[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flMdLsmjBIvHu1ZzQUtJQEUSyBr7rdPE6EL70AJ-jLQg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-39606","bizreview-missing-authorization","BizReview \u003C= 1.5.14 - Missing Authorization","The BizReview plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.5.14. This makes it possible for unauthenticated attackers to perform an unauthorized action.","bizreview",null,"\u003C=1.5.14","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-03 00:00:00","2026-04-15 21:31:39",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F013ff32d-b3ea-4d36-87c3-a31de447e699?source=api-prod",[],"researched",false,3,"This research plan focuses on identifying and exploiting a Missing Authorization vulnerability in the **BizReview** plugin (\u003C= 1.5.14). The vulnerability allows unauthenticated attackers to perform actions that should be restricted to administrators, typically through unprotected AJAX handlers.\n\n### 1. Vulnerability Summary\nThe BizReview plugin fails to implement proper capability checks (e.g., `current_user_can( 'manage_options' )`) in one or more of its AJAX handler functions. While it may or may not implement a nonce check, the lack of a server-side authorization check allows any user (or unauthenticated visitor, if `wp_ajax_nopriv_` is used) to execute the function's logic. Based on the plugin's purpose, this likely involves modifying plugin settings, managing reviews, or interacting with Google Place API configurations.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable Actions (Inferred):** \n    *   `bizreview_save_settings`\n    *   `bizreview_update_options`\n    *   `bizreview_import_reviews`\n*   **Parameters:** `action`, `security`\u002F`nonce` (if required), and configuration arrays (e.g., `options`, `settings`).\n*   **Authentication:** Unauthenticated (via `wp_ajax_nopriv_` hooks) or Subscriber-level (via `wp_ajax_` hooks if registration is open).\n*   **Preconditions:** The plugin must be active. If a nonce is required, it must be extractable from the frontend or a specific shortcode-enabled page.\n\n### 3. Code Flow (Inferred Trace)\n1.  **Entry Point:** An AJAX request is sent to `admin-ajax.php` with a specific `action` parameter (e.g., `action=bizreview_save_settings`).\n2.  **Hook Registration:** The plugin registers the action in its main file or an admin\u002Fajax class:\n    `add_action( 'wp_ajax_nopriv_bizreview_save_settings', 'bizreview_save_settings_callback' );` (or similar).\n3.  **Vulnerable Function:** The callback function (e.g., `bizreview_save_settings_callback`) is invoked.\n4.  **Authorization Failure:** The function performs logic (like `update_option()`) without calling `current_user_can()`.\n5.  **Sink:** WordPress database options are updated or sensitive actions are performed.\n\n### 4. Nonce Acquisition Strategy\nIf the AJAX handler uses `check_ajax_referer` or `wp_verify_nonce`, we must obtain a valid nonce.\n\n1.  **Identify Shortcode:** Search for shortcodes in the plugin:\n    `grep -r \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fbizreview\u002F`\n2.  **Locate Localization:** Find where the plugin passes data to JS:\n    `grep -r \"wp_localize_script\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fbizreview\u002F`\n    *Look for variable names like `bizreview_vars`, `bizreview_ajax`, or `br_ajax_obj`.*\n3.  **Setup Page:**\n    Create a post containing the identified shortcode:\n    `wp post create --post_type=page --post_status=publish --post_content='[bizreview_shortcode]'` (Replace with actual shortcode).\n4.  **Extraction:**\n    Navigate to the newly created page and use `browser_eval` to extract the nonce:\n    `browser_eval(\"window.bizreview_vars?.nonce\")` (Replace `bizreview_vars` and `nonce` with actual keys found in the source).\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate unauthorized configuration change (e.g., changing the Google API key or internal plugin settings).\n\n**Request Details:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```\n    action=bizreview_save_settings&security=[NONCE]&bizreview_options[google_api_key]=EXPLOITED_API_KEY&bizreview_options[some_critical_setting]=1\n    ```\n    *(Note: Parameter names like `bizreview_options` are inferred and must be confirmed via grep)*.\n\n**Grep commands to confirm parameters:**\n```bash\n# Find the callback function for AJAX actions\ngrep -r \"wp_ajax_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fbizreview\u002F\n\n# Examine the callback for the logic and parameter names\n# Example: if action is bizreview_save_settings, find:\n# function bizreview_save_settings() { ... }\n```\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `bizreview` version 1.5.14 is installed and activated.\n2.  **Discovery:** Run a grep to find the specific vulnerable action:\n    `grep -r \"update_option\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fbizreview\u002F | grep -v \"install\"`\n    This helps identify which AJAX handlers are actually writing to the database.\n\n### 7. Expected Results\n*   **HTTP Response:** A `200 OK` response, often containing `{\"success\":true}` or `1`.\n*   **Database Change:** The plugin's settings in the `wp_options` table will be updated with the attacker-supplied values.\n\n### 8. Verification Steps\nAfter the `http_request`, verify the state change using WP-CLI:\n```bash\n# Check if the targeted option was changed\nwp option get bizreview_options --format=json\n```\nIf the output contains `EXPLOITED_API_KEY`, the Missing Authorization is confirmed.\n\n### 9. Alternative Approaches\n*   **If `wp_ajax_nopriv` is not present:** Attempt the exploit as a **Subscriber** user. If `wp_ajax_` is used without `current_user_can`, any logged-in user can exploit it.\n*   **Endpoint Hunting:** If `admin-ajax.php` is not the vector, check for custom REST API routes:\n    `grep -r \"register_rest_route\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fbizreview\u002F`\n    Check the `permission_callback` for `__return_true`.\n*   **Direct Option Update:** Some plugins use a pattern where they hook into `init` or `admin_init` and check for specific `$_POST` keys.\n    `grep -r \"add_action.*admin_init\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fbizreview\u002F`\n    *Note: `admin_init` triggers for any user visiting `\u002Fwp-admin\u002Fadmin-ajax.php`, making it a common source of authorization bypasses.*","The BizReview plugin for WordPress is vulnerable to unauthorized modification of settings due to a missing capability check on its AJAX handler functions. This allows unauthenticated or low-privileged attackers to perform administrative actions, such as updating plugin configurations or changing API keys, by sending requests to admin-ajax.php.","1. Identify the vulnerable AJAX action registered via wp_ajax_ or wp_ajax_nopriv_ hooks (e.g., bizreview_save_settings).\n2. If the handler requires a nonce, locate where the plugin localizes script variables (e.g., using wp_localize_script) and extract the nonce from a page where the plugin is active.\n3. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to the target function and 'security' or 'nonce' set to the extracted value.\n4. Include payload parameters representing the settings to be changed (e.g., bizreview_options[google_api_key]=EXPLOITED).\n5. Verify the configuration change via a public page or WP-CLI, confirming that the lack of current_user_can() allowed the unauthorized update.","gemini-3-flash-preview","2026-04-27 16:33:37","2026-04-27 16:33:57",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbizreview\u002Ftags"]