2026-05-20 16:36:24","2026-05-20 16:37:12",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-database-cleaner-premium\u002Ftags"]
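Review bot: wrapping the request value in `basename()` stops the `../` traversal, but the loader still includes any file that exists under `includes/`, and the comment kept on the following line still says sanitization is "missing or insufficient", which no longer describes the patched state. Compare the name against a fixed allow-list of known template names (`in_array($template, $allowed_templates, true)`) and, as defence in depth, `realpath()` the joined path and require it to start with the canonical `includes/` directory before the `include`; then update or drop the stale comment. The file header is marked "(inferred)", so the real 4.1.1 change should be confirmed against the plugin source at the trac URL listed on this page before this diff is cited as the fix.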
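The page's vulnerable snippet and fix diff are both marked as inferred. The following is an added example written for this page, not code from the plugin, the advisory or the research output above: it places the inferred vulnerable concatenation beside a hardened loader that allow-lists template names and then checks the `realpath()` of the resolved file against the includes directory, failing closed on anything else. The function names, the allow-list entries, the temporary directory layout and the `../canary` payload are assumptions for the demonstration.

```php
<?php
// Added example (not plugin code): inferred vulnerable include pattern
// beside a hardened loader. All names and paths here are hypothetical.

declare(strict_types=1);

// Allow-list of template names the loader is willing to include (assumed).
const ALLOWED_TEMPLATES = ['overview', 'tables', 'options'];

/**
 * Vulnerable pattern as inferred on this page: the request value is
 * concatenated straight into the include path. Returns the path it would
 * include so the traversal is observable without executing anything.
 */
function vulnerable_template_path(string $base, string $template): string
{
    return $base . '/includes/' . $template . '.php';
}

/**
 * Hardened loader: the name must be on the allow-list AND the resolved
 * path must sit inside the includes directory. Returns the canonical
 * path, or null when the request is rejected.
 */
function safe_template_path(string $base, string $template): ?string
{
    // 1. Exact allow-list match: no traversal sequence can pass this.
    if (!in_array($template, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Defence in depth: realpath() resolves '..' and symlinks; require
    //    the result to start with the canonical includes directory.
    $dir  = realpath($base . '/includes');
    $path = realpath($base . '/includes/' . $template . '.php');
    if ($dir === false || $path === false) {
        return null;
    }
    if (strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/** Include the template only after both checks; never echo the path. */
function render_template(string $base, string $template): string
{
    $path = safe_template_path($base, $template);
    if ($path === null) {
        return 'invalid template';   // fail closed, no filesystem detail
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// --- self-contained demonstration on a constructed plugin tree ---
$base = sys_get_temp_dir() . '/adbc-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/includes', 0700, true);
file_put_contents($base . '/includes/overview.php', '<?php echo "overview ok";');
file_put_contents($base . '/canary.php', '<?php echo "ESCAPED includes/";');

$payload = '../canary';   // traversal one level out of includes/

// The vulnerable concatenation resolves to a file outside includes/.
printf("vulnerable path: %s\n", vulnerable_template_path($base, $payload));
var_dump(file_exists(vulnerable_template_path($base, $payload)));   // bool(true)

// The hardened loader serves the allow-listed name and rejects the payload.
echo render_template($base, 'overview'), "\n";   // overview ok
echo render_template($base, $payload), "\n";     // invalid template

// cleanup
unlink($base . '/includes/overview.php');
unlink($base . '/canary.php');
rmdir($base . '/includes');
rmdir($base);
```

Run it with `php example.php`. The allow-list alone is sufficient; the `realpath()` containment check is there so that a later change to how `$template` is built (for example, mapping a request value through a lookup table that someone extends with a relative path) cannot silently reintroduce the escape from `includes/`.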