[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFa1v0H5xb7GaOnYEN6LFVhIaobOtwTsXli7Y4hEPLVU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-32447","atarim-missing-authorization-4","Atarim \u003C= 4.3.2 - Missing Authorization","The Atarim plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.3.2. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","atarim-visual-collaboration",null,"\u003C=4.3.2","4.3.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-08 00:00:00","2026-04-15 21:06:35",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F379a7767-bb88-446f-806b-7a8e5c0584a6?source=api-prod",39,[22,23,24,25,26,27,28],"admin\u002Fclass-avc-settings.php","admin\u002Fclass-user-meta.php","assets\u002Fbuild\u002Findex.js","assets\u002Fcss\u002Fglobal.css","assets\u002Fjs\u002Fadmin.js","assets\u002Fjs\u002Fglobal.js","assets\u002Fpackage-lock.json","researched",false,3,"# Exploitation Research Plan - CVE-2026-32447\n\n## 1. Vulnerability Summary\nThe **Atarim – Visual Feedback, Review & AI Collaboration** plugin (v4.3.2 and below) contains a **Missing Authorization** vulnerability. The vulnerability exists because certain sensitive functions, specifically those related to license activation and settings updates, fail to perform sufficient capability checks. While the code includes checks such as `is_user_logged_in()` and a custom `avc_allowed_user_role()` check, neither limits the operation to administrative users (e.g., those holding the `manage_options` capability). This allows authenticated users with low privileges, such as **Subscribers**, to trigger administrative actions like updating the plugin's license, changing site settings, or elevating their own plugin-specific user role to \"webmaster.\"\n\n## 2. 
Attack Vector Analysis\n- **Vulnerable Hook:** `init`\n- **Vulnerable Function:** `AVC_Settings::avc_license_activation()`\n- **HTTP Parameter(s):** \n    - `atarim_response` (The new license key, base64 encoded)\n    - `page` (A base64 encoded string containing the nonce in `atarim_state`)\n    - `site_id` (The site ID)\n- **Authentication Level:** Subscriber (Authenticated)\n- **Preconditions:** The attacker must obtain a valid nonce for the action `avc_new_license_activation`. In Atarim, this nonce is often","The Atarim plugin (\u003C= 4.3.2) fails to perform a capability check in the avc_license_activation function, which is triggered via the init hook. This allows authenticated users with subscriber-level permissions to update sensitive plugin options, such as the license key and site ID, and elevate their own plugin-specific status to 'webmaster'.","\u002F\u002F admin\u002Fclass-avc-settings.php lines 73-125\n\n    public function avc_license_activation() {\n        if (! isset($_GET['atarim_response'])) {\n            return;\n        }\n\n        if (\n            ! is_admin() ||\n            ! is_user_logged_in() ||\n            ! $this->function->avc_allowed_user_role() ||\n            ! isset($_GET['page'])\n        ) {\n            wp_safe_redirect(AVC_HOME_URL);\n            exit;\n        }\n\n        $page_raw = sanitize_text_field(wp_unslash($_GET['page']));\n        $page_decoded = base64_decode($page_raw, true);\n\n        if (false === $page_decoded) {\n            wp_safe_redirect(AVC_HOME_URL);\n            exit;\n        }\n\n        $parsed = [];\n        parse_str('page=' . $page_decoded, $parsed);\n\n        $page_slug = isset($parsed['page']) ? $parsed['page'] : '';\n        $atarim_state = isset($parsed['atarim_state']) ? 
$parsed['atarim_state'] : '';\n\n        if ('atarim-visual-collaboration' !== $page_slug) {\n            wp_safe_redirect(AVC_HOME_URL);\n            exit;\n        }\n\n        \u002F\u002F Verify nonce \u002F state.\n        if ( empty( $atarim_state ) || ! wp_verify_nonce( $atarim_state, 'avc_new_license_activation' ) ) {\n            wp_safe_redirect(AVC_HOME_URL);\n            exit;\n        }\n\n        if (strpos($_GET['atarim_response'], '%3D') !== false) {\n            $atarim_response = substr($_GET['atarim_response'], -1, 3);\n        } else {\n            $atarim_response = $_GET['atarim_response'];\n        }\n\n        $user_id = $this->function->avc_get_user_detail('id');\n        $this->function->avc_update_settings('avc_license', base64_decode(sanitize_text_field($atarim_response)));\n        $avc_site_id = sanitize_text_field($_GET['site_id']);\n        $this->function->avc_update_settings('avc_site_id', $avc_site_id);\n        $this->function->avc_update_settings('avc_initial_setup_complete', 'yes');\n        $this->function->avc_update_settings('avc_collab_active', 'yes');\n        update_user_meta($user_id, 'avc_user_type', 'webmaster', false);\n        $this->function->avc_get_whitelabel();\n        wp_safe_redirect(AVC_HOME_URL);\n        exit();\n    }","Only in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fatarim-visual-collaboration\u002F4.3.3\u002Fadmin: class-avcf-settings.php\nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fatarim-visual-collaboration\u002F4.3.2\u002Fadmin: class-avc-settings.php\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fatarim-visual-collaboration\u002F4.3.2\u002Fadmin\u002Fclass-user-meta.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fatarim-visual-collaboration\u002F4.3.3\u002Fadmin\u002Fclass-user-meta.php\n--- 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fatarim-visual-collaboration\u002F4.3.2\u002Fadmin\u002Fclass-user-meta.php\t2026-01-12 07:04:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fatarim-visual-collaboration\u002F4.3.3\u002Fadmin\u002Fclass-user-meta.php\t2026-02-25 06:47:24.000000000 +0000\n@@ -3,7 +3,7 @@\n     exit;\n }\n \n-class AVC_User_Meta {\n+class AVCF_User_Meta {\n     public function __construct() {\n         \u002F\u002F Display checkbox\n         add_action('show_user_profile', [$this, 'add_webmaster_checkbox']);\n@@ -51,7 +51,7 @@\n             return;\n         }\n \n-        if (isset($_POST['avc_user_type']) && $_POST['avc_user_type'] === 'webmaster') {\n+        if (isset($_POST['avc_user_type']) &&  sanitize_text_field(wp_unslash($_POST['avc_user_type'])) === 'webmaster') {\n             update_user_meta($user_id, 'avc_user_type', 'webmaster');\n         } else {\n             delete_user_meta($user_id, 'avc_user_type');\n@@ -59,4 +59,4 @@\n     }\n }\n \n-new AVC_User_Meta();\n\\ No newline at end of file\n+new AVCF_User_Meta();","To exploit this vulnerability, an attacker first authenticates as a Subscriber and retrieves a valid nonce for the 'avc_new_license_activation' action. The attacker then constructs a GET request targeting an administrative path (satisfying is_admin()) with specific parameters: 'atarim_response' (a base64-encoded dummy license), 'site_id', and a base64-encoded 'page' parameter containing the valid nonce and the slug 'atarim-visual-collaboration'. 
Because the plugin relies on is_admin() and a weak custom role check (avc_allowed_user_role) instead of current_user_can('manage_options'), the server-side logic in avc_license_activation() will execute, updating global plugin settings and setting the attacker's 'avc_user_type' meta to 'webmaster'.","gemini-3-flash-preview","2026-04-18 05:19:57","2026-04-18 05:21:00",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","4.3.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fatarim-visual-collaboration\u002Ftags\u002F4.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fatarim-visual-collaboration.4.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fatarim-visual-collaboration\u002Ftags\u002F4.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fatarim-visual-collaboration.4.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fatarim-visual-collaboration\u002Ftags"]