[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fq7uksyRViNJKFYOYSYwRpj40ucojPEQ8GNh0civb4m8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-42411","cloudsecure-wp-security-two-factor-authentication-bypass","CloudSecure WP Security \u003C= 1.4.7 - Two-Factor Authentication Bypass","The CloudSecure WP Security plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in all versions up to, and including, 1.4.7. This makes it possible for unauthenticated attackers to bypass two-factor authentication.","cloudsecure-wp-security",null,"\u003C=1.4.7","1.4.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authentication Bypass by Alternate Name","2026-05-28 00:00:00","2026-06-02 11:29:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Faf01cba6-40df-4eb9-beec-4716909a671b?source=api-prod",5,[22,23,24,25,26,27,28,29],"cloudsecure-wp.php","modules\u002Fadmin\u002Ftwo-factor-authentication.php","modules\u002Fcli\u002FREADME.md","modules\u002Fcli\u002Fcommands\u002Fclass-cloudsecure-wp-cli-enable.php","modules\u002Fcloudsecure-wp.php","modules\u002Fdisable-login.php","modules\u002Fdisable-restapi.php","modules\u002Flogin-log.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-42411 (CloudSecure WP Security)\n\n## 1. Vulnerability Summary\nThe **CloudSecure WP Security** plugin (up to 1.4.7) is vulnerable to a **Two-Factor Authentication (2FA) Bypass** due to an \"Authentication Bypass by Alternate Name\" flaw. In WordPress contexts, this typically occurs when a security plugin performs a case-sensitive check on the username to determine if 2FA should be enforced, while the WordPress core authentication mechanism is case-insensitive. \n\nAn attacker who has obtained a user's password can bypass the 2FA requirement by logging in with a variation of the username (e.g., using different casing or the user's email address) that does not match the plugin's internal 2FA-enabled user list but is still accepted by WordPress core as a valid identifier for the target account.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-login.php` (Standard WordPress login).\n- **Attack Type:** Logic Bypass \u002F Case Sensitivity Manipulation.\n- **Authentication Required:** None (unauthenticated attacker with a known password).\n- **Vulnerable Parameter:** `log` (the username\u002Femail field).\n- **Preconditions:** \n    - The target user must have 2FA enabled within the CloudSecure WP settings.\n    - The attacker must have the target user's password.\n\n## 3. Code Flow\nThe vulnerability likely resides in `modules\u002Ftwo-factor-authentication.php` (referenced in `modules\u002Fcloudsecure-wp.php`).\n\n1. **Initialization:** `CloudSecureWP` (in `modules\u002Fcloudsecure-wp.php`) instantiates `CloudSecureWP_Two_Factor_Authentication`.\n2. **Hook:** The 2FA module likely hooks into `wp_login` or `authenticate`.\n3. **Logic Gap:** \n    - When a user logs in, the plugin retrieves the username from the request (`$_POST['log']`).\n    - It checks if 2FA is active for that specific username string by querying its settings or a custom database table.\n    - If the lookup is case-sensitive (e.g., `isset($enabled_users['admin'])`), providing an alternate name like `Admin` returns `false`.\n4. **Bypass:** The plugin permits the login to proceed without redirecting to the 2FA verification screen.\n5. **Core Success:** WordPress core receives `Admin`, finds the user `admin`, and completes the authentication.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability exploits the **primary login flow**, which does not require a WordPress nonce for the initial `wp-login.php` POST request. No nonce acquisition is required for the exploit.\n\n## 5. Exploitation Strategy\n\n### Step 1: Baseline Verification\nAttempt a normal login with the correct casing to confirm 2FA is active.\n- **Request:** `POST \u002Fwp-login.php`\n- **Body:** `log=admin&pwd=Password123!&wp-submit=Log+In`\n- **Expected Response:** Redirect to a 2FA prompt or a 200 OK with a 2FA input field.\n\n### Step 2: Exploitation via Alternate Name (Casing)\nAttempt login using an alternate casing for the username.\n- **Request:** `POST \u002Fwp-login.php`\n- **Body:** `log=AdMiN&pwd=Password123!&wp-submit=Log+In`\n- **Expected Response:** A `302 Found` redirect directly to `\u002Fwp-admin\u002F`, setting authentication cookies and skipping the 2FA screen.\n\n### Step 3: Exploitation via Alternate Name (Email)\nAttempt login using the user's email address (if known).\n- **Request:** `POST \u002Fwp-login.php`\n- **Body:** `log=admin@example.com&pwd=Password123!&wp-submit=Log+In`\n- **Expected Response:** Redirect to `\u002Fwp-admin\u002F`, skipping 2FA.\n\n## 6. Test Data Setup\nTo verify this in an automated environment:\n\n1. **Create User:**\n   ```bash\n   wp user create victim victim@example.com --role=administrator --user_pass=password123\n   ```\n2. **Enable 2FA Globally:**\n   The plugin's CLI can be used to enable the feature:\n   ```bash\n   wp cldsec-wp-security enable two-factor-authentication --enabled_roles=administrator\n   ```\n3. **Register User for 2FA:**\n   Ensure the user `victim` is marked as registered. If the plugin uses user meta:\n   ```bash\n   # (Example meta key, adjust based on actual discovery)\n   wp usermeta update victim _cloudsecurewp_2fa_enabled 't'\n   ```\n   *Note: If the registration requires a TOTP secret, navigate to `admin.php?page=cloudsecurewp_two_factor_authentication_registration` as the victim to complete setup.*\n\n## 7. Expected Results\n- **Failure Condition (Secured):** Both `victim` and `VICTIM` logins lead to the 2FA verification page.\n- **Success Condition (Vulnerable):** `victim` prompts for 2FA, but `VICTIM` logs directly into the dashboard.\n\n## 8. Verification Steps\nAfter performing the HTTP POST request with the alternate name:\n1. **Check Cookies:** Ensure the response contains `wordpress_logged_in_...` cookies.\n2. **Check Redirect:** The `Location` header should point to `...\u002Fwp-admin\u002F` and NOT a 2FA-specific URL.\n3. **Validate Session:** Use the obtained cookies to request `wp-admin\u002Findex.php` and verify the content contains \"Dashboard\".\n   ```bash\n   # Using wp-cli to verify the user state\n   wp user get victim --field=user_login\n   ```\n\n## 9. Alternative Approaches\nIf case-insensitivity is handled but email login is not, focus on the email bypass. If neither works, check for **Parameter Pollution**:\n- **Payload:** `log=admin&log=nonexistent_user&pwd=password123`\n- If the plugin's 2FA check picks the *last* `log` parameter (empty\u002Finvalid) but WordPress core picks the *first*, 2FA may be skipped.\n\nIf the \"Alternate Name\" refers to the `wp_signon` logic, try providing the username via the `user_login` parameter instead of `log` (some plugins check one but not both).","gemini-3-flash-preview","2026-06-04 16:28:20","2026-06-04 16:29:46",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.4.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcloudsecure-wp-security\u002Ftags\u002F1.4.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcloudsecure-wp-security.1.4.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcloudsecure-wp-security\u002Ftags\u002F1.4.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcloudsecure-wp-security.1.4.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcloudsecure-wp-security\u002Ftags"]