[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEYzVJbpD-5i61y_u9bUgyXsbKcRS-2Fq4Gro_pyy46s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-32441","comments-import-export-missing-authorization","Comments Import & Export \u003C= 2.4.9 - Missing Authorization","The Comments Import & Export plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.4.9. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","comments-import-export-woocommerce",null,"\u003C=2.4.9","2.5.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-20 00:00:00","2026-03-27 19:20:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F14c5fd0c-0872-4b05-b28b-11353e9276d0?source=api-prod",8,[22,23,24,25,26,27,28],"changelog.txt","hf-comments-import-export.php","includes\u002Fclass-hf_cmt_impexpcsv-admin-screen.php","includes\u002Fsettings\u002Fclass-hf_cmt_impexpcsv-settings.php","includes\u002Fviews\u002Fhtml-hf-admin-screen.php","includes\u002Fviews\u002Fsettings\u002Fhtml-hf-settings-products.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-32441\n\n## 1. Vulnerability Summary\nThe **Comments Import & Export** plugin (up to 2.4.9) contains a missing authorization vulnerability where the administrative interface and its associated data processing functions are accessible to users with only **Subscriber-level** permissions. \n\nThe primary cause is the registration of the administrative menu in `includes\u002Fclass-hf_cmt_impexpcsv-admin-screen.php` using the `read` capability (via a filter), and the subsequent reliance on this low-privileged capability in authorization checks for exporting and potentially importing comments.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php` (for single exports) and `\u002Fwp-admin\u002Fadmin.php?page=hw_cmt_csv_im_ex` (for general access and bulk exports).\n- **Vulnerable Actions**:\n    - `wp_ajax_comment_export_to_csv_single` (AJAX action for single comment export).\n    - `admin_action_download_to_cmtiew_csv_hf` (Admin action for bulk export).\n    - Access to the plugin dashboard at `page=hw_cmt_csv_im_ex`.\n- **Payload Parameters**:\n    - `action`: `comment_export_to_csv_single`\n    - `comment_ID`: The ID of the comment to export.\n    - `_wpnonce`: Nonce for the `comments-import-export-woocommerce` action.\n- **Preconditions**: Attacker must be authenticated with at least Subscriber-level access.\n\n## 3. Code Flow\n1. **Menu Registration**: In `includes\u002Fclass-hf_cmt_impexpcsv-admin-screen.php`, the `admin_menu()` function registers the menu page:\n   ```php\n   $page = add_comments_page(..., apply_filters('product_reviews_csv_product_role', 'read'), 'hw_cmt_csv_im_ex', array($this, 'output'));\n   ```\n   The `read` capability is the default for Subscribers.\n2. **AJAX Handler Registration**: The constructor of `HW_Cmt_ImpExpCsv_Admin_Screen` registers:\n   ```php\n   add_action('wp_ajax_comment_export_to_csv_single', array($this, 'process_ajax_export_single_comment'));\n   ```\n3. **Weak Permission Check**: `process_ajax_export_single_comment()` performs the following check:\n   ```php\n   if (... || !HW_Product_Comments_Import_Export_CSV::hf_user_permission()) {\n       wp_die(esc_html__('You do not have sufficient permissions...', 'comments-import-export-woocommerce'));\n   }\n   ```\n   The `hf_user_permission()` function (inferred based on the `admin_menu` logic) likely evaluates `current_user_can(apply_filters('product_reviews_csv_product_role', 'read'))`, which passes for Subscribers.\n4. 
