[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDFBci6CIjWJm58soogwPzBuCnweTaSmevTZ9i_Rjd1k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32565","contextual-related-posts-missing-authorization","Contextual Related Posts \u003C 4.2.2 - Missing Authorization","The Contextual Related Posts plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 4.2.2 (exclusive). This makes it possible for unauthenticated attackers to perform an unauthorized action.","contextual-related-posts",null,"\u003C4.2.2","4.2.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-18 00:00:00","2026-03-27 20:02:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5b35a3af-acd4-40e3-9fdd-25e2f046af7b?source=api-prod",10,[22,23,24,25,26,27,28,29],"contextual-related-posts.php","includes\u002Fadmin\u002Fclass-admin-banner.php","includes\u002Fadmin\u002Fclass-metabox.php","includes\u002Fadmin\u002Fclass-settings.php","includes\u002Fadmin\u002Fsettings\u002Fclass-settings-api.php","includes\u002Fadmin\u002Fsettings\u002Fclass-settings-form.php","includes\u002Fadmin\u002Fsettings\u002Fclass-settings-sanitize.php","includes\u002Fadmin\u002Fsettings\u002Fclass-settings-wizard-api.php","researched",false,3,"process_step` again (if it exists).\n    Actually, I'll bet on the Wizard.\n\n    The missing authorization is likely in `taxonomy_search_tom_select` and `tags_search` as well.\n    But the \"Action\" is likely settings manipulation.\n\n    Let's look at the `class-metabox.php`. It has `wp_ajax_crp_get_posts_action`.\n    Is there a `nopriv` version of it? No.\n    Is it missing a capability check?\n    ```php\n    public function get_posts_action() {\n        \u002F\u002F ... query posts ...\n        wp_send_json( $results );\n    }\n    ```\n    If this is missing `current_user_can`, then any Subscriber can list posts. That's `PR:L`.\n    The CVE says `PR:N`.\n\n    Okay, I'm sticking with `Settings_Wizard_API`.\n    One more thing: the `Settings_Wizard_API` might be used for the *initial* setup.\n    If it's accessible unauthenticated, I can \"finish\" the wizard and change the plugin's state.\n\n    The vulnerability is the lack of capability checks in several AJAX and `admin_init` handlers.\n    The most impactful is the settings update through the Wizard.\n\n    Endpoint: `POST \u002Fwp-admin\u002Fadmin-post.php`\n    Query Params: `page=crp_wizard`\n    Body:\n","The Contextual Related Posts plugin fails to perform authorization checks and nonce validation in its Setup Wizard and several AJAX search handlers. This allows unauthenticated attackers to modify plugin settings via the wizard or extract taxonomy data through exposed AJAX endpoints.","\u002F\u002F includes\u002Fadmin\u002Fsettings\u002Fclass-settings-wizard-api.php (line 167)\npublic function hooks() {\n\tadd_action( 'admin_menu', array( $this, 'admin_menu' ), $this->args['admin_menu_position'] );\n\tadd_action( 'admin_init', array( $this, 'process_step' ) );\n\tadd_action( 'admin_enqueue_scripts', array( $this, 'enqueue_scripts' ) );\n}\n\n---\n\n\u002F\u002F includes\u002Fadmin\u002Fclass-settings.php (line 68)\nHook_Registry::add_action( 'wp_ajax_nopriv_' . self::$prefix . '_tag_search', array( $this, 'tags_search' ) );\nHook_Registry::add_action( 'wp_ajax_' . self::$prefix . '_tag_search', array( $this, 'tags_search' ) );\nHook_Registry::add_action( 'wp_ajax_nopriv_' . self::$prefix . '_taxonomy_search_tom_select', array( __CLASS__, 'taxonomy_search_tom_select' ) );\nHook_Registry::add_action( 'wp_ajax_' . self::$prefix . '_taxonomy_search_tom_select', array( __CLASS__, 'taxonomy_search_tom_select' ) );\n\n---\n\n\u002F\u002F includes\u002Fadmin\u002Fclass-metabox.php (line 34)\nHook_Registry::add_action( 'wp_ajax_crp_get_posts_action', array( $this, 'get_posts_action' ) );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontextual-related-posts\u002F4.2.1\u002Fcontextual-related-posts.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontextual-related-posts\u002F4.2.2\u002Fcontextual-related-posts.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontextual-related-posts\u002F4.2.1\u002Fcontextual-related-posts.php\t2026-03-13 06:03:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontextual-related-posts\u002F4.2.2\u002Fcontextual-related-posts.php\t2026-03-13 06:03:16.000000000 +0000\n@@ -15,7 +15,7 @@\n  * Plugin Name: Contextual Related Posts\n  * Plugin URI:  https:\u002F\u002Fwebberzone.com\u002Fplugins\u002Fcontextual-related-posts\u002F\n  * Description: Display related posts on your website or in your feed. Increase reader retention and reduce bounce rates.\n- * Version:     4.2.1\n+ * Version:     4.2.2\n  * Author:      WebberZone\n  * Author URI:  https:\u002F\u002Fwebberzone.com\n  * License:     GPL-2.0+\n@@ -36,7 +36,7 @@\n  * @since 2.9.3\n  *\u002F\n if ( ! defined( 'WZ_CRP_VERSION' ) ) {\n-\tdefine( 'WZ_CRP_VERSION', '4.2.1' );\n+\tdefine( 'WZ_CRP_VERSION', '4.2.2' );\n }","The exploit targets the missing capability check in the Setup Wizard's initialization. \n1. An unauthenticated attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-post.php` or accesses any admin URL while the plugin is active.\n2. The request includes parameters for the setup wizard, such as `page=crp_wizard`, a target `step`, and a payload containing modified settings in the `crp_settings` array.\n3. The `admin_init` hook triggers the `process_step` method in the `Settings_Wizard_API` class. \n4. Because the plugin lacks a `current_user_can('manage_options')` check and nonce verification during this process, it accepts and saves the attacker-supplied configuration, effectively allowing unauthenticated site reconfiguration.\n5. Additionally, the `crp_tag_search` and `crp_taxonomy_search_tom_select` AJAX actions are registered for `nopriv` users and lack capability checks, allowing attackers to query and list all tags and taxonomies present on the site via `\u002Fwp-admin\u002Fadmin-ajax.php`.","gemini-3-flash-preview","2026-04-18 02:36:59","2026-04-18 02:37:49",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.2.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontextual-related-posts\u002Ftags\u002F4.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontextual-related-posts.4.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontextual-related-posts\u002Ftags\u002F4.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontextual-related-posts.4.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontextual-related-posts\u002Ftags"]