[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fn3PI59XpPI2YX8MRBJsLWq3cuaF4eNtoyctgAOkoRiU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-24535","automatic-featured-images-from-videos-missing-authorization-2","Automatic Featured Images from Videos \u003C= 1.2.7 - Missing Authorization","The Automatic Featured Images from Videos plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.","automatic-featured-images-from-videos",null,"\u003C=1.2.7","1.2.8","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-25 00:00:00","2026-01-28 13:40:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff4fa85b4-df6e-4b7d-9b8b-940c5f102556?source=api-prod",4,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-24535\n\n## 1. Vulnerability Summary\nThe **Automatic Featured Images from Videos** plugin (\u003C= 1.2.7) is vulnerable to missing authorization in its AJAX handling logic. Specifically, the function responsible for manually triggering the generation of featured images from video content fails to verify if the requesting user has the appropriate administrative capabilities (e.g., `manage_options` or `edit_others_posts`). While the function implements a nonce check, the nonce is available to any user with access to the post editor, including **Contributors**. This allows authenticated users with low-level privileges to trigger image generation for any post ID, potentially leading to resource exhaustion or unauthorized modification of post metadata.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `afiv_generate_featured_image` (inferred from plugin slug and standard naming conventions)\n- **HTTP Method:** `POST`\n- **Parameters:**\n    - `action`: `afiv_generate_featured_image`\n    - `post_id`: The ID of the target WordPress post.\n    - `afiv_nonce`: A valid security nonce.\n- **Authentication:** Required (Contributor level or higher).\n- **Preconditions:** The attacker must have access to the WordPress dashboard (Contributor role satisfies this) to retrieve a valid nonce.\n\n## 3. Code Flow\n1. **Registration:** The plugin registers the AJAX action during initialization.\n   ```php\n   \u002F\u002F Likely in the main plugin file or an admin-specific include\n   add_action( 'wp_ajax_afiv_generate_featured_image', 'afiv_generate_featured_image_callback' );\n   ```\n2. **Entry Point:** An authenticated user sends a POST request to `admin-ajax.php` with `action=afiv_generate_featured_image`.\n3. **Execution:** The callback function `afiv_generate_featured_image_callback` is executed.\n4. **Vulnerable Logic:**\n   - The function calls `check_ajax_referer( 'afiv_nonce', 'nonce' )` (or similar).\n   - It retrieves the `post_id` from `$_POST`.\n   - **Missing Check:** It fails to call `current_user_can( 'edit_post', $post_id )` or `current_user_can( 'manage_options' )`.\n   - It proceeds to call the core processing logic to scan the post content for video URLs (YouTube, Vimeo, etc.), fetch the thumbnail from the external provider, and set it as the `_thumbnail_id` for the post.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes its script and provides a nonce to the post editor screen. Since Contributors can create and edit their own posts, they can access this nonce.\n\n1. **Shortcode\u002FContext:** The nonce is likely enqueued on the `post.php` (Edit Post) and `post-new.php` screens.\n2. **JS Variable Identification:** The plugin typically uses `wp_localize_script`. Based on common patterns, the object name is likely `afiv_vars` or `afiv_obj`.\n3. **Acquisition Steps:**\n   - Create a post as a Contributor: `wp post create --post_type=post --post_status=draft --post_author=CONTRIBUTOR_ID --post_title=\"Nonce Grab\"`\n   - Navigate to the edit page for that post: `\u002Fwp-admin\u002Fpost.php?post=POST_ID&action=edit`.\n   - Use `browser_eval` to extract the nonce:\n     ```javascript\n     window.afiv_vars?.nonce || window.afiv_obj?.nonce\n     ```\n   - (Alternative) Search for `afiv_nonce` in the HTML source using `http_request`.\n\n## 5. Exploitation Strategy\n1. **Target Identification:** Identify a Post ID (e.g., ID `1` which is usually the default \"Hello World\" post) that contains a video URL but has no featured image.\n2. **Authentication:** Log in to the target site as a user with the **Contributor** role.\n3. **Nonce Extraction:** Follow the strategy in Section 4 to obtain a valid `afiv_nonce`.\n4. **The Exploit Request:**\n   - Use the `http_request` tool to send the unauthorized command.\n   - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method:** `POST`\n   - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body:**\n     ```\n     action=afiv_generate_featured_image&post_id=1&nonce=[EXTRACTED_NONCE]\n     ```\n   - *Note:* If the parameter name is not `nonce`, it might be `afiv_nonce` or `security`. Verify the key name during the nonce extraction phase.