**Data Sink**: The function calls `HW_Cmt_ImpExpCsv_Exporter::do_export($comment_IDs)`, which generates and streams a CSV containing comment data (author, email, IP, content) to the requester.\n\n## 4. Nonce Acquisition Strategy\nThe `comment_export_to_csv_single` action requires a nonce with the action string `comments-import-export-woocommerce`. This nonce is embedded in the \"Comments\" list table in the WordPress admin dashboard, which Subscribers can access.\n\n1. **Identify Access**: Subscribers can view comments they've made or comments on their own posts. \n2. **Navigate**: Use the execution agent to navigate to `wp-admin\u002Fedit-comments.php`.\n3. **Extract Nonce**: The plugin adds a \"Download to CSV\" column. The link looks like:\n   `admin-ajax.php?action=comment_export_to_csv_single&comment_ID=123&_wpnonce=abc1234567`\n4. **JS Extraction**:\n   ```javascript\n   \u002F\u002F Use browser_eval to find the link and extract the nonce\n   Array.from(document.querySelectorAll('a')).find(a => a.href.includes('comment_export_to_csv_single')).href.split('_wpnonce=')[1]\n   ```\n\n## 5. Exploitation Strategy\n### Goal: Export sensitive comment data (including author IPs and emails) as a Subscriber.\n\n1.  **Preparation**: Ensure at least one comment exists in the system (ID `1`).\n2.  **Login**: Authenticate as a Subscriber user.\n3.  **Bypass Access Check**: Verify that `wp-admin\u002Fadmin.php?page=hw_cmt_csv_im_ex` loads successfully (200 OK).\n4.  **Obtain Nonce**:\n    - Navigate to `wp-admin\u002Fedit-comments.php`.\n    - Extract the nonce for `comments-import-export-woocommerce`.\n5.  **Trigger Export**:\n    - Use `http_request` to call the AJAX endpoint.\n    ```http\n    GET \u002Fwp-admin\u002Fadmin-ajax.php?action=comment_export_to_csv_single&comment_ID=1&_wpnonce=[NONCE] HTTP\u002F1.1\n    Host: localhost:8080\n    Cookie: [SUBSCRIBER_COOKIES]\n    ```\n6.  
**Verify Payload**: The response should have headers like `Content-Type: text\u002Fcsv` and contain the comment data.\n\n## 6. Test Data Setup\n1.  **Comments**: Ensure there is a comment with ID `1` (usually default in WP).\n2.  **User**: Create a user with the `subscriber` role.\n3.  **Post**: Create a post and ensure it has a comment so the `edit-comments.php` screen is populated for the Subscriber.\n\n## 7. Expected Results\n- A Subscriber can successfully access the plugin's restricted menu page.\n- A Subscriber can successfully trigger a single comment export.\n- The exported CSV contains sensitive fields such as `comment_author_email` and `comment_author_IP`.\n\n## 8. Verification Steps\n1.  **Check HTTP Status**: Ensure the request to the AJAX endpoint returns `200 OK` rather than `403 Forbidden`.\n2.  **Inspect Content**: Verify the response body starts with CSV headers like `\"comment_ID\",\"comment_post_ID\",...`.\n3.  **CLI Verification**: Use `wp comment list` to verify the data received matches the database.\n\n## 9. Alternative Approaches\nIf the single comment export nonce is hard to find, try the **Bulk Export** action:\n1.  Navigate to `wp-admin\u002Fedit-comments.php`.\n2.  Select a comment checkbox.\n3.  The bulk action dropdown will contain \"Download to CSV\".\n4.  Submitting this form triggers `admin.php?action=download_to_cmtiew_csv_hf`.\n5.  Check if this action validates the `manage_options` capability (it likely only checks the weak `read` capability).","The Comments Import & Export plugin for WordPress fails to properly restrict access to its administrative interface and export functions. 
Authenticated attackers with Subscriber-level permissions can access the plugin's dashboard and trigger data exports that expose sensitive information, such as comment author IP addresses and email addresses, due to the use of the 'read' capability for authorization.","\u002F\u002F includes\u002Fclass-hf_cmt_impexpcsv-admin-screen.php lines 69-74\n    public function admin_menu() {\n       \n            $page = add_comments_page(esc_html__('Comments Im-Ex', 'comments-import-export-woocommerce'), __('Comments Im-Ex', 'comments-import-export-woocommerce'), apply_filters('product_reviews_csv_product_role', 'read'), 'hw_cmt_csv_im_ex', array($this, 'output'));\n       \n    }\n\n---\n\n\u002F\u002F includes\u002Fclass-hf_cmt_impexpcsv-admin-screen.php lines 45-50\n    public function process_ajax_export_single_comment() {\n        \n        $nonce = isset($_GET['_wpnonce']) ? sanitize_text_field(wp_unslash($_GET['_wpnonce'])) : '';\n        if (!empty($nonce) && !wp_verify_nonce($nonce,'comments-import-export-woocommerce') || !HW_Product_Comments_Import_Export_CSV::hf_user_permission()) {\n            wp_die(esc_html__('You do not have sufficient permissions to access this page.', 'comments-import-export-woocommerce'));\n        }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomments-import-export-woocommerce\u002F2.4.9\u002Fincludes\u002Fclass-hf_cmt_impexpcsv-admin-screen.