[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPTNtFGX9jCfapG8GHabc8YLueCNW95y2XDkektq2Xfc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":9,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":35},"CVE-2025-9988","broadstreet-missing-authorization-to-authenticated-subscriber-advertiser-creation","Broadstreet \u003C= 1.53.1 - Missing Authorization to Authenticated (Subscriber+) Advertiser Creation","The Broadstreet plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the create_advertiser AJAX action in all versions up to, and including, 1.53.1. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to create advertisers.","broadstreet",null,"\u003C=1.53.1","1.53.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Improper Authorization","2026-05-12 15:43:29","2026-05-13 04:26:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F480ab377-b979-4e1c-9c7a-cf63d69ad697?source=api-prod",1,[22,23,24],"Broadstreet\u002FConfig.php","broadstreet.php","readme.txt","researched",false,3,"This research plan focuses on exploiting CVE-2025-9988, a missing authorization vulnerability in the Broadstreet plugin for WordPress.\n\n## 1. Vulnerability Summary\nThe Broadstreet plugin (up to version 1.53.1) fails to perform capability checks on its `create_advertiser` AJAX action. While intended for administrative use, the registration of the `wp_ajax_create_advertiser` hook without a `current_user_can()` check allows any authenticated user (starting from the Subscriber role) to trigger the advertiser creation logic.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `create_advertiser` (Inferred from title)\n- **HTTP Method:** `POST`\n- **Authentication:** Required (Subscriber role or higher)\n- **Vulnerable Hook:** `wp_ajax_create_advertiser`\n- **Preconditions:** The plugin must be active. The attacker must have a valid session cookie for a Subscriber-level account.\n\n## 3. Code Flow (Inferred)\n1. **Initialization:** In `broadstreet.php`, `Broadstreet_Core` is instantiated and `execute()` is called.\n2. **Registration:** Inside `Broadstreet\u002FCore.php` (file not provided, but inferred from standard WP patterns), a call exists: `add_action('wp_ajax_create_advertiser', array($this, 'create_advertiser_handler'))`.\n3. 
**Missing Check:** The `create_advertiser_handler` function likely lacks a `current_user_can('manage_options')` or similar check.\n4. **Execution:** The handler processes `$_POST` parameters to create a new advertiser record, potentially interacting with the Broadstreet API or local database.\n\n## 4. Nonce Acquisition Strategy\nBroadstreet typically localizes its settings for the admin dashboard. Since this is a `wp_ajax_` action (authenticated), a nonce is likely required by `check_ajax_referer()`.\n\n1. **Shortcode\u002FPage Check:** Broadstreet scripts are usually loaded on the Broadstreet settings page. \n2. **Action:** Create a Subscriber user and navigate to the WordPress dashboard.\n3. **Detection:** Search for the Broadstreet localization object in the DOM.\n4. **JavaScript Variable:** Look for `window.broadstreet_data` or similar.\n5. **Execution Command:**\n   ```javascript\n   \u002F\u002F Inferred based on typical Broadstreet naming conventions\n   browser_eval(\"window.broadstreet_data?.nonce || window.bs_admin_data?.nonce\")\n   ```\n\n*Note: If `grep` reveals that the handler does not call `check_ajax_referer` or `wp_verify_nonce`, this step can be skipped.*\n\n## 5. Exploitation Strategy\nThe goal is to successfully call the `create_advertiser` action as a Subscriber to create a dummy advertiser.\n\n**Step 1: Identify Parameters**\nSearch the codebase to find the expected POST parameters for the `create_advertiser` action:\n`grep -r \"function create_advertiser\" Broadstreet\u002F`\n\n**Step 2: Perform the Request**\nUsing the `http_request` tool:\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=create_advertiser&name=HackedAdvertiser&email=attacker@example.com&nonce=[EXTRACTED_NONCE]\n  ```\n\n## 6. Test Data Setup\n1. 
**Target Plugin:** Ensure `broadstreet` version 1.53.1 is installed and active.\n2. **Attacker User:**\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n   ```\n3. **Configuration:** The plugin may require an API key to function. Check `Broadstreet_Config::get()` usage. If an API key is required for the code path to reach the \"creation\" logic, it may need to be set:\n   ```bash\n   # Option name and JSON shape are inferred, not confirmed from the plugin source\n   wp option update broadstreet_settings '{\"access_token\":\"dummy_token\"}'\n   ```\n\n## 7. Expected Results\n- **Response Code:** 200 OK.\n- **Response Body:** A JSON object or string indicating success, e.g., `{\"success\": true, \"id\": ...}` or a raw ID.\n- **Side Effect:** A new advertiser entry is created in the system.\n\n## 8. Verification Steps\n1. **Database Check:** Check if the advertiser was created.\n   ```bash\n   # Search for the name used in the payload\n   wp db query \"SELECT * FROM wp_options WHERE option_name LIKE '%broadstreet%'\"\n   # OR, if it uses a custom table (inferred):\n   wp db query \"SELECT * FROM wp_broadstreet_advertisers\"\n   ```\n2. **Log Check:** If the plugin logs actions (see `Broadstreet_Config::setConfig` logs), check the log directory defined in `Config.php`:\n   ```bash\n   ls wp-content\u002Fplugins\u002Fbroadstreet\u002FBroadstreet\u002FLogs\u002F\n   ```\n\n## 9. Alternative Approaches\nIf the `create_advertiser` action requires a valid API connection to the Broadstreet server, the exploit might return an error even if the authorization bypass is successful. In this case:\n1. **Intercept Errors:** Look for \"Unauthorized\" (403) vs \"API Error\" (500\u002F200 with error message). A \"Subscriber\" receiving an \"API Error\" instead of \"Unauthorized\" confirms the missing capability check.\n2. 
**Check other actions:** Search for other `wp_ajax_` actions registered in `Core.php` that lack capability checks, such as `get_advertisers` or `update_settings`.","The Broadstreet plugin for WordPress is vulnerable to unauthorized advertiser creation because it lacks a capability check on the `create_advertiser` AJAX action in versions up to 1.53.1. This allows authenticated attackers with Subscriber-level access or higher to create new advertisers by sending a crafted request to the site's AJAX endpoint.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.1\u002FBroadstreet\u002FConfig.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.2\u002FBroadstreet\u002FConfig.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.1\u002FBroadstreet\u002FConfig.php\t2026-05-06 11:03:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.2\u002FBroadstreet\u002FConfig.php\t2026-05-06 11:03:36.000000000 +0000\n@@ -140,4 +140,4 @@\n     }\n }\n \n-define('BROADSTREET_VERSION', '1.53.1');\n+define('BROADSTREET_VERSION', '1.53.2');\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.1\u002Fbroadstreet.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.2\u002Fbroadstreet.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.1\u002Fbroadstreet.php\t2026-05-06 11:03:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.2\u002Fbroadstreet.php\t2026-05-06 11:03:36.000000000 +0000\n@@ -3,7 +3,7 @@\n Plugin Name: Broadstreet\n Plugin URI: http:\u002F\u002Fbroadstreetads.com\n Description: Integrate Broadstreet business 
directory and adserving power into your site\n-Version: 1.53.1\n+Version: 1.53.2\n Tested up to: 6.9\n Author: Broadstreet\n Author URI: http:\u002F\u002Fbroadstreetads.com\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.1\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.2\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.1\u002Freadme.txt\t2026-05-06 11:03:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.2\u002Freadme.txt\t2026-05-06 11:03:36.000000000 +0000\n@@ -3,7 +3,7 @@\n Tags: broadstreet,local,publishers,hyperlocal,independent,news,business,directory\n Requires at least: 3.0\n Tested up to: 6.9\n-Stable tag: 1.53.1\n+Stable tag: 1.53.2\n \n Integrate Broadstreet adserving power into your site.","1. Authenticate to the WordPress site as a user with at least Subscriber-level privileges.\n2. Obtain the required AJAX nonce from the WordPress dashboard, typically found within the `window.broadstreet_data` or similar localized JavaScript objects.\n3. Construct a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the parameter `action` set to `create_advertiser`.\n4. Include desired advertiser details (such as `name` and `email`) and the extracted nonce in the request body.\n5. 
Send the request; the server will process the creation logic because it lacks a `current_user_can()` capability check to ensure only administrators can perform this action.","gemini-3-flash-preview","2026-05-14 17:58:46","2026-05-14 17:59:38",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.53.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbroadstreet\u002Ftags\u002F1.53.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbroadstreet.1.53.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbroadstreet\u002Ftags\u002F1.53.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbroadstreet.1.53.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbroadstreet\u002Ftags"]
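Review bot: none of the three hunks in the recorded fix diff changes anything except a version string (the `BROADSTREET_VERSION` define in `Broadstreet/Config.php`, the `Version:` header in `broadstreet.php`, and `Stable tag:` in `readme.txt`), so the capability check that the description says was missing from the `create_advertiser` AJAX action is not visible in this patch. The diff should also cover the file that registers and handles that action, showing the added authorization check; until it does, the 1.53.2 fix is not evidenced by these hunks, and the handler names and code flow in the research plan remain inferred rather than confirmed.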