[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWdHcn1A4dUwy_MKbOOZ_0CX0gStksA-XeAr4iYcmPGM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-6400","child-height-predictor-by-ostheimer-cross-site-request-forgery-to-settings-update-via-plugin-settings-form","Child Height Predictor by Ostheimer \u003C= 1.3 - Cross-Site Request Forgery to Settings Update via Plugin Settings Form","The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the options() function, which handles plugin settings updates. The form template does not include a wp_nonce_field() call, and the handler never calls check_admin_referer() or wp_verify_nonce(). This makes it possible for unauthenticated attackers to trick a site administrator into clicking a link or visiting a malicious page that submits a forged POST request, causing unauthorized changes to the plugin settings such as unit preferences to be persisted to the database via update_option().","child-height-predictor",null,"\u003C=1.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-19 12:04:31","2026-05-20 01:25:55",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdc1681a8-5f2e-45f1-96d9-797b13644607?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-6400 (Child Height Predictor by Ostheimer)\n\n## 1. Vulnerability Summary\nCVE-2026-6400 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the **Child Height Predictor by Ostheimer** plugin (versions \u003C= 1.3). The vulnerability exists within the `options()` function, which serves as the callback for the plugin's settings page. The function processes configuration updates (persisted via `update_option()`) without performing any nonce verification. This allows an unauthenticated attacker to forge a request that, if executed by a logged-in administrator, modifies the plugin's settings.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoint:** `\u002Fwp-admin\u002Foptions-general.php?page=child-height-predictor` (inferred from plugin slug).\n- **HTTP Method:** `POST`\n- **Authentication Level:** Requires an active session of a user with `manage_options` capability (typically an Administrator).\n- **Vulnerable Function:** `options()`\n- **Impact:** Persisted modification of plugin settings (e.g., unit preferences, display options).\n\n## 3. Code Flow\n1. The plugin registers a settings page using `add_options_page()` or `add_menu_page()`, assigning the function `options()` as the display and processing callback.\n2. When the administrator visits the settings page or submits the form, the `options()` function is executed.\n3. Inside `options()`, the code likely checks for the presence of a submit parameter: `if ( isset( $_POST['submit'] ) )` (inferred).\n4. Upon finding the submit parameter, the function iterates through expected `$_POST` keys and updates WordPress options using `update_option()`.\n5. **Critical Failure:** The function fails to include a `wp_nonce_field()` in the HTML form and neglects to call `check_admin_referer()` or `wp_verify_nonce()` before processing the `update_option()` calls.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required.**\nThe vulnerability report explicitly states that the `options()` function lacks nonce verification and the form template does not include a `wp_nonce_field()`. Therefore, the request can be forged without any CSRF tokens.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that plugin settings can be changed via an unauthenticated POST request (simulating a CSRF attack).\n\n### Step 1: Discover Setting Parameters\nSince exact parameter names are not provided in the CVE, the agent must first identify them:\n1. Log in as an Administrator.\n2. Navigate to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions-general.php?page=child-height-predictor`.\n3. Execute `browser_eval` to extract the names of the input fields:\n ```javascript\n Array.from(document.querySelectorAll('form input, form select')).map(el => el.name)\n ```\n\n### Step 2: Forge the Settings Update Request\nOnce the parameter names (e.g., `chp_unit`, `chp_precision` — inferred) and the submit button name are known, use the `http_request` tool to perform the update.\n\n**Example Payload (Inferred):**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions-general.php?page=child-height-predictor`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `chp_unit=cm&chp_precision=2&submit=Save+Changes` (Parameter names must be verified in Step 1).