[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0_cX2aGvMidzjcDWUO-rOmeCf4-qosud9j5_LZ_A9-I":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-25311","autoshare-for-twitter-missing-authorization","Autoshare for Twitter \u003C= 2.3.1 - Missing Authorization","The Autopost for X (formerly Autoshare for Twitter) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.3.1. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","autoshare-for-twitter",null,"\u003C=2.3.1","2.3.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-22 00:00:00","2026-05-04 15:18:53",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fac05441d-137e-433a-86bd-a702ec664db0?source=api-prod",103,[22,23,24,25,26,27,28,29],"autoshare-for-twitter.php","dist\u002Fautoshare-for-twitter.asset.php","dist\u002Fautoshare-for-twitter.js","includes\u002Fadmin\u002Fpost-transition.php","readme.txt","vendor\u002Fautoload.php","vendor\u002Fcomposer\u002Fautoload_real.php","vendor\u002Fcomposer\u002Fautoload_static.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-25311 (Autoshare for Twitter \u003C= 2.3.1)\n\n## 1. Vulnerability Summary\nThe **Autopost for X (formerly Autoshare for Twitter)** plugin for WordPress is vulnerable to **Missing Authorization** in the `retweet` function located in `includes\u002Fadmin\u002Fpost-transition.php`. \n\nThe function is registered as an AJAX action `wp_ajax_tenup_autoshare_retweet`. While it correctly verifies a WordPress nonce, it uses the generic `'wp_rest'` action string and fails to perform any capability check (e.g., `current_user_can( 'edit_posts' )`). This allows any authenticated user, including those with **Subscriber-level permissions**, to trigger a tweet for any arbitrary post ID, effectively hijacking the site's Twitter\u002FX connection to publish content.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `tenup_autoshare_retweet`\n- **HTTP Method**: POST\n- **Authentication**: Authenticated (Subscriber and above)\n- **Vulnerable Parameter**: `post_id`\n- **Nonce Parameter**: `nonce` (Action: `'wp_rest'`)\n- **Preconditions**: \n    - The plugin must have a connected Twitter\u002FX account (or the attacker triggers the failure logs).\n    - The target `post_id` must belong to a post type that supports autosharing (default: `post`, `page`).\n    - The site must not be detected as a staging site (checked via `AST_Staging::is_production_site()`).\n\n## 3. Code Flow\n1. **Entry Point**: A Subscriber user sends a POST request to `admin-ajax.php` with `action=tenup_autoshare_retweet`.\n2. **Hook Registration**: `includes\u002Fadmin\u002Fpost-transition.php` defines:\n   ```php\n   add_action( 'wp_ajax_tenup_autoshare_retweet', __NAMESPACE__ . '\\retweet', 10, 3 );\n   ```\n3. **Nonce Verification**: The `retweet()` function verifies the nonce:\n   ```php\n   if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wp_rest' ) ) {\n       wp_send_json_error( __( 'Nonce verification failed.', 'autoshare-for-twitter' ) );\n   }\n   ```\n   *Note: Any logged-in user can obtain a `wp_rest` nonce as it is used by the core WordPress REST API.*\n4. **Missing Authorization**: There is no call to `current_user_can()`.\n5. **Execution Sink**: The code calls `publish_tweet($post_id, true)`:\n   ```php\n   $is_retweeted = publish_tweet( $post_id, true );\n   ```\n   The `true` argument forces the tweet to be sent even if autoshare was disabled for that specific post.\n6. **Side Effects**: `publish_tweet` attempts to compose a tweet and send it via the `Publish_Tweet` class, eventually calling `update_autoshare_for_twitter_meta_from_response()`, which modifies post metadata.\n\n## 4. Nonce Acquisition Strategy\nThe nonce used is `'wp_rest'`. 
This nonce is standard for the WordPress REST API and is automatically exposed to logged-in users.\n\n1. **Access Level**: Login as a Subscriber user.\n2. **Navigate**: Go to any page in the WordPress admin dashboard (e.g., `\u002Fwp-admin\u002Fprofile.php`).\n3. **Extract**: Use the `browser_eval` tool to extract the nonce from the global WordPress JavaScript objects.\n   - **Target Variable**: `window.wpApiSettings.nonce`\n   - **Alternative**: If `wpApiSettings` is not available, look for any `wp_localize_script` output in the page source containing a `nonce` key.\n4. **Command**: `browser_eval(\"window.wpApiSettings?.nonce\")`\n\n## 5. Exploitation Strategy\n### Step-by-Step Plan\n1. **Create Target Content**: Create a post with ID `X` as an Administrator.\n2. **Setup Attacker**: Create a Subscriber-level user.\n3. **Obtain Nonce**: Log in as the Subscriber and use `browser_eval` to grab the `wp_rest` nonce.\n4. **Trigger Unauthorized Action**: Use the `http_request` tool to send the malicious AJAX request.\n\n### HTTP Request Payload\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [Subscriber Cookies]\n\naction=tenup_autoshare_retweet&post_id=[TARGET_POST_ID]&nonce=[WP_REST_NONCE]\n```\n\n## 6. Test Data Setup\n- **Plugin Config**: Ensure the plugin is active.\n- **Production Check**: If the plugin thinks the site is staging, it will exit. You may need to define `define('WP_ENVIRONMENT_TYPE', 'production');` in `wp-config.php` or ensure the site URL does not contain \"staging\" or \"test\".\n- **Target Post**: Create a standard post:\n  `wp post create --post_type=post --post_title=\"Unauthorized Tweet\" --post_status=publish`\n  Capture the ID of this post.\n\n## 7. Expected Results\n- **Success Response**: The server returns a JSON success object: `{\"success\":true,\"data\":{...}}`.\n- **Action Taken**: The plugin attempts to contact the Twitter API. 
Even if the API credentials are dummy\u002Fmissing, the plugin will attempt to log the failure to the post's metadata.\n\n## 8. Verification Steps\n1. **Metadata Check**: Check if the post metadata has been updated to reflect a \"retweet\" attempt.\n   `wp post meta get [POST_ID] autoshare_for_twitter_status`\n2. **Log Verification**: If the Twitter API was not configured, look for an error log in the post meta:\n   `wp post meta get [POST_ID] autoshare_for_twitter_logs`\n3. **Response Validation**: Confirm the AJAX response contains `'is_retweeted' => true` (if it worked) or an error message that isn't \"Nonce verification failed\" or a 403 Forbidden.\n\n## 9. Alternative Approaches\nIf the `wp_rest` nonce is not easily found via `wpApiSettings`, navigate to the Block Editor (if the Subscriber has access to a post type) or check the source code of the dashboard for `rest-nonce` or similar identifiers. If `AST_Staging::is_production_site()` blocks the exploit, the researcher should verify if the test environment can be forced into production mode.","The Autopost for X (formerly Autoshare for Twitter) plugin for WordPress is vulnerable to unauthorized access because the AJAX action 'tenup_autoshare_retweet' fails to perform a capability check. This allows authenticated attackers, including those with Subscriber-level permissions, to trigger the publication of tweets for arbitrary post IDs on the site's connected X (Twitter) account.","\u002F\u002F includes\u002Fadmin\u002Fpost-transition.php @ line 31\nadd_action( 'wp_ajax_tenup_autoshare_retweet', __NAMESPACE__ . '\\retweet', 10, 3 );\n\n--- \n\n\u002F\u002F includes\u002Fadmin\u002Fpost-transition.php @ line 174\nfunction retweet() {\n\tif ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wp_rest' ) ) {\n\t\twp_send_json_error( __( 'Nonce verification failed.', 'autoshare-for-twitter' ) );\n\t}\n\n\t$post_id      = isset( $_POST['post_id'] ) ? 
absint( $_POST['post_id'] ) : 0;\n\t$is_retweeted = publish_tweet( $post_id, true );\n\n\t\u002F\u002F Send status logs markup for classic editor.\n\tif ( isset( $_POST['is_classic'] ) && ! empty( $_POST['is_classic'] ) ) {\n\t\t$message = [ 'message' => get_tweet_status_logs( $post_id ) ];\n\t} else {\n\t\t$message = get_tweet_status_message( $post_id );\n\t}\n\t$message['is_retweeted'] = $is_retweeted;\n\n\tif ( $is_retweeted ) {\n\t\twp_send_json_success( $message );\n\t} else {\n\t\twp_send_json_error( $message );\n\t}\n}","--- includes\u002Fadmin\u002Fpost-transition.php\n+++ includes\u002Fadmin\u002Fpost-transition.php\n@@ -178,6 +178,10 @@\n \t\twp_send_json_error( __( 'Nonce verification failed.', 'autoshare-for-twitter' ) );\n \t}\n \n+\tif ( ! current_user_can( 'edit_posts' ) ) {\n+\t\twp_send_json_error( __( 'You do not have permission to perform this action.', 'autoshare-for-twitter' ) );\n+\t}\n+\n \t$post_id      = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;\n \t$is_retweeted = publish_tweet( $post_id, true );","The vulnerability is exploited by abusing the 'tenup_autoshare_retweet' AJAX action. An authenticated attacker, such as a Subscriber, first retrieves a valid WordPress REST API nonce (commonly available via the 'wpApiSettings' JavaScript object on the dashboard). The attacker then sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'tenup_autoshare_retweet', a 'post_id' parameter targeting a specific post, and the 'nonce' parameter. 
Because the plugin does not verify if the user has permissions to edit posts or perform shares, the 'publish_tweet' function is called with the 'force' flag set to true, causing the plugin to send a status update for that post to the configured Twitter\u002FX account.","gemini-3-flash-preview","2026-05-05 03:18:43","2026-05-05 03:19:05",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.3.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautoshare-for-twitter\u002Ftags\u002F2.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fautoshare-for-twitter.2.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautoshare-for-twitter\u002Ftags\u002F2.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fautoshare-for-twitter.2.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautoshare-for-twitter\u002Ftags"]
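Review bot: the `current_user_can( 'edit_posts' )` check added in the `@@ -178,6 +178,10 @@` hunk is a site-wide capability, not a per-post one, so any user who can edit posts at all can still trigger `publish_tweet( $post_id, true )` for a post they do not own. A tighter gate is `current_user_can( 'edit_post', $post_id )`, placed after the `$post_id      = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;` line so the check is bound to the requested post; since the nonce action stays the generic `'wp_rest'`, which any logged-in user can obtain, this capability check is the only authorization gate on the action.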