\n\n## 6. Test Data Setup\n1. **Admin Setup:**\n   - Create a \"Target Post\" (ID 1) as Administrator.\n   - Set the content of Post 1 to include a YouTube link: `https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=dQw4w9WgXcQ`.\n   - Ensure Post 1 has **no** featured image set.\n2. **Attacker Setup:**\n   - Create a user `attacker` with the `contributor` role.\n   - Create a \"Dummy Post\" (ID 2) authored by `attacker` so they can access the edit screen and retrieve the nonce.\n\n## 7. Expected Results\n- The AJAX response should return a success code (e.g., `{\"success\": true}` or a raw `1`).\n- The Target Post (ID 1), which the Contributor is not authorized to edit, will now have a featured image automatically assigned from the YouTube video.\n- Server-side metadata (`_thumbnail_id`) will be updated for Post 1.\n\n## 8. Verification Steps\n1. **CLI Check:**\n   ```bash\n   # Check if post 1 now has a thumbnail ID assigned\n   wp post meta get 1 _thumbnail_id\n   ```\n2. **Visual Check:**\n   - Navigate to the home page or the specific post view to see if the featured image appears.\n3. **Authorization Confirmation:**\n   - Confirm that the `attacker` user *cannot* normally edit post 1 using standard WP-CLI or UI methods:\n     ```bash\n     wp post update 1 --post_title=\"Hacked\" --user=attacker\n     # This should fail with \"Sorry, you are not allowed to edit this post.\"\n     ```\n\n## 9. Alternative Approaches\n- **Action Guessing:** If `afiv_generate_featured_image` is not the correct action name, search the plugin source for `wp_ajax_` strings:\n  ```bash\n  grep -r \"wp_ajax_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fautomatic-featured-images-from-videos\u002F\n  ```\n- **Parameter Variation:** Some versions of this plugin might use `id` instead of `post_id`. Check the AJAX callback function signature in the source if the primary payload fails.\n- **Bulk Action:** Check if there is a bulk generation AJAX action (e.g., `afiv_bulk_generate`) which might also lack authorization and allow affecting multiple posts simultaneously.","The Automatic Featured Images from Videos plugin for WordPress is vulnerable to unauthorized featured image generation due to a missing capability check in its AJAX handler. This allows authenticated attackers with Contributor-level access to trigger image generation for any post on the site by leveraging a nonce accessible in the post editor.","\u002F\u002F Action registration inferred from plugin logic\nadd_action( 'wp_ajax_afiv_generate_featured_image', 'afiv_generate_featured_image_callback' );\n\n\u002F\u002F Callback implementation lacking authorization\nfunction afiv_generate_featured_image_callback() {\n    check_ajax_referer( 'afiv_nonce', 'nonce' );\n\n    $post_id = $_POST['post_id'];\n\n    \u002F\u002F Vulnerability: Missing check such as current_user_can( 'edit_post', $post_id )\n\n    afiv_generate_image( $post_id );\n    wp_send_json_success();\n}","--- a\u002Fautomatic-featured-images-from-videos.php\n+++ b\u002Fautomatic-featured-images-from-videos.php\n@@ -10,6 +10,10 @@\n     check_ajax_referer( 'afiv_nonce', 'nonce' );\n \n     $post_id = intval( $_POST['post_id'] );\n+\n+    if ( ! current_user_can( 'edit_post', $post_id ) ) {\n+        wp_send_json_error( 'Unauthorized' );\n+    }\n \n     afiv_generate_image( $post_id );\n     wp_send_json_success();","An attacker with Contributor-level access logs into the WordPress dashboard and navigates to the post editor for a post they are authorized to edit. From the page source or localized JavaScript variables (e.g., afiv_vars.nonce), the attacker retrieves a valid 'afiv_nonce'. The attacker then sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action parameter set to 'afiv_generate_featured_image', providing the valid nonce and the post_id of a target post they do not have permission to modify. The plugin processes the target post and sets its featured image based on video links found in the content without verifying the attacker's permissions.","gemini-3-flash-preview","2026-05-05 00:30:53","2026-05-05 00:31:46",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.2.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautomatic-featured-images-from-videos\u002Ftags\u002F1.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fautomatic-featured-images-from-videos.1.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautomatic-featured-images-from-videos\u002Ftags\u002F1.2.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fautomatic-featured-images-from-videos.1.2.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautomatic-featured-images-from-videos\u002Ftags"]