\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure `child-height-predictor` version 1.3 is installed and activated.\n2. **Shortcode Page:** Create a page containing the plugin's shortcode to ensure settings are active:\n `wp post create --post_type=page --post_status=publish --post_content='[child_height_predictor]'` (Shortcode name inferred).\n3. **Current State:** Record current settings using `wp option get \u003Coption_name>` once parameter names are identified.\n\n## 7. Expected Results\n- The `http_request` should return a `200 OK` (if the handler renders the page) or a `302 Redirect`.\n- The response should NOT contain a \"link you followed has expired\" error (which would indicate a nonce check).\n- The targeted WordPress options in the database should reflect the values sent in the forged POST request.\n\n## 8. Verification Steps\nAfter sending the `http_request`, verify the change using WP-CLI:\n1. Identify the options modified by the plugin: `wp option list --search=\"*chp*\"` (inferred prefix).\n2. Check the specific value: `wp option get \u003Cidentified_option_name>`.\n3. Confirm the value matches the payload sent in the exploitation step.\n\n## 9. Alternative Approaches\nIf the settings page submits to `options.php` (standard Settings API) instead of its own URL:\n- Check if `register_setting()` was used without a proper `sanitize_callback` or if the plugin manually processes `admin-post.php` hooks.\n- If it uses `admin-post.php`, the target URL would be `\u002Fwp-admin\u002Fadmin-post.php` with an `action` parameter matching the hook name registered by the plugin.","The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because it lacks nonce verification in its options() settings handler. This allows an unauthenticated attacker to change plugin settings, such as unit preferences, by tricking a logged-in administrator into submitting a forged POST request.","\u002F* In child-height-predictor.php - inferred function structure based on research plan *\u002F\n\nfunction options() {\n if (isset($_POST['submit'])) {\n \u002F\u002F Vulnerable: Missing check_admin_referer() or wp_verify_nonce()\n update_option('chp_unit', $_POST['chp_unit']);\n update_option('chp_precision', $_POST['chp_precision']);\n echo '\u003Cdiv class=\"updated\">\u003Cp>Settings saved.\u003C\u002Fp>\u003C\u002Fdiv>';\n }\n\n ?>\n \u003Cform method=\"post\" action=\"\">\n \u003C!-- Vulnerable: Missing wp_nonce_field() -->\n \u003Cinput type=\"text\" name=\"chp_unit\" value=\"\u003C?php echo esc_attr(get_option('chp_unit')); ?>\">\n \u003Cinput type=\"submit\" name=\"submit\" value=\"Save Changes\">\n \u003C\u002Fform>\n \u003C?php\n}","--- a\u002Fchild-height-predictor.php\n+++ b\u002Fchild-height-predictor.php\n@@ -1,7 +1,8 @@\n function options() {\n- if (isset($_POST['submit'])) {\n+ if (isset($_POST['submit'])) {\n+ check_admin_referer('chp_save_settings', 'chp_nonce');\n update_option('chp_unit', $_POST['chp_unit']);\n update_option('chp_precision', $_POST['chp_precision']);\n echo '\u003Cdiv class=\"updated\">\u003Cp>Settings saved.\u003C\u002Fp>\u003C\u002Fdiv>';\n }\n \n ?>\n \u003Cform method=\"post\" action=\"\">\n+ \u003C?php wp_nonce_field('chp_save_settings', 'chp_nonce'); ?>\n \u003Cinput type=\"text\" name=\"chp_unit\" value=\"\u003C?php echo esc_attr(get_option('chp_unit')); ?>\">\n \u003Cinput type=\"submit\" name=\"submit\" value=\"Save Changes\">\n \u003C\u002Fform>","The exploit targets the settings update logic which is executed upon page load of the plugin settings menu. \n\n1. Target Endpoint: \u002Fwp-admin\u002Foptions-general.php?page=child-height-predictor\n2. Method: POST\n3. Authentication: The attacker needs to induce a logged-in administrator (with manage_options capabilities) to visit a malicious website or click a link that automatically triggers the POST request.\n4. Payload Shape: The POST request must include the 'submit' parameter along with the settings keys the attacker wishes to modify (e.g., chp_unit=custom_value&submit=Save+Changes). Because there is no nonce check, the request will be processed by the server as a legitimate settings update.","gemini-3-flash-preview","2026-05-20 17:02:11","2026-05-20 17:02:48",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fchild-height-predictor\u002Ftags"]