[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frQkJbRqxhssHY93ZJHTV1zDC9BsXRsHC1m96Dafu3gw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-4019","complianz-gdprccpa-cookie-consent-missing-authorization-to-unauthenticated-private-post-content-disclosure-via-consent-a","Complianz – GDPR\u002FCCPA Cookie Consent \u003C= 7.4.5 - Missing Authorization to Unauthenticated Private Post Content Disclosure via Consent Area REST Endpoint","The Complianz – GDPR\u002FCCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5. This is due to the REST API endpoint at \u002Fwp-json\u002Fcomplianz\u002Fv1\u002Fconsent-area\u002F{post_id}\u002F{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz\u002Fconsent-area block found in it, without checking if the post is published or if the user has permission to read it. 
This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts.","complianz-gdpr",null,"\u003C=7.4.5","7.4.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-04-28 19:52:18","2026-04-29 08:27:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3892489e-6ff7-4664-bb06-b8edff6dd659?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin.css","assets\u002Fcss\u002Fadmin.min.css","assets\u002Fcss\u002Fadmin.scss","assets\u002Fcss\u002Fadmin\u002Fbase.scss","assets\u002Fcss\u002Fadmin\u002Flayout.scss","assets\u002Fcss\u002Fadmin\u002Fmodules\u002FCookieBannerPreview.scss","assets\u002Fcss\u002Fadmin\u002Fmodules\u002Fanimations.scss","assets\u002Fcss\u002Fadmin\u002Fmodules\u002Fbullets.scss","researched",false,3,"# Exploitation Research Plan: CVE-2026-4019 (Complianz Private Post Disclosure)\n\n## 1. Vulnerability Summary\nThe **Complianz – GDPR\u002FCCPA Cookie Consent** plugin (\u003C= 7.4.5) contains a missing authorization vulnerability in its REST API implementation. Specifically, the endpoint `\u002Fwp-json\u002Fcomplianz\u002Fv1\u002Fconsent-area\u002F{post_id}\u002F{block_id}` uses `__return_true` as its `permission_callback`, effectively allowing unauthenticated access. \n\nThe underlying function `cmplz_rest_consented_content()` retrieves a WordPress post using `get_post($post_id)` but fails to verify if the post is published, private, or draft, and does not check if the requesting user has the `read_post` capability for that specific post. If the post contains a `complianz\u002Fconsent-area` block, the function extracts and returns the `consentedContent` attribute, leading to unauthorized disclosure of sensitive information hidden within unpublished or private posts.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `GET \u002Fwp-json\u002Fcomplianz\u002Fv1\u002Fconsent-area\u002F{post_id}\u002F{block_id}`\n- **Authentication:** None (Unauthenticated)\n- **Parameters:**\n    - `post_id` (URL Path): The ID of the target post (Draft, Private, or Scheduled).\n    - `block_id` (URL Path): The unique identifier assigned to the specific \"Consent Area\" block within that post.\n- **Vulnerable Component:** `cmplz_rest_consented_content()` (inferred location: `includes\u002Fclass-rest-api.php` or similar logic file, though not provided in the source snippets).\n- **Preconditions:** A post must exist (regardless of status) that contains a Gutenberg block of type `complianz\u002Fconsent-area` which has the `consentedContent` attribute populated.\n\n## 3. Code Flow (Inferred from Description)\n1. **Registration:** The plugin registers a REST route using `register_rest_route('complianz\u002Fv1', '\u002Fconsent-area\u002F(?P\u003Cpost_id>\\d+)\u002F(?P\u003Cblock_id>[a-zA-Z0-9\\-]+)')` (the exact regex is inferred; only the namespace and the path shape are given in the description).\n2. **Authorization:** The `permission_callback` is set to `__return_true`, so every request is authorized. WordPress performs no other authorization on custom REST routes, which makes the endpoint effectively public.\n3. **Execution:** When a request is made, `cmplz_rest_consented_content(WP_REST_Request $request)` is invoked.\n4. **Retrieval:**\n    - `$post_id = $request->get_param('post_id')`\n    - `$post = get_post($post_id)`\n5. **Vulnerability Sink:** The code parses `$post->post_content` without checking `$post->post_status` and without a `current_user_can('read_post', $post_id)` check; `get_post()` itself returns private, draft, pending, and scheduled posts regardless of their status. The code then looks for blocks matching `complianz\u002Fconsent-area`.\n6. **Data Extraction:** If a block matches the provided `block_id`, the value of the `consentedContent` attribute is returned in the JSON response.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the `permission_callback` is `__return_true`. This indicates that **no WordPress nonce is required** for this endpoint when accessed via a direct GET request. 
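The route registration and permission callback inferred in section 3, written out as an added PHP example rather than the plugin's own code (the plugin source is not in the snippets): the vulnerable shape with `__return_true` first, then a `permission_callback` that authorizes per post. The exact route regex, the `example_*` function names and the error messages are assumptions for illustration; `cmplz_rest_consented_content()` is the handler name the description gives.

```php
\u003C?php
# Added example, not the plugin's code. It reconstructs the pattern the description
# gives for versions \u003C= 7.4.5 and puts a hardened permission callback beside it.
# Assumed for illustration: the exact route regex and every example_* name.

# Vulnerable shape: __return_true authorizes every caller, and the handler
# (cmplz_rest_consented_content, per the description) calls get_post() without
# checking post_status or whether the caller may read the post. Shown for
# contrast only; it is not hooked below.
function example_register_vulnerable_route() {
    register_rest_route( 'complianz\u002Fv1', '\u002Fconsent-area\u002F(?P\u003Cpost_id>\\d+)\u002F(?P\u003Cblock_id>[a-zA-Z0-9\\-]+)', array(
        'methods'             => 'GET',
        'callback'            => 'cmplz_rest_consented_content',
        'permission_callback' => '__return_true',   # any request, logged in or not
    ) );
}

# Hardened shape: decide per post, before the handler runs. Publicly viewable
# posts stay readable by anyone; private, draft, pending, future and trashed
# posts need the read_post meta capability, which an anonymous caller never has.
function example_consent_area_permission( WP_REST_Request $request ) {
    $post = get_post( (int) $request->get_param( 'post_id' ) );
    if ( ! $post instanceof WP_Post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    # is_post_publicly_viewable() needs WordPress 5.7 or later.
    if ( is_post_publicly_viewable( $post ) && ! post_password_required( $post ) ) {
        return true;
    }
    if ( current_user_can( 'read_post', $post->ID ) ) {
        return true;
    }
    # rest_authorization_required_code() is 401 for anonymous callers, 403 when logged in.
    return new WP_Error(
        'rest_forbidden',
        'Sorry, you are not allowed to read this post.',
        array( 'status' => rest_authorization_required_code() )
    );
}

function example_register_hardened_route() {
    register_rest_route( 'complianz\u002Fv1', '\u002Fconsent-area\u002F(?P\u003Cpost_id>\\d+)\u002F(?P\u003Cblock_id>[a-zA-Z0-9\\-]+)', array(
        'methods'             => 'GET',
        'callback'            => 'cmplz_rest_consented_content',
        'permission_callback' => 'example_consent_area_permission',
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

With the hardened callback an anonymous request for a private or draft post is refused before the handler runs, while published posts behave as before. Two caveats: `is_post_publicly_viewable()` exists from WordPress 5.7 on (older installs can test `'publish' === $post->post_status && is_post_type_viewable( $post->post_type )` instead), and answering 404 for unknown IDs but 401 for unreadable ones lets an unauthenticated caller enumerate which private post IDs exist. WordPress core's posts controller behaves the same way, but returning 404 in both branches closes that oracle where the enumeration matters.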
\n\nIf for any reason the environment requires a REST nonce (e.g., due to global security headers), it can be obtained from the homepage:\n1. Navigate to the homepage using `browser_navigate`.\n2. Execute `browser_eval(\"window.wpApiSettings?.nonce\")`.\n3. Note: This is likely unnecessary given the `__return_true` callback.\n\n## 5. Exploitation Strategy\nThe goal is to retrieve content from a `private` post that contains a `complianz\u002Fconsent-area` block.\n\n### Step 1: Discover Post IDs (Brute Force)\nSince post IDs are incremental, an attacker can iterate through IDs. For the PoC, we will create a known post ID.\n\n### Step 2: Request the Content\n1. Send a GET request to the target endpoint.\n2. **Tool:** `http_request`\n3. **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fcomplianz\u002Fv1\u002Fconsent-area\u002F{post_id}\u002F{block_id}`\n4. **Headers:** `Accept: application\u002Fjson`\n\n## 6. Test Data Setup\nTo verify the vulnerability, we must create a private post containing the specific Gutenberg block structure used by Complianz.\n\n**WP-CLI Command:**\n```bash\n# Create a private post with a Consent Area block\n# Note: The blockId and consentedContent attributes are key.\nwp post create --post_type=post \\\n               --post_status=private \\\n               --post_title=\"Secret Disclosure Test\" \\\n               --post_content='\u003C!-- wp:complianz\u002Fconsent-area {\"blockId\":\"exploit-id-123\",\"consentedContent\":\"CENSORED_PRIVATE_TOKEN_9999\"} --> \u003Cdiv class=\"cmplz-consent-area\">Visible placeholder\u003C\u002Fdiv> \u003C!-- \u002Fwp:complianz\u002Fconsent-area -->'\n```\n*Note the resulting ID from the command output.*\n\n## 7. 
Expected Results\n- **Success:** The REST API returns a `200 OK` response with a JSON body containing the `consentedContent`.\n- **Payload Response Example** (the exact key layout is inferred; the test only needs the marker string to appear in the body):\n```json\n{\n    \"consentedContent\": \"CENSORED_PRIVATE_TOKEN_9999\"\n}\n```\n- **Failure (Patched):** The API returns an error instead of the content: typically `401 Unauthorized` for an unauthenticated caller (WordPress REST responds 401 rather than 403 when nobody is logged in), or `404 Not Found` if the fix treats posts the caller cannot read as non-existent. Any response that does not contain the marker string counts as not exploitable.\n\n## 8. Verification Steps\n1. **Identify ID:** Run `wp post list --post_status=private` to get the ID of the post created in Section 6.\n2. **Execute Exploit:** Use `http_request` to fetch the REST endpoint.\n3. **Compare:** Verify the string returned in the JSON matches the `consentedContent` string defined in the WP-CLI setup.\n4. **Check Permissions:** Verify that visiting the post URL directly (`\u002F?p=ID`) as an unauthenticated user results in a 404 page (WordPress serves private posts only to users who may read them and shows the not-found template to everyone else), proving the post is indeed private and otherwise inaccessible.\n\n## 9. Alternative Approaches\nIf the `block_id` used in the URL is not the `blockId` attribute but rather a numeric index or a different hash:\n1. **Brute Force\u002FInference:** Use the `browser_eval` tool on the private post's edit screen (while logged in as admin, since `core\u002Fblock-editor` is only registered inside the editor) to inspect the Gutenberg block attributes: `wp.data.select('core\u002Fblock-editor').getBlocks()`.\n2. **Block ID discovery:** Check if the plugin leaks block IDs in any other public endpoints or if they are predictable (e.g., based on post ID). 
However, for a PoC, the manually defined `blockId` in the Gutenberg comment is the standard target.","gemini-3-flash-preview","2026-05-04 18:09:38","2026-05-04 18:10:03",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","7.4.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomplianz-gdpr\u002Ftags\u002F7.4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcomplianz-gdpr.7.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomplianz-gdpr\u002Ftags\u002F7.4.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcomplianz-gdpr.7.4.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomplianz-gdpr\u002Ftags"]