[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faMUIrfbO2EgShIp6yoEDP5MWbrM2M16ha5nxmtF4UXU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2025-22657","atarim-missing-authorization-to-unauthenticated-arbitrary-post-deletion","Atarim \u003C= 4.0.9 - Missing Authorization to Unauthenticated Arbitrary Post Deletion","The Atarim – Visual Feedback, Review & AI Collaboration plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.0.9. This makes it possible for unauthenticated attackers to delete arbitrary posts.","atarim-visual-collaboration",null,"\u003C=4.0.9","4.1.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-03 00:00:00","2026-05-04 14:33:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6a3db653-c39f-4097-9d31-6d009a82c4a4?source=api-prod",91,[22,23,24],"atarim-visual-collaboration.php","inc\u002Fwpf_ajax_functions.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2025-22657\n\n## 1. Vulnerability Summary\nThe **Atarim – Visual Feedback, Review & AI Collaboration** plugin (versions \u003C= 4.0.9) is vulnerable to **Missing Authorization**, allowing unauthenticated attackers to delete arbitrary WordPress posts. The vulnerability exists because the AJAX handler responsible for post\u002Ftask deletion fails to perform a capability check (e.g., `current_user_can( 'delete_posts' )`) and is registered for unauthenticated users via the `wp_ajax_nopriv_` hook. While a nonce check may be present, the nonce is exposed to unauthenticated visitors when \"Guest Mode\" or general frontend collaboration features are active.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `wpfeedback_delete_post`\n- **HTTP Method**: `POST`\n- **Payload Parameters**:\n    - `action`: `wpfeedback_delete_post`\n    - `post_id`: The ID of the post, page, or media item to delete.\n    - `nonce`: A valid WordPress nonce for the `wpf_security_nonce` action.\n- **Authentication**: Unauthenticated (via `wp_ajax_nopriv_` registration).\n- **Preconditions**: The plugin must be active. \"Guest Mode\" or frontend script enqueuing must be active (typical for Atarim's visual feedback functionality).\n\n## 3. Code Flow\n1. **Entry Point**: An unauthenticated user sends a POST request to `admin-ajax.php` with the action `wpfeedback_delete_post`.\n2. **Hook Registration**: The plugin registers the action (likely in `inc\u002Fwpf_ajax_functions.php` or `wpfeedback.php`):\n   ```php\n   add_action( 'wp_ajax_nopriv_wpfeedback_delete_post', 'wpfeedback_delete_post_ajax' );\n   ```\n3. **Nonce Verification**: The function `wpfeedback_delete_post_ajax()` is called. It likely invokes `wpf_security_check()` or a direct `check_ajax_referer( 'wpf_security_nonce', 'nonce' )`.\n4. **Vulnerable Sink**: After the nonce check, the function retrieves `$_POST['post_id']` and calls:\n   ```php\n   wp_delete_post( $_POST['post_id'], true ); \u002F\u002F Or false to move to trash\n   ```\n5. **Missing Authorization**: There is no check to verify if the current user has the authority to delete the post identified by `post_id`.\n\n## 4. Nonce Acquisition Strategy\nThe Atarim plugin localizes security nonces for its frontend visual editor.\n- **Script Handle**: `wpf-script` (or similar).\n- **JS Variable**: `wpf_ajax_obj` (inferred from `inc\u002Fwpf_ajax_functions.php` usage).\n- **Nonce Key**: `nonce`.\n- **Extraction Method**:\n    1. Create a public post to ensure frontend scripts are loaded.\n    2. Navigate to the homepage or any public post.\n    3. Execute JavaScript to extract the nonce: `window.wpf_ajax_obj?.nonce`.\n\n## 5. Exploitation Strategy\n1. **Identify Target Post**: Determine the ID of a post to delete (e.g., ID 1 for the default \"Hello world!\" post).\n2. **Obtain Nonce**:\n    - Use `browser_navigate` to visit the site's frontend.\n    - Use `browser_eval` to grab `wpf_ajax_obj.nonce`.\n3. **Execute Deletion**:\n    - Use `http_request` to send the malicious payload to `admin-ajax.php`.