[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fytEqNMuxdilGaFkZ8_R509lOYQJq3Gr_pR50fCuTn6Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-24579","ai-image-alt-text-generator-for-wp-missing-authorization-3","Ai Image Alt Text Generator for WP \u003C= 1.1.9 - Missing Authorization","The Ai Image Alt Text Generator for WP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.9. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","ai-image-alt-text-generator-for-wp",null,"\u003C=1.1.9","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-20 00:00:00","2026-01-27 19:18:08",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7a9e129c-05e2-46b8-9bdd-2e986977591a?source=api-prod",[],"researched",false,3,"This exploitation research plan targets CVE-2026-24579, a missing authorization vulnerability in the \"Ai Image Alt Text Generator for WP\" plugin.\n\n### 1. Vulnerability Summary\nThe \"Ai Image Alt Text Generator for WP\" plugin (versions \u003C= 1.1.9) fails to implement proper capability checks on one or more of its AJAX handlers registered via `wp_ajax_*`. While these handlers are protected against unauthenticated users (by lack of `wp_ajax_nopriv_*`), they do not verify if the logged-in user has the administrative privileges required to generate AI content or modify media metadata. This allows any authenticated user, including those with the `subscriber` role, to trigger unauthorized actions.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **HTTP Method:** `POST`\n*   **Authentication:** Subscriber-level credentials (required).\n*   **Vulnerable Action (Inferred):** Likely `ai_image_alt_text_generator_generate`, `ai_alt_text_process`, or similar.\n*   **Parameters:**\n    *   `action`: The specific AJAX action (to be identified in Step 1 of the strategy).\n    *   `nonce`: A CSRF token (usually verified, but accessible to subscribers).\n    *   `image_id` \u002F `attachment_id`: The ID of the image to process.\n*   **Preconditions:**\n    *   The plugin must be active.\n    *   A subscriber account must be created.\n    *   (Optional) An API key for the AI service might need to be configured in the plugin settings for the action to succeed, although the vulnerability exists regardless of the backend response.\n\n### 3. Code Flow\n1.  **Registration:** The plugin registers an AJAX action during `init` or `admin_init`.\n    *   *Code Pattern:* `add_action( 'wp_ajax_IMAGE_ACTION_NAME', [ $this, 'vulnerable_callback' ] );`\n2.  **Trigger:** A subscriber sends a POST request to `admin-ajax.php` with `action=IMAGE_ACTION_NAME`.\n3.  **Authentication:** WordPress core verifies the user is logged in.\n4.  **Verification (Weak):** The callback likely calls `check_ajax_referer( 'nonce_name', 'nonce_param' )`. Because the nonce is often localized for all admin users (including subscribers accessing `admin-ajax.php` context), the subscriber can provide a valid nonce.\n5.  **Missing Authorization:** The callback function fails to call `current_user_can( 'manage_options' )` or `current_user_can( 'edit_posts' )`.\n6.  **Execution:** The plugin proceeds to call an external AI API and updates the `_wp_attachment_image_alt` metadata for the specified attachment.\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely enqueues a script that localizes the nonce for use in the Media Library or the plugin's own settings page.\n\n1.  
**Identify Nonce Source:** Search the plugin code for `wp_localize_script`.\n    *   *Search Pattern:* `grep -r \"wp_localize_script\" .`\n2.  **Target Variable:** Look for the object name and key (e.g., `ai_alt_text_obj.nonce` (inferred)).\n3.  **Extraction:**\n    *   Create a page or navigate to an admin area where the plugin's script is loaded.\n    *   Use `browser_navigate` to go to `\u002Fwp-admin\u002Fupload.php` (Media Library) as the subscriber.\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        \u002F\u002F Example (adjust based on real variable name found in grep)\n        window.ai_image_alt_text_params?.nonce || window.ai_alt_text_data?.nonce\n        ```\n\n### 5. Exploitation Strategy\n1.  **Discovery:** Use `grep` on the plugin source to find all `wp_ajax_` registrations.\n    ```bash\n    grep -rn \"wp_ajax_\" .\n    ```\n2.  **Analyze Callback:** Examine the identified callback function for the absence of `current_user_can()`.\n3.  **Prepare Payload:**\n    *   `action`: The identifier found in step 1.\n    *   `nonce`: Extracted via `browser_eval`.\n    *   `attachment_id`: An existing image ID.\n4.  **Execute Attack:** Use `http_request` to send the unauthorized command.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** `action=IDENTIFIED_ACTION&nonce=EXTRACTED_NONCE&attachment_id=IMAGE_ID`\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `ai-image-alt-text-generator-for-wp` v1.1.9 is installed and active.\n2.  **Create Image:** Upload a sample image and note its Attachment ID.\n    ```bash\n    wp media import \u002Fpath\u002Fto\u002Fimage.jpg --title=\"Test Image\"\n    ```\n3.  **Create Subscriber:**\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n    ```\n4.  
**Set \"Alt Text\" to empty:** Ensure the image currently has no alt text.\n    ```bash\n    wp post meta update \u003CID> _wp_attachment_image_alt \"\"\n    ```\n\n### 7. Expected Results\n*   The `admin-ajax.php` request returns a `200 OK` status with a success message (e.g., `{\"success\":true,\"data\":\"Alt text updated\"}`).\n*   The plugin interacts with its AI provider or local logic to generate text, despite the requester being only a subscriber.\n*   The database record for the attachment's alt text is modified.\n\n### 8. Verification Steps\n1.  **Check Meta:** Use WP-CLI to verify the `_wp_attachment_image_alt` meta key has been updated for the target image.\n    ```bash\n    wp post meta get \u003CIMAGE_ID> _wp_attachment_image_alt\n    ```\n2.  **Confirm Change:** Compare the value before and after the exploit. If the value changed from empty (or the previous value) to a new AI-generated string, the authorization bypass is confirmed.\n\n### 9. Alternative Approaches\n*   **Bulk Action Endpoint:** If the single image generation is secure, check for bulk processing handlers (e.g., `ai_bulk_generate`). These often reside in separate admin-only logic that might also miss capability checks.\n*   **Settings Modification:** Check if there's an AJAX action to save the AI API key or other plugin settings. If `current_user_can` is missing there, a subscriber could potentially change the API key to their own or delete it, causing a Denial of Service.\n*   **Referer Bypass:** If `check_ajax_referer` is used with the third parameter set to `false` and the result isn't checked:\n    ```php\n    check_ajax_referer( 'action', 'nonce', false ); \u002F\u002F Returns false on failure but continues\n    ```\n    In this case, the exploit can be performed without any nonce at all.","The Ai Image Alt Text Generator for WP plugin for WordPress is vulnerable to unauthorized access because it lacks capability checks on its AJAX handlers. 
This allows authenticated attackers with subscriber-level access to trigger AI-powered alt text generation and modify media attachment metadata without the necessary administrative privileges.","\u002F\u002F Registration of AJAX handler without restricting to specific capabilities\nadd_action( 'wp_ajax_ai_image_alt_text_generator_generate', array( $this, 'generate_alt_text' ) );\n\n---\n\n\u002F\u002F The callback function typically lacks a current_user_can() check\npublic function generate_alt_text() {\n    \u002F\u002F Verifies the nonce, but nonces are often accessible to all authenticated users\n    check_ajax_referer( 'ai_alt_text_nonce', 'security' );\n\n    \u002F\u002F Missing authorization check: if ( ! current_user_can( 'manage_options' ) )\n\n    $attachment_id = isset( $_POST['attachment_id'] ) ? intval( $_POST['attachment_id'] ) : 0;\n    \n    \u002F\u002F Plugin proceeds to perform AI API calls and update database\n    \u002F\u002F ...\n    update_post_meta( $attachment_id, '_wp_attachment_image_alt', $ai_generated_text );\n    wp_send_json_success( array( 'message' => 'Alt text updated' ) );\n}","--- a\u002Fincludes\u002Fclass-ai-image-alt-text-generator.php\n+++ b\u002Fincludes\u002Fclass-ai-image-alt-text-generator.php\n@@ -XX,XX +XX,XX @@\n public function generate_alt_text() {\n     check_ajax_referer( 'ai_alt_text_nonce', 'security' );\n \n+    if ( ! current_user_can( 'edit_posts' ) ) {\n+        wp_send_json_error( array( 'message' => 'Permission denied' ), 403 );\n+    }\n+\n     $attachment_id = isset( $_POST['attachment_id'] ) ? intval( $_POST['attachment_id'] ) : 0;","The exploit targets the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint. An attacker with subscriber-level credentials must first obtain a valid AJAX nonce, which is typically exposed in the WordPress admin area (e.g., via localized scripts in the Media Library). 
The attacker then sends a POST request with the 'action' parameter set to the vulnerable callback (e.g., 'ai_image_alt_text_generator_generate'), the 'security' parameter containing the nonce, and an 'attachment_id' identifying the target image. Because the plugin does not verify if the user has permissions like 'edit_posts' or 'manage_options', it processes the request and updates the image's alt text metadata using the AI service.","gemini-3-flash-preview","2026-05-05 05:21:45","2026-05-05 05:22:03",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fai-image-alt-text-generator-for-wp\u002Ftags"]
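Review bot: the guard added in the `generate_alt_text()` hunk of the research_fix_diff checks the site-wide `edit_posts` capability before `$attachment_id` is parsed, so any user holding `edit_posts` (Contributor and above) can still regenerate alt text for attachments they are not allowed to edit; move the check below the `intval( $_POST['attachment_id'] )` line and make it object-level, e.g. `if ( ! current_user_can( 'edit_post', $attachment_id ) ) {`, which also rejects a zero or non-existent attachment ID (no `return` is needed after `wp_send_json_error()`, since it terminates via `wp_die()`). The `@@ -XX,XX +XX,XX @@` header, together with the empty `patch_diff_files` and null `patch_trac_url` fields, shows this hunk is an illustrative reconstruction rather than the vendor's actual patch, which should be stated wherever the diff is presented.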