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomments-import-export-woocommerce\u002F2.5.0\u002Fincludes\u002Fclass-hf_cmt_impexpcsv-admin-screen.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomments-import-export-woocommerce\u002F2.4.9\u002Fincludes\u002Fclass-hf_cmt_impexpcsv-admin-screen.php\t2026-02-17 11:58:52.000000000 +0000\n+++ 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomments-import-export-woocommerce\u002F2.5.0\u002Fincludes\u002Fclass-hf_cmt_impexpcsv-admin-screen.php\t2026-02-19 17:04:42.000000000 +0000\n@@ -69,9 +69,14 @@\n      * Admin Menu\n      *\u002F\n     public function admin_menu() {\n-       \n-            $page = add_comments_page(esc_html__('Comments Im-Ex', 'comments-import-export-woocommerce'), __('Comments Im-Ex', 'comments-import-export-woocommerce'), apply_filters('product_reviews_csv_product_role', 'read'), 'hw_cmt_csv_im_ex', array($this, 'output'));\n-       \n+        \u002F\u002F Restrict menu visibility to roles that can edit content by default.\n+        $page = add_comments_page(\n+            esc_html__('Comments Im-Ex', 'comments-import-export-woocommerce'),\n+            __('Comments Im-Ex', 'comments-import-export-woocommerce'),\n+            apply_filters('product_reviews_csv_product_role', 'edit_posts'),\n+            'hw_cmt_csv_im_ex',\n+            array($this, 'output')\n+        );\n     }\n \n     \u002F**\n@@ -122,6 +127,10 @@\n \t * Admin Screen output\n \t *\u002F\n \tpublic function output() {\n+        \u002F\u002F Prevent direct access to the admin screen by low-privileged users.\n+        if (!HW_Product_Comments_Import_Export_CSV::hf_user_permission()) {\n+            wp_die(esc_html__('You do not have sufficient permissions to access this page.', 'comments-import-export-woocommerce'));\n+        }\n \n \t\t$tab = 'import';\n         \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verification not needed.\n@@ -136,6 +145,13 @@\n \t\t\t}\n \t\t}\n \n+        $can_view_settings = current_user_can('manage_options');\n+\n+        \u002F\u002F Settings include credentials; require admin capability.\n+        if ('settings' === $tab && !$can_view_settings) {\n+            wp_die(esc_html__('You do not have sufficient permissions to access this page.', 
'comments-import-export-woocommerce'));\n+        }\n+\n \t\tinclude( 'views\u002Fhtml-hf-admin-screen.php' );\n \t}\n \n@@ -217,6 +233,9 @@\n      * Admin Page for settings\n      *\u002F\n     public function admin_settings_page() {\n+        if (!current_user_can('manage_options')) {\n+            wp_die(esc_html__('You do not have sufficient permissions to access this page.', 'comments-import-export-woocommerce'));\n+        }\n         include( 'views\u002Fsettings\u002Fhtml-hf-settings-products.php' );\n     }","The attacker first authenticates as a user with Subscriber-level privileges. Since the plugin registers its admin menu with the 'read' capability, the attacker can navigate directly to the plugin's dashboard at \u002Fwp-admin\u002Fadmin.php?page=hw_cmt_csv_im_ex. To export data, the attacker must obtain a valid security nonce for the 'comments-import-export-woocommerce' action, which is typically exposed in the WordPress admin's comment list page (\u002Fwp-admin\u002Fedit-comments.php) where the plugin injects 'Download to CSV' links. With this nonce and a target comment ID, the attacker sends a GET request to \u002Fwp-admin\u002Fadmin-ajax.php?action=comment_export_to_csv_single&comment_ID=[ID]&_wpnonce=[NONCE]. 
The server processes this request because the authorization check erroneously permits any user with 'read' permissions, returning a CSV file containing sensitive metadata for the specified comment.","gemini-3-flash-preview","2026-04-18 02:06:58","2026-04-18 02:07:48",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.4.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomments-import-export-woocommerce\u002Ftags\u002F2.4.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcomments-import-export-woocommerce.2.4.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomments-import-export-woocommerce\u002Ftags\u002F2.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcomments-import-export-woocommerce.2.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomments-import-export-woocommerce\u002Ftags"]