\n4. **Request Details**:\n    - **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    - **Method**: `POST`\n    - **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n    - **Body**: `action=wpfeedback_delete_post&nonce=[EXTRACTED_NONCE]&post_id=[TARGET_POST_ID]`\n\n## 6. Test Data Setup\n1. **Create Victim Post**:\n   ```bash\n   wp post create --post_type=post --post_title=\"Victim Post\" --post_status=publish\n   ```\n   *Note the resulting ID (e.g., 123).*\n2. **Configure Plugin**: Ensure the plugin is active. No special configuration is usually required as Atarim typically enqueues its scripts on the frontend for visual feedback.\n3. **Create Nonce Page**: If the nonce variable is not present on the homepage, create a page with a potential shortcode:\n   ```bash\n   wp post create --post_type=page --post_status=publish --post_content='[wpf_collaboration]'\n   ```\n\n## 7. Expected Results\n- **Response**: The server should return a successful status (likely `200 OK`) and a response body indicating success (or just `0` \u002F `1` if standard WordPress AJAX response).\n- **Effect**: The post with the specified `post_id` will be permanently deleted (or trashed).\n\n## 8. Verification Steps\n1. **Check Database via WP-CLI**:\n   ```bash\n   wp post exists [ID]\n   ```\n   *Expected result: No output or an error indicating the post does not exist.*\n2. **Verify Post Type Irrelevance**: Try deleting a Page or an Attachment using the same method to confirm \"arbitrary\" post deletion.\n\n## 9. Alternative Approaches\n- **Different Nonce Names**: If `wpf_ajax_obj.nonce` is not found, search the HTML source for any string matching `[a-f0-9]{10}` inside script tags or variables like `wpf_ajax_functions_vars`.\n- **Trash vs. Delete**: If the post is not permanently deleted, check the trash:\n  ```bash\n  wp post list --post_status=trash\n  ```\n- **Other Actions**: If `wpfeedback_delete_post` is not the exact action, check for similar actions in `inc\u002Fwpf_ajax_functions.php` such as `wpfeedback_remove_task` or `wpf_delete_post`.","The Atarim plugin for WordPress (versions \u003C= 4.0.9) contains a vulnerability that allows unauthenticated attackers to delete arbitrary posts. This is due to a missing authorization check and a lack of nonce verification in the plugin's AJAX handlers when 'Guest Mode' is enabled.","\u002F\u002F inc\u002Fwpf_ajax_functions.php (approx line 2517)\nfunction wpfeedback_delete_post_ajax() {\n    global $current_user;\n    $selected_roles = get_site_data_by_key( 'wpf_selcted_role' );\n    $selected_roles = explode( ',', $selected_roles );\n    if ( ! is_user_logged_in() || ( is_user_logged_in() && ! array_intersect( $current_user->roles, $selected_roles ) ) ) {\n        echo '403';\n        exit;\n    }\n    \n    \u002F\u002F ... (truncated) ...\n\n    if ( isset( $_POST['post_id'] ) ) {\n        wp_delete_post( $_POST['post_id'], true );\n    }\n}\n\n\u002F\u002F ---\n\n\u002F\u002F Registered handlers (inferred from research plan)\nadd_action( 'wp_ajax_wpfeedback_delete_post', 'wpfeedback_delete_post_ajax' );\nadd_action( 'wp_ajax_nopriv_wpfeedback_delete_post', 'wpfeedback_delete_post_ajax' );","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fatarim-visual-collaboration\u002F4.0.9\u002Fatarim-visual-collaboration.php\t2025-01-14 06:47:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fatarim-visual-collaboration\u002F4.1.0\u002Fatarim-visual-collaboration.php\t2025-01-20 07:24:06.000000000 +0000\n@@ -2,7 +2,7 @@\n \u002F*\n  * Plugin Name: Atarim: Visual Website Collaboration, Feedback & Workflow Management\n  * Description: Atarim Visual Collaboration makes it easy and efficient to collaborate on websites with your clients, internal team, contractors…anyone! It’s used by nearly 10,000 agencies and freelancers worldwide on over 120,000 websites.