# Broadstreet <= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta

**CVE:** CVE-2026-1881
**Plugin slug:** broadstreet (theme slug: none)
**Affected versions:** <= 1.52.2
**Patched in version:** 1.53.2
**Severity:** medium, CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
**Vulnerability type:** Authorization Bypass Through User-Controlled Key
**Published / updated:** 2026-05-20 13:15:10
**Days to patch:** 0
**References:** https://www.wordfence.com/threat-intel/vulnerabilities/id/328ccf8f-797b-4b1a-b0f1-afd8e44f41e6?source=api-prod

The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disclose any private post metadata.

**Source links (type: plugin):**
* Vulnerable version listed: 1.53.1 - browse https://plugins.trac.wordpress.org/browser/broadstreet/tags/1.53.1, zip https://downloads.wordpress.org/plugin/broadstreet.1.53.1.zip
* Fixed version: 1.53.2 - browse https://plugins.trac.wordpress.org/browser/broadstreet/tags/1.53.2, zip https://downloads.wordpress.org/plugin/broadstreet.1.53.2.zip
* All tags: https://plugins.trac.wordpress.org/browser/broadstreet/tags

**Patch diff files:** Broadstreet/Config.php, broadstreet.php, readme.txt (Trac patch URL: none)
**Research:** status researched; verified: no; rounds completed: 3; model gemini-3-flash-preview; started 2026-05-20 16:27:32, completed 2026-05-20 16:28:03; error: none
**Proof of concept:** none recorded (no PoC status, video, summary, steps, test date, WordPress or PHP version, Playwright script or exploit code; has_trace: false; exploit code gated: false)

## Research plan

This research plan targets a **Post Meta Disclosure (IDOR)** vulnerability in the Broadstreet plugin. The full source of the AJAX handler is not provided in the snippet, so the code flow below is reconstructed from the vulnerability description and common WordPress plugin patterns; the steps that follow are designed to confirm that reconstruction rather than assume it.

---

### 1. Vulnerability Summary
The Broadstreet plugin registers an AJAX action `get_sponsored_meta` that lacks proper authorization and input validation. Specifically, it allows a user to provide an arbitrary `key` parameter which is passed directly to `get_post_meta()`. `get_post_meta()` itself performs no capability check and no `is_protected_meta()` check; the underscore convention for "private" meta keys is enforced only by the post editor and the REST API. A handler that forwards an attacker-chosen key name therefore returns whatever is stored, so any authenticated user can bypass the intended visibility restrictions and leak sensitive internal data.

### 2. Attack Vector Analysis
*   **Endpoint:** `/wp-admin/admin-ajax.php`
*   **Action:** `get_sponsored_meta`
*   **Vulnerable Parameter:** `key` (user-controlled meta key name)
*   **Identifier Parameter:** `post_id` (the ID of the post to query)
*   **Authentication:** Subscriber level or higher.
*   **Preconditions:** The attacker must have a valid nonce if the plugin implements `check_ajax_referer` (likely), and the target meta key must exist for the specified `post_id`. Note that `get_post_meta()` returns an empty string for a missing key, so a blank `200 OK` response distinguishes neither "key absent" from "value empty" nor "handler safe" from "handler leaking"; always test against a key you seeded yourself (section 5).

### 3. Code Flow (Inferred)
1.  **Registration:** `Broadstreet_Core::execute()` (in `Broadstreet/Core.php`) likely calls a method that registers the AJAX handler:
    `add_action('wp_ajax_get_sponsored_meta', array($this, 'get_sponsored_meta'));`
2.  **Handler Execution:** The handler (presumably `get_sponsored_meta`) retrieves input:
    ```php
    $post_id = $_POST['post_id'];
    $meta_key = $_POST['key'];
    ```
3.  **The Sink:** The code calls the native WordPress function without verifying whether the key is public or whether the caller may read the post's internals:
    ```php
    $value = get_post_meta($post_id, $meta_key, true);
    echo $value;
    wp_die();
    ```
4.  **The Bypass:** By providing a key like `_wp_attached_file` or a custom secret key (e.g., `_bs_metadata`), the attacker receives data they should not see. A nonce check alone does not close this: a nonce proves the request came from a page the plugin served to this user, not that the user is authorized to read the post's metadata.

### 4. Nonce Acquisition Strategy
Broadstreet typically localizes its configuration and nonces for its dashboard and widgets.

1.  **Identify Script Localization:** The plugin likely uses `wp_localize_script` to pass a nonce to the frontend. Based on common Broadstreet patterns, the object name is likely `BroadstreetConfig` or `broadstreet_vars`.
2.  **Where the script loads:**
    *   Since Broadstreet is an ad-management plugin, its scripts usually load on the WordPress dashboard for all authenticated users.
3.  **Extraction Steps:**
    *   Log in as a Subscriber.
    *   Navigate to the WordPress Dashboard (`/wp-admin/index.php`).
    *   Use `browser_eval` to search for the nonce:
        `browser_eval("window.BroadstreetConfig?.nonce || window.broadstreet_vars?.nonce")`
    *   If not found, search the HTML source for `check_ajax_referer` action strings like `broadstreet_nonce` or `get_sponsored_meta`.

### 5. Test Data Setup
To prove the vulnerability, we need a "private" meta key attached to a post.
1.  **Create a target post:**
    `wp post create --post_type=post --post_title="Target Post" --post_status=publish` (note the ID, e.g., `123`).
2.  **Add private metadata:**
    `wp post meta add 123 _secret_internal_key "CONFIDENTIAL_AD_REVENUE_DATA"`
3.  **Create a Subscriber user:**
    `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`

### 6. Exploitation Strategy
1.  **Authentication:** Authenticate as the Subscriber user and obtain session cookies.
2.  **Nonce Retrieval:**
    *   Navigate to `/wp-admin/` using `browser_navigate`.
    *   Execute `browser_eval` to extract the `nonce` and the `ajax_url`.
3.  **Exploit Request:**
    *   Use the `http_request` tool to send a POST request to `/wp-admin/admin-ajax.php`.
    *   **Headers:** `Content-Type: application/x-www-form-urlencoded`
    *   **Body:**
        ```
        action=get_sponsored_meta&post_id=123&key=_secret_internal_key&_wpnonce=[NONCE]
        ```
        *(Note: the parameter name for the nonce might be `nonce` or `_wpnonce`; this should be verified during the extraction step.)*

### 7. Expected Results
*   **Success:** The HTTP response body contains the string `CONFIDENTIAL_AD_REVENUE_DATA`.
*   **Response Code:** `200 OK`.
*   **Security Failure:** The plugin returns the value of a meta key prefixed with an underscore, which WordPress treats as protected (`is_protected_meta()`) and hides from the post editor and the REST API.

### 8. Verification Steps
1.  **Verify Payload:** Compare the HTTP response content with the output of:
    `wp post meta get 123 _secret_internal_key`
2.  **Check Scope:** Attempt to retrieve a core WordPress private key to show impact:
    `action=get_sponsored_meta&post_id=123&key=_edit_last`
    If it returns a User ID, the disclosure is confirmed. `_edit_last` is only written when a post is saved through the editor, so it may be absent on a post created with WP-CLI; open and save the post once as an administrator first if the response is empty.

### 9. Alternative Approaches
*   **If Nonce is not found in Admin:** Some Broadstreet features are intended for the frontend. Create a page with a Broadstreet widget/shortcode (if identified via `grep -r "add_shortcode"`) and extract the nonce from the public-facing page.
*   **Blind Disclosure:** If the plugin does not `echo` the result but uses it in a way that affects the UI, observe changes in the response length or specific HTML elements returned.
*   **Key Enumeration:** If the specific key name is unknown, common WordPress keys to test include (each exists only on the post types noted):
    *   `_wp_attached_file` (attachment posts)
    *   `_wp_page_template` (pages)
    *   `_edit_lock` (any post currently or recently open in the editor)
    *   `_edit_last` (any post saved through the editor)

## Research summary

The Broadstreet plugin for WordPress is vulnerable to an authorization bypass via the `get_sponsored_meta` AJAX action due to missing validation on the user-controlled `key` parameter. This allows authenticated attackers with Subscriber-level access or higher to disclose any private post metadata by requesting keys that are typically hidden (prefixed with an underscore).

## Exploit outline

1. Authenticate as a Subscriber-level user to obtain valid session cookies.
2. Locate the AJAX nonce by extracting it from localized JavaScript variables on the WordPress dashboard (likely within 'broadstreet_vars' or 'BroadstreetConfig' objects).
3. Send a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'get_sponsored_meta'.
4. Include the target post ID in the 'post_id' parameter and the desired private metadata key in the 'key' parameter (e.g., '_wp_attached_file' or '_edit_last').
5. Observe that the server returns the value of the requested private meta key, bypassing the protection that the underscore convention is meant to provide for hidden metadata.

## Fix diff (1.53.1 -> 1.53.2)

```diff
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.1/Broadstreet/Config.php /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.2/Broadstreet/Config.php
--- /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.1/Broadstreet/Config.php	2026-05-06 11:03:36.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.2/Broadstreet/Config.php	2026-05-06 11:03:36.000000000 +0000
@@ -140,4 +140,4 @@
     }
 }
 
-define('BROADSTREET_VERSION', '1.53.1');
+define('BROADSTREET_VERSION', '1.53.2');
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.1/broadstreet.php /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.2/broadstreet.php
--- /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.1/broadstreet.php	2026-05-06 11:03:36.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.2/broadstreet.php	2026-05-06 11:03:36.000000000 +0000
@@ -3,7 +3,7 @@
 Plugin Name: Broadstreet
 Plugin URI: http://broadstreetads.com
 Description: Integrate Broadstreet business directory and adserving power into your site
-Version: 1.53.1
+Version: 1.53.2
 Tested up to: 6.9
 Author: Broadstreet
 Author URI: http://broadstreetads.com
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.1/readme.txt /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.2/readme.txt
--- /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.1/readme.txt	2026-05-06 11:03:36.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.2/readme.txt	2026-05-06 11:03:36.000000000 +0000
@@ -3,7 +3,7 @@
 Tags: broadstreet,local,publishers,hyperlocal,independent,news,business,directory
 Requires at least: 3.0
 Tested up to: 6.9
-Stable tag: 1.53.1
+Stable tag: 1.53.2
 
 Integrate Broadstreet adserving power into your site.
 
Only in /home/deploy/wp-safety.org/data/plugin-versions/broadstreet/1.53.2: trunk
```
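Review bot: the Broadstreet/Config.php hunk changes only the BROADSTREET_VERSION constant (1.53.1 to 1.53.2), so this diff does not contain the fix for get_sponsored_meta; none of the three files touched here (Config.php, broadstreet.php, readme.txt) holds an AJAX handler, a capability check or any key validation. Read together with the affected range of <= 1.52.2, the security change must have landed in 1.53.0 or 1.53.1, which means the diff for this entry should be generated against 1.52.2 (the last affected tag) rather than 1.53.1, and the source_links "vulnerable version" of 1.53.1 should be corrected to agree with the affected range.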
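Review bot: the readme.txt hunk bumps only the Stable tag, and no other hunk in the visible diff adds a changelog entry naming the security fix, so a site owner comparing 1.53.1 and 1.53.2 gets no indication from the package that 1.53.2 is the release to install for CVE-2026-1881. A changelog line stating which release closed the get_sponsored_meta authorization issue would make the patched_in_version claim verifiable from the plugin itself.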
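Section 3 of the research plan labels the registration of `wp_ajax_get_sponsored_meta` as inferred. The following is an added example, not Broadstreet's code and not part of the original page, that resolves the callback actually registered for an admin-ajax action to its file and line using only generic WordPress and PHP reflection APIs, so the inference can be confirmed (and a `wp_ajax_nopriv_` twin ruled out) before any request is sent. The function name `bs_example_locate_ajax_handler` and the `wp eval-file` invocation are assumptions for illustration; the action name is the one from the advisory.

```php
<?php
// Added example (not Broadstreet's code): map an admin-ajax action to the callback(s)
// WordPress will run for it, with file and line, and report whether an unauthenticated
// wp_ajax_nopriv_ variant exists. Run inside a WordPress install, e.g.:
//   wp eval-file locate-ajax-handler.php

function bs_example_locate_ajax_handler( string $action ): array {
    $hook = 'wp_ajax_' . $action;
    $out  = array();

    // Hooks live in $wp_filter as WP_Hook objects; $callbacks is a public property keyed
    // by priority, each entry holding 'function' and 'accepted_args'.
    if ( empty( $GLOBALS['wp_filter'][ $hook ] ) ) {
        return $out; // nothing registered: the action is not reachable via admin-ajax.php
    }

    foreach ( $GLOBALS['wp_filter'][ $hook ]->callbacks as $priority => $entries ) {
        foreach ( $entries as $entry ) {
            $fn = $entry['function'];
            try {
                if ( is_array( $fn ) ) {                       // array( $object_or_class, 'method' )
                    $ref  = new ReflectionMethod( $fn[0], $fn[1] );
                    $name = ( is_object( $fn[0] ) ? get_class( $fn[0] ) : $fn[0] ) . '::' . $fn[1];
                } elseif ( is_string( $fn ) && strpos( $fn, '::' ) !== false ) { // 'Class::method'
                    list( $class, $method ) = explode( '::', $fn, 2 );
                    $ref  = new ReflectionMethod( $class, $method );
                    $name = $fn;
                } else {                                       // plain function or closure
                    $ref  = new ReflectionFunction( $fn );
                    $name = is_string( $fn ) ? $fn : '{closure}';
                }
                $out[] = array(
                    'priority' => $priority,
                    'callback' => $name,
                    'file'     => $ref->getFileName(),
                    'line'     => $ref->getStartLine(),
                );
            } catch ( ReflectionException $e ) {
                $out[] = array( 'priority' => $priority, 'callback' => 'unresolvable', 'error' => $e->getMessage() );
            }
        }
    }
    return $out;
}

// If a wp_ajax_nopriv_ twin is registered, the Subscriber requirement in the advisory is an
// overstatement and the endpoint is reachable without any account at all.
foreach ( array( 'wp_ajax_get_sponsored_meta', 'wp_ajax_nopriv_get_sponsored_meta' ) as $hook ) {
    printf( "%s: %s\n", $hook, isset( $GLOBALS['wp_filter'][ $hook ] ) ? 'registered' : 'not registered' );
}
print_r( bs_example_locate_ajax_handler( 'get_sponsored_meta' ) );
```

The file and line reported for the callback are where to read the real handler; if the resolved method does not read `$_POST['key']` into `get_post_meta()` as section 3 assumes, the plan's request body should be adjusted to the parameter names the handler actually uses.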
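Because the fix diff above carries only version bumps, the page never shows what a corrected `get_sponsored_meta` looks like. The following added example, which is not Broadstreet's code and not part of the original page, places the handler shape inferred in section 3 beside a hardened version. The function names, the nonce action string `broadstreet_nonce`, the nonce field name `nonce` and the allow-listed key names `bs_sponsor_name` / `bs_sponsor_url` are all assumptions for illustration; every WordPress function called is core API.

```php
<?php
// Added example (not Broadstreet's code): the inferred vulnerable handler and a hardened one.

// Vulnerable shape, as reconstructed in section 3 of the plan: no capability check, an
// attacker-chosen key, and get_post_meta(), which returns '_'-prefixed (protected) meta
// without consulting is_protected_meta().
function bs_example_get_sponsored_meta_vulnerable() {
    $post_id  = $_POST['post_id'];
    $meta_key = $_POST['key'];
    echo get_post_meta( $post_id, $meta_key, true );
    wp_die();
}

// Hardened shape.
function bs_example_get_sponsored_meta_hardened() {
    // 1. CSRF only: a nonce proves the request came from a page this user was served.
    //    It says nothing about whether the user may read this post's internals.
    check_ajax_referer( 'broadstreet_nonce', 'nonce' ); // action/field names are assumptions

    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // 2. Authorization: reading arbitrary meta is an editing concern, so gate on the
    //    edit_post meta capability for this specific post. Subscribers fail this on every post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allow-list: the handler only ever needs the sponsorship fields the plugin itself
    //    writes, so the client should not get to pick the key name freely at all.
    $allowed  = array( 'bs_sponsor_name', 'bs_sponsor_url' ); // assumed key names
    $meta_key = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';
    if ( ! in_array( $meta_key, $allowed, true ) ) {
        wp_send_json_error( 'key not permitted', 400 );
    }

    // 4. Defence in depth: refuse protected keys even if the allow-list is widened later.
    if ( is_protected_meta( $meta_key, 'post' ) ) {
        wp_send_json_error( 'protected key', 403 );
    }

    wp_send_json_success( get_post_meta( $post_id, $meta_key, true ) );
}

// Register only the authenticated hook; there is deliberately no wp_ajax_nopriv_ twin.
add_action( 'wp_ajax_bs_example_get_sponsored_meta', 'bs_example_get_sponsored_meta_hardened' );
```

The order of the checks matters for the advisory's threat model: the capability check (step 2) is what removes the Subscriber+ path entirely, while the allow-list and `is_protected_meta()` (steps 3 and 4) keep a higher-privileged caller from turning the same endpoint into a generic meta reader. Re-running the request from section 6 against the hardened handler should return a 403 JSON error for the Subscriber account and, for an editor, a 400 for `_secret_internal_key` rather than its value.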