[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3A2pX0os4s0ChrimtPktMohu7CJZz8Vd6sMtOFrMl-g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-24525","clp-varnish-cache-missing-authorization","CLP Varnish Cache \u003C= 1.0.2 - Missing Authorization","The CLP Varnish Cache plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.","clp-varnish-cache",null,"\u003C=1.0.2","1.0.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-26 00:00:00","2026-02-17 15:21:14",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9edd869c-c1b2-4d56-92c1-bdf76b01a5ce?source=api-prod",23,[],"researched",false,3,"This research plan focuses on identifying and exploiting a missing authorization vulnerability in the **CLP Varnish Cache** plugin (\u003C= 1.0.2). The vulnerability allows unauthenticated attackers to trigger cache purging, which is an administrative action.\n\n---\n\n### 1. Vulnerability Summary\n*   **ID:** CVE-2026-24525\n*   **Plugin:** CLP Varnish Cache (slug: `clp-varnish-cache`)\n*   **Vulnerable Version:** \u003C= 1.0.2\n*   **Vulnerability Type:** Missing Authorization\n*   **Description:** The plugin registers a function responsible for purging the Varnish cache via WordPress hooks (likely AJAX or `admin_init`). This function fails to implement `current_user_can()` checks, and either intentionally or accidentally permits unauthenticated access (via `wp_ajax_nopriv_` or by using a hook that fires for all users).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (most likely) or `\u002Fwp-admin\u002Fadmin-post.php`.\n*   **Action Name:** Likely `clp_varnish_purge_all` or `clp_purge_cache` (inferred from plugin name).\n*   **Parameters:** `action=clp_varnish_purge_all` (POST\u002FGET).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active and configured with a Varnish server (though the purge command will likely be attempted regardless of successful connection).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX action in the main plugin file or an includes file:\n    `add_action( 'wp_ajax_nopriv_clp_varnish_purge_all', 'clp_varnish_purge_all_callback' );`\n2.  **Vulnerable Function:** The callback (e.g., `clp_varnish_purge_all_callback`) is executed.\n3.  **Missing Check:** The function performs logic (e.g., sending a `PURGE` request to a local Varnish instance or calling a system command) without verifying the requester's capabilities via `current_user_can( 'manage_options' )`.\n4.  **Sink:** The cache is purged or a purge command is sent.\n\n### 4. Nonce Acquisition Strategy\nIf the plugin implements a nonce check (`check_ajax_referer`) but fails the authorization check, the nonce must be retrieved.\n\n1.  **Search for Nonce Registration:**\n    Identify where the nonce is created and localized using:\n    `grep -rn \"wp_create_nonce\" .`\n2.  **Identify Localization Key:**\n    Look for `wp_localize_script` calls. For example:\n    `wp_localize_script( 'clp-js', 'clp_obj', array( 'nonce' => wp_create_nonce('clp_purge_nonce') ) );`\n3.  **Trigger Script Loading:**\n    Identify if the script loads only on specific pages (e.g., the plugin settings page).\n4.  **Extraction:**\n    - If the nonce is exposed on the frontend, navigate to the site.\n    - If it's only in the admin, and the vulnerability is unauthenticated, the nonce might be missing entirely or the check might be flawed.\n    - **Note:** If `check_ajax_referer` is present, it usually requires a nonce. If the vulnerability is truly unauthenticated, the nonce check is likely absent or the action is registered via `wp_ajax_nopriv_` with a publicly accessible nonce.\n\n### 5. Exploitation Strategy\nThe agent should follow these steps:\n\n**Step 1: Discovery**\nSearch the plugin files for the vulnerable action:\n```bash\ngrep -rn \"wp_ajax_nopriv\" wp-content\u002Fplugins\u002Fclp-varnish-cache\u002F\ngrep -rn \"admin_init\" wp-content\u002Fplugins\u002Fclp-varnish-cache\u002F\n```\nIdentify the callback function and check for `current_user_can`.\n\n**Step 2: Identifying the Purge Action**\nExamine the callback function. Note the action name (e.g., `clp_varnish_purge_all`) and any required parameters or nonces.\n\n**Step 3: Constructing the Payload**\nIf the action is `clp_varnish_purge_all` and no nonce is required:\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body (URL Encoded):** `action=clp_varnish_purge_all`\n\n**Step 4: Execution**\nUse the `http_request` tool to send the purge request.\n\n### 6. Test Data Setup\n1.  Install the `clp-varnish-cache` plugin version 1.0.2.\n2.  Activate the plugin.\n3.  (Optional) Configure a dummy Varnish IP in the plugin settings to ensure the code path for purging is fully executed.\n\n### 7. Expected Results\n*   **Response Code:** `200 OK` (WordPress AJAX typically returns 200 even on logical failure).\n*   **Response Body:** Likely a JSON response like `{\"success\":true}` or a string like `1` or `Cache Purged`.\n*   **Behavior:** The plugin logic that connects to Varnish and sends a `PURGE` or `BAN` request is triggered.\n\n### 8. Verification Steps\n1.  **Check Output:** Inspect the HTTP response body from the `http_request` tool.\n2.  **Verify via Logs:** If possible, check the WordPress debug log (`wp-content\u002Fdebug.log`) for messages indicating the purge function was executed.\n3.  **Code Analysis Verification:**\n    Confirm the function name and lack of capability check:\n    `cat wp-content\u002Fplugins\u002Fclp-varnish-cache\u002F\u003Cfound_file>.php`\n    Verify that `current_user_can` is absent from the identified function.\n\n### 9. Alternative Approaches\n*   **GET Request:** Some plugins handle actions via `$_GET`. Try:\n    `GET \u002Fwp-admin\u002Fadmin-ajax.php?action=clp_varnish_purge_all`\n*   **Direct Hook:** If the action is in `admin_init`, any request to a file in `\u002Fwp-admin\u002F` (like `admin-ajax.php` or `admin-post.php`) will trigger it if the correct parameters are passed.\n*   **Parameter variations:** Check for parameters like `purge_all=1` or `clp_purge=true` that might be checked within an `init` or `admin_init` hook.","The CLP Varnish Cache plugin for WordPress is vulnerable to unauthorized cache purging in versions up to 1.0.2. This occurs because the plugin registers an AJAX action for purging the cache without implementing capability checks or nonce verification, allowing unauthenticated attackers to trigger the operation.","1. Identify the AJAX action name (likely `clp_varnish_purge_all`) registered by the plugin.\n2. Construct a POST or GET request to the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint.\n3. Include the `action` parameter set to the identified purge function name.\n4. Send the request without any authentication headers or WordPress nonces. \n5. The server will execute the cache purge logic, typically indicated by a '1' or a success message in the response body.","gemini-3-flash-preview","2026-05-05 00:05:52","2026-05-05 00:06:57",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","1.0.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclp-varnish-cache\u002Ftags\u002F1.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclp-varnish-cache.1.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclp-varnish-cache\u002Ftags\u002F1.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclp-varnish-cache.1.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclp-varnish-cache\u002Ftags"]