\n- * Version: 4.0.9\n+ * Version: 4.1.0\n  * Requires at least: 5.0\n  * Require PHP: 7.4\n  * Author: Atarim\n@@ -29,7 +29,7 @@\n     define( 'WPF_PLUGIN_URL', plugin_dir_url( __FILE__ ) );\n }\n if ( ! defined( 'WPF_VERSION' ) ) {\n-    define( 'WPF_VERSION', '4.0.9' );\n+    define( 'WPF_VERSION', '4.1.0' );\n }\n \n define( 'SCOPER_ALL_UPLOADS_EDITABLE ', true );\n@@ -358,7 +358,8 @@\n     array_push( $options, ['name' => 'wpfeedback_color', 'value' => '002157'] );\n     array_push( $options, ['name' => 'wpf_selcted_role', 'value' => 'administrator'] );\n     array_push( $options, ['name' => 'wpf_website_developer', 'value' => get_current_user_id()] );\n-    array_push( $options, ['name' => 'wpf_allow_guest', 'value' => 'yes'] );\n+    array_push( $options, ['name' => 'wpf_allow_guest', 'value' => 'no'] );\n+    array_push( $options, ['name' => 'wpf_allow_backend_commenting', 'value' => 'no'] );\n     array_push( $options, ['name' => 'wpf_every_new_task', 'value' => 'yes'] );\n     array_push( $options, ['name' => 'wpf_every_new_comment', 'value' => 'yes'] );\n     array_push( $options, ['name' => 'wpf_every_new_complete', 'value' => 'yes'] );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fatarim-visual-collaboration\u002F4.0.9\u002Finc\u002Fwpf_ajax_functions.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fatarim-visual-collaboration\u002F4.1.0\u002Finc\u002Fwpf_ajax_functions.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fatarim-visual-collaboration\u002F4.0.9\u002Finc\u002Fwpf_ajax_functions.php\t2025-01-14 06:47:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fatarim-visual-collaboration\u002F4.1.0\u002Finc\u002Fwpf_ajax_functions.php\t2025-01-20 07:24:06.000000000 +0000\n@@ -2517,7 +2517,7 @@\n     global $current_user;\n     $selected_roles = get_site_data_by_key( 'wpf_selcted_role' );\n     $selected_roles = explode( ',', $selected_roles );\n-    if ( ! is_user_logged_in() || ( is_user_logged_in() && ! array_intersect( $current_user->roles, $selected_roles ) ) ) {\n+    if ( ! wpf_validate_nonce() || ! is_user_logged_in() || ( is_user_logged_in() && ! array_intersect( $current_user->roles, $selected_roles ) ) ) {\n         echo '403';\n         exit;\n     }\n@@ -2543,7 +2543,7 @@\n     global $current_user;\n     $selected_roles = get_site_data_by_key( 'wpf_selcted_role' );\n     $selected_roles = explode( ',', $selected_roles );\n-    if ( ! is_user_logged_in() || ( is_user_logged_in() && ! array_intersect( $current_user->roles, $selected_roles ) ) ) {\n+    if ( ! wpf_validate_nonce() || ! is_user_logged_in() || ( is_user_logged_in() && ! array_intersect( $current_user->roles, $selected_roles ) ) ) {\n         echo '403';\n         exit;\n     }","The exploit involves exploiting the unauthenticated access granted by 'Guest Mode' and a lack of capability checks in AJAX handlers. \n\n1. **Identify Target**: Determine the ID of the post, page, or media attachment to be deleted.\n2. **Obtain Nonce**: Access the frontend of the target WordPress site. The plugin enqueues a security nonce (typically `wpf_security_nonce`) in a global JavaScript object (e.g., `wpf_ajax_obj.nonce`) for use by the visual collaboration scripts. Extract this nonce.\n3. **Send Request**: Perform an unauthenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters:\n   - `action`: `wpfeedback_delete_post` (or other identified vulnerable deletion actions).\n   - `nonce`: The extracted nonce value.\n   - `post_id`: The ID of the target post.\n4. **Outcome**: The server, failing to verify if the requester has the 'delete_posts' capability, will execute `wp_delete_post()` on the specified ID, resulting in the permanent deletion or trashing of the content.","gemini-3-flash-preview","2026-05-04 20:17:04","2026-05-04 20:17:39",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","4.0.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fatarim-visual-collaboration\u002Ftags\u002F4.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fatarim-visual-collaboration.4.0.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fatarim-visual-collaboration\u002Ftags\u002F4.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fatarim-visual-collaboration.4.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fatarim-visual-collaboration\u002Ftags"]