[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fI-oJtT0SZ5BbRuMKDjmSPWumpMbn3puRO2enmjja5z4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"source_links":41},"CVE-2026-1924","aruba-hispeed-cache-cross-site-request-forgery-to-plugin-settings-reset","Aruba HiSpeed Cache \u003C= 3.0.4 - Cross-Site Request Forgery to Plugin Settings Reset","The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. 
This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","aruba-hispeed-cache",null,"\u003C=3.0.4","3.0.5","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-09 12:50:15","2026-04-10 01:24:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd2230151-fde2-43d6-8bff-0d2ffd559ab3?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fassets\u002Fcss\u002Foption-page.css","admin\u002Fassets\u002Findex.php","admin\u002Fassets\u002Fjs\u002Foption-page.js","admin\u002Findex.php","admin\u002Fpages\u002Findex.php","aruba-hispeed-cache.php","assets\u002Findex.php","assets\u002Fjs\u002Findex.php","researched",false,3,"# Exploitation Research Plan: Aruba HiSpeed Cache \u003C= 3.0.4 - CSRF to Plugin Settings Reset\n\n## 1. Vulnerability Summary\nThe **Aruba HiSpeed Cache** plugin for WordPress is vulnerable to **Cross-Site Request Forgery (CSRF)** in versions up to and including 3.0.4. The vulnerability exists because the AJAX handler responsible for resetting plugin settings, `ahsc_ajax_reset_options()`, does not perform any nonce verification (e.g., `check_ajax_referer`). An unauthenticated attacker can exploit this by tricking a logged-in administrator into visiting a malicious webpage, which then sends a forged request to the site's AJAX endpoint to reset all plugin configurations to their factory defaults.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Action:** `ahsc_reset_options` (defined in `admin\u002Fassets\u002Fjs\u002Foption-page.js`)\n- **Vulnerable Function:** `ahsc_ajax_reset_options()` (as specified in the vulnerability description)\n- **Authentication Required:** An administrator session (exploited via the victim's browser).\n- **Payload Parameter:** `action=ahsc_reset_options`\n- **Preconditions:** The victim must be a logged-in administrator with the `manage_options` capability.\n\n## 3. Code Flow\n1.  **Client-Side Trigger:** In `admin\u002Fassets\u002Fjs\u002Foption-page.js`, the class `AHSC_SETTINGS_PAGE` initializes several handlers, including `this.manageReset()`.\n2.  **JavaScript Implementation:** The `manageReset()` function attaches a listener to the element `#ahsc_reset_save`.\n    ```javascript\n    \u002F\u002F admin\u002Fassets\u002Fjs\u002Foption-page.js\n    async manageReset(){\n        document.querySelector(\".ahsc-actions-wrapper #ahsc_reset_save\").addEventListener(\"click\", async (e) => {\n            e.preventDefault();\n            if (confirm(this.configs.ahsc_reset_confirm) === true) {\n                \u002F\u002F ...\n                const data = new FormData();\n                data.append(\"action\", \"ahsc_reset_options\"); \u002F\u002F ONLY action is appended\n\n                const request = await fetch(this.configs.ahsc_ajax_url, {\n                    method: \"POST\",\n                    credentials: \"same-origin\",\n                    body: data,\n                })\n                \u002F\u002F ...\n            }\n        });\n    }\n    ```\n3.  **Missing Security Control:** Unlike the `purge()` function in the same file which appends `data.append(\"ahsc_nonce\", this.configs.ahsc_nonce);`, the `manageReset()` function sends **only** the `action`.\n4.  **Backend Sink:** The WordPress core processes the AJAX request. 
The plugin registers the action `ahsc_reset_options` to a PHP function (likely `ahsc_ajax_reset_options` inside `admin\u002FAHSC_Admin_Menu.php`, though that file isn't provided, the JS and description confirm the path).\n5.  **Execution:** The backend function executes the reset logic without verifying a security nonce or checking the referrer, leading to the deletion\u002Freset of settings stored in the `wp_options` table.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required for this exploit.**\nThe source code in `admin\u002Fassets\u002Fjs\u002Foption-page.js` explicitly shows that the \"Reset\" functionality does not include a nonce in the `FormData` object. The vulnerability description confirms that \"missing nonce verification\" is the root cause. Therefore, the exploit can be executed blindly as long as the victim administrator has an active session.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an external request can trigger the settings reset.\n\n1.  **Preparation:** Change a plugin setting to a non-default value (e.g., enable \"HTML Optimizer\").\n2.  **Forge Request:** Use the `http_request` tool to simulate the CSRF attack. Since the agent acts as the attacker, and the \"victim\" is the authenticated session in the browser environment, we will perform the request using the administrator's cookies.\n3.  **Payload:**\n    - **URL:** `{{TARGET_URL}}\u002Fwp-admin\u002Fadmin-ajax.php`\n    - **Method:** `POST`\n    - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    - **Body:** `action=ahsc_reset_options`\n4.  
**Execution:**\n    ```javascript\n    \u002F\u002F Logical representation of the exploit request\n    http_request({\n        url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n        method: \"POST\",\n        body: \"action=ahsc_reset_options\",\n        headers: {\n            \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n        }\n    });\n    ```\n\n## 6. Test Data Setup\n1.  **Install & Activate:** Ensure `aruba-hispeed-cache` version 3.0.4 is active.\n2.  **Modify State:** Change a specific plugin setting to verify the reset later.\n    - Check the current state: `wp option get ahsc_html_optimizer_settings` (or similar, inferred from `src\u002FAHSC_HtmlOptimizer.php`).\n    - If the option is empty or default, set it: `wp option update ahsc_html_optimizer_settings '{\"enable_html_minification\":\"1\"}' --format=json`.\n3.  **Confirm Settings Menu:** Verify the plugin menu exists: `wp plugin get aruba-hispeed-cache`.\n\n## 7. Expected Results\n- **Response:** The server should return a JSON response (as suggested by the `.then((esit) => { ... })` block in `option-page.js`).\n- **Data State:** The options associated with the plugin (e.g., `ahsc_html_optimizer_settings`, `ahsc_cache_warmer_status`, etc.) should be deleted or reverted to their default\u002Finitial state.\n\n## 8. Verification Steps\n1.  **Immediate Verification:** Check the response body of the `http_request`. A successful reset often returns a success message in JSON format.\n2.  **Database Check (WP-CLI):**\n    - Run: `wp option get ahsc_html_optimizer_settings`\n    - **Success Criteria:** The command returns `false` (if deleted) or a default object (if reset), confirming the value set in Step 6.2 was removed.\n3.  **UI Check:** Navigate to the plugin settings page in the browser and verify the \"HTML Optimizer\" (or whichever setting was modified) is now disabled.\n\n## 9. 
Alternative Approaches\nIf the `action` name differs slightly in the specific environment:\n1.  Search for all AJAX registrations in the plugin directory: `grep -r \"wp_ajax_ahsc\" .`\n2.  Check for the specific option names used by the plugin to verify which ones were affected: `wp option list | grep ahsc`.\n3.  If a simple POST fails, attempt to trigger it via a GET request (sometimes `admin-ajax.php` handlers don't check `$_POST` specifically and accept `$_REQUEST`): `{{TARGET_URL}}\u002Fwp-admin\u002Fadmin-ajax.php?action=ahsc_reset_options`.","The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 3.0.4 due to missing nonce verification on the ahsc_ajax_reset_options() function. This allows attackers to trick an administrator into resetting all plugin settings to their default factory values.","\u002F\u002F admin\u002Fassets\u002Fjs\u002Foption-page.js lines ~126-143\nasync manageReset(){\n\n\t\tdocument.querySelector(\".ahsc-actions-wrapper #ahsc_reset_save\").addEventListener(\"click\", async (e) => {\n\t\t\te.preventDefault();\n\t\t\tif (confirm(this.configs.ahsc_reset_confirm) === true) {\n\t\t\t\tconst loader = document.createElement(\"div\");\n\t\t\t\tloader.setAttribute(\"id\", \"ahsc-loader-toolbar\");\n\t\t\t\tdocument.body.append(loader);\n\t\t\t\tloader.style.display = \"block\";\n\n\t\t\t\tconst data = new FormData();\n\t\t\t\tdata.append(\"action\", \"ahsc_reset_options\");\n\n\t\t\t\tconst request = await fetch(this.configs.ahsc_ajax_url, {\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tcredentials: \"same-origin\",\n\t\t\t\t\tbody: data,\n\t\t\t\t})","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faruba-hispeed-cache\u002F3.0.4\u002Fadmin\u002Fassets\u002Fjs\u002Foption-page.js\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faruba-hispeed-cache\u002F3.0.5\u002Fadmin\u002Fassets\u002Fjs\u002Foption-page.js\n@@ 
-134,6 +134,7 @@\n \n \t\t\t\t\t\tconst data = new FormData();\n \t\t\t\t\t\tdata.append(\"action\", \"ahsc_reset_options\");\n+\t\t\t\t\t\tdata.append(\"ahsc_nonce\", this.configs.ahsc_nonce);\n \n \t\t\t\t\t\tconst request = await fetch(this.configs.ahsc_ajax_url, {\n \t\t\t\t\t\t\tmethod: \"POST\",","The exploit targets the WordPress AJAX endpoint without requiring the attacker to obtain a valid security nonce. \n\n1. Target Endpoint: \u002Fwp-admin\u002Fadmin-ajax.php\n2. Method: POST\n3. Payload: A FormData object or urlencoded body containing 'action=ahsc_reset_options'.\n4. Victim Interaction: The attacker must trick a logged-in administrator into visiting a malicious site controlled by the attacker.\n5. Execution: The malicious site executes a background POST request (e.g., via fetch or an auto-submitting form) to the victim site. Since the browser includes the administrator's cookies and the plugin does not verify a nonce, the server processes the reset request, reverting all caching and optimization settings to default.","gemini-3-flash-preview","2026-04-16 16:14:34","2026-04-16 16:14:54",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.0.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faruba-hispeed-cache\u002Ftags\u002F3.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faruba-hispeed-cache.3.0.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faruba-hispeed-cache\u002Ftags\u002F3.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faruba-hispeed-cache.3.0.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faruba-hispeed-cache\u002Ftags"]
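Review bot: the only change visible in this hunk is client-side, at the added `data.append("ahsc_nonce", this.configs.ahsc_nonce);` line in `manageReset()`, and sending the nonce protects nothing unless the PHP handler registered for `ahsc_reset_options` rejects requests that lack a valid one. The diff shown here covers only `admin/assets/js/option-page.js`, so the 3.0.5 handler should be checked for a nonce verification such as `check_ajax_referer()` against the `ahsc_nonce` field, together with a `current_user_can( 'manage_options' )` check, both performed before any option is reset. It is also worth confirming the handler reads the nonce from the same field name the client now sends, since `purge()` and `manageReset()` share `this.configs.ahsc_nonce`.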