[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftOS41g1M3XQ6ITKr24t4eJjpH--xdOD_wco2IxpiXms":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-42659","afi-the-easiest-integration-plugin-missing-authorization","AFI – The Easiest Integration Plugin \u003C= 1.126.12 - Missing Authorization","The AFI – The Easiest Integration Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.126.12. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","advanced-form-integration",null,"\u003C=1.126.12","1.127.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-29 00:00:00","2026-05-04 13:55:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2009a0d7-ce42-46b5-986d-33e3d06a513d?source=api-prod",6,[22,23,24,25,26,27,28,29],"README.txt","advanced-form-integration.php","assets\u002Fjs\u002Fscript.js","freemius\u002Fassets\u002Fjs\u002Fpricing\u002Ffreemius-pricing.js","freemius\u002Fincludes\u002Fclass-freemius.php","freemius\u002Fincludes\u002Fclass-fs-plugin-updater.php","freemius\u002Fincludes\u002Ffs-essential-functions.php","freemius\u002Fincludes\u002Fmanagers\u002Fclass-fs-contact-form-manager.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-42659\n\n## 1. Vulnerability Summary\nThe **AFI – The Easiest Integration Plugin** (versions \u003C= 1.126.12) is vulnerable to **Missing Authorization**. While the plugin implements CSRF protection via WordPress nonces in its AJAX handlers, it fails to perform a capability check (e.g., `current_user_can('manage_options')`) on several sensitive functions. This allows any authenticated user, including those with **Subscriber** roles, to execute administrative actions such as resending or deleting integration logs.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Vulnerable Action**: `adfoin_resend_log` (or `adfoin_delete_log`)\n- **HTTP Method**: `POST`\n- **Authentication**: Required (Subscriber level or higher)\n- **Parameters**:\n    - `action`: `adfoin_resend_log`\n    - `_nonce`: A valid nonce for the `adfoin_nonce` action.\n    - `id`: The ID of the log entry to manipulate.\n\n## 3. Code Flow\n1. 
**Registration**: The plugin registers AJAX actions in its initialization routine (likely within a method called `init_actions` or `includes\u002Fclass-ajax-handlers.php`).\n2. **Entry Point**: A `POST` request is sent to `admin-ajax.php` with `action=adfoin_resend_log`.\n3. **Verification (CSRF)**: The handler calls `check_ajax_referer('adfoin_nonce', '_nonce')` or `wp_verify_nonce()`. This passes because the nonce is often localized in the admin context for all logged-in users.\n4. **Missing Check (Authorization)**: The handler proceeds to execute the logic (e.g., fetching a log from the database and triggering a re-submission to an external API like Mailchimp or Google Sheets) without checking if the `current_user_can('manage_options')`.\n5. **Sink**: The log data is retrieved using `$wpdb` and re-processed by the integration engine.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes the `adfoin` object containing the nonce for its admin scripts. \n\n- **Localization Key**: `adfoin`\n- **Nonce Key**: `nonce`\n- **Action String**: `adfoin_nonce`\n\n### Strategy:\n1. **Identify Script Loading**: The plugin enqueues its admin scripts (using `wp_enqueue_script`) in the `admin_enqueue_scripts` hook. In many versions, it fails to restrict this to only the plugin's settings pages, causing the `adfoin` object to be available on the standard WordPress Dashboard (`\u002Fwp-admin\u002Findex.php`) for all logged-in users.\n2. **Execution**:\n    - Log in as a **Subscriber**.\n    - Navigate to `\u002Fwp-admin\u002F`.\n    - Use `browser_eval` to extract the nonce:\n      ```javascript\n      window.adfoin?.nonce\n      ```\n\n## 5. Exploitation Strategy\n### Step 1: Pre-requisite Setup\nEnsure at least one integration log entry exists. 
This can be created by submitting any form integrated with AFI (e.g., a Contact Form 7 form) while logged in as admin.\n\n### Step 2: Extract Log ID\nAs an admin, view the logs at `\u002Fwp-admin\u002Fadmin.php?page=advanced-form-integration-logs` to find a valid `id`. (If testing blindly, iterate from ID 1 upwards).\n\n### Step 3: Extract Nonce (as Subscriber)\nAuthenticate as a Subscriber and fetch the nonce from the dashboard.\n\n### Step 4: Perform Unauthorized Action\nSend a POST request to resend a log entry.\n\n**HTTP Request (via `http_request`):**\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**:\n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n    - `Cookie`: [Subscriber Session Cookies]\n- **Body**:\n    ```text\n    action=adfoin_resend_log&id=[LOG_ID]&_nonce=[EXTRACTED_NONCE]\n    ```\n\n## 6. Test Data Setup\n1. **Plugin Configuration**: Activate \"AFI - The Easiest Integration Plugin\".\n2. **Create Integration**: Set up a simple \"Post-to-Webhook\" or \"Mailchimp\" integration.\n3. **Generate Log**: Submit a form to trigger the integration once, ensuring a record appears in `wp_adfoin_logs` (or similar table).\n4. **Attacker User**: Create a user with the `subscriber` role.\n\n## 7. Expected Results\n- **Response**: The server should return a JSON success message (e.g., `{\"success\":true,\"data\":\"...\"}`).\n- **Effect**: The plugin will attempt to re-send the data to the configured integration destination. Even though the subscriber should not have permission to view or manage logs, the request is processed.\n\n## 8. Verification Steps\n1. **DB Check**: Run `wp db query \"SELECT * FROM wp_adfoin_logs WHERE id=[ID]\"` and check if the status or \"retries\" count has changed.\n2. **Plugin UI**: Log in as admin and check the \"Activity Logs\" page to see if the log entry shows evidence of being resent at the time of the exploit.\n\n## 9. 
Alternative Approaches\nIf `adfoin_resend_log` is patched or restricted, try other AJAX actions found in `assets\u002Fjs\u002Fscript.js` that modify state:\n- `adfoin_delete_log`: `action=adfoin_delete_log&id=[ID]&_nonce=[NONCE]`\n- `adfoin_clear_logs`: `action=adfoin_clear_logs&_nonce=[NONCE]`\n\nIf the nonce is NOT localized on the dashboard, check if the subscriber can access the plugin's \"Documentation\" or \"Help\" pages within the admin area, which may also enqueue the script. Otherwise, try fetching the nonce from the REST API if the plugin registers a custom endpoint.","The AFI – The Easiest Integration Plugin for WordPress is vulnerable to unauthorized access because it lacks capability checks in several AJAX handlers. This allows authenticated attackers, including those with subscriber-level permissions, to perform administrative actions such as resending or deleting integration logs or fetching credentials from third-party services.","\u002F\u002F From assets\u002Fjs\u002Fscript.js - AJAX actions triggering administrative functions without backend capability checks\n\n\u002F\u002F Action: adfoin_get_mailchimp_list\nvar listRequestData = {\n    'action': 'adfoin_get_mailchimp_list',\n    'credId': this.fielddata.credId,\n    '_nonce': adfoin.nonce\n};\n\njQuery.post(ajaxurl, listRequestData, function (response) {\n    that.fielddata.list = response.data;\n    that.listLoading = false;\n});\n\n---\n\n\u002F\u002F From advanced-form-integration.php @ 1.126.3 - Registration of hooks leading to vulnerable handlers\n\npublic function init_plugin() {\n    \u002F* Define constants *\u002F\n    $this->define_constants();\n    \u002F* Include files *\u002F\n    $this->includes();\n    \u002F* Instantiate classes *\u002F\n    $this->init_classes();\n    \u002F* Initialize the action hooks *\u002F\n    $this->init_actions();\n    \u002F* Initialize the filter hooks *\u002F\n    $this->init_filters();\n}","diff -ru 
advanced-form-integration\u002F1.126.3\u002Fadvanced-form-integration.php advanced-form-integration\u002F1.127.0\u002Fadvanced-form-integration.php\n--- advanced-form-integration\u002F1.126.3\u002Fadvanced-form-integration.php\t2026-02-05 05:09:14.000000000 +0000\n+++ advanced-form-integration\u002F1.127.0\u002Fadvanced-form-integration.php\t2026-04-15 11:07:08.000000000 +0000\n@@ -6,7 +6,7 @@\n  * Description: Sends WooCommerce and Contact Form 7 to Google Sheets and many other platforms.\n  * Author: nasirahmed\n  * Author URI: https:\u002F\u002Fadvancedformintegration.com\u002F\n- * Version: 1.126.3\n+ * Version: 1.127.0\n  * License: GPL2\n  * Text Domain: advanced-form-integration\n  * Domain Path: languages\n@@ -83,7 +83,7 @@\n          *\n          * @var  string\n          *\u002F\n-        public $version = '1.126.3';\n+        public $version = '1.127.0';","1. **Authenticate as a Subscriber**: Log into the WordPress site with a low-privileged account (Subscriber or above).\n2. **Retrieve the Nonce**: Navigate to the WordPress Dashboard (\u002Fwp-admin\u002Findex.php). The plugin localizes the `adfoin` JavaScript object, which contains a security nonce (`adfoin.nonce`) for the `adfoin_nonce` action. Extract this nonce from the page source or browser console.\n3. **Identify Target Action**: Determine the administrative action to perform, such as `adfoin_resend_log` or `adfoin_delete_log`.\n4. **Execute Unauthorized Action**: Send an HTTP POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`. The payload should include the `action` parameter (e.g., `adfoin_resend_log`), the `_nonce` parameter with the extracted value, and any required identifiers like `id` for a specific log entry.\n5. 
**Verification**: The server will process the request and perform the sensitive action because it only verifies the CSRF nonce but fails to check if the current user has the 'manage_options' capability.","gemini-3-flash-preview","2026-05-04 18:03:49","2026-05-04 18:04:30",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.126.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-form-integration\u002Ftags\u002F1.126.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-form-integration.1.126.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-form-integration\u002Ftags\u002F1.127.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-form-integration.1.127.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-form-integration\u002Ftags"]
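Review bot: the two hunks in the embedded diff (the plugin header `Version:` line and the `$version` property in advanced-form-integration.php) only bump the version string from 1.126.3 to 1.127.0; no capability check is added anywhere in this excerpt, so the diff as displayed does not show the fix the advisory describes for the AJAX handlers. Confirming the fix requires the full 1.126.3 to 1.127.0 diff of the handler code (the record lists advanced-form-integration.php and assets/js/script.js among the changed files); the version-bump hunks alone should not be treated as evidence that the missing `current_user_can()` check was added.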