[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGvC2R-DF3qRMuVBI2ehWGhyl7CCVA8ChcIv9EluxUgM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39691","cryptocurrency-donation-box-bitcoin-crypto-donations-missing-authorization","Cryptocurrency Donation Box – Bitcoin & Crypto Donations \u003C= 2.2.13 - Missing Authorization","The Cryptocurrency Donation Box – Bitcoin & Crypto Donations plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.2.13. This makes it possible for unauthenticated attackers to perform an unauthorized action.","cryptocurrency-donation-box",null,"\u003C=2.2.13","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-23 00:00:00","2026-04-15 21:30:43",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6483ba93-d9ae-44a1-a4fc-b3b4af5ac36f?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to analyze and exploit CVE-2026-39691, a missing authorization vulnerability in the \"Cryptocurrency Donation Box\" plugin.\n\n### 1. Vulnerability Summary\nThe **Cryptocurrency Donation Box – Bitcoin & Crypto Donations** plugin (up to 2.2.13) registers AJAX handlers that perform sensitive actions (likely updating wallet addresses or plugin settings) without properly checking the user's capabilities. Specifically, if a function is hooked to `wp_ajax_nopriv_`, it is accessible to unauthenticated users. If it is only hooked to `wp_ajax_` but lacks a `current_user_can()` check, it is accessible to any logged-in user (subscriber-level). The description \"unauthenticated attackers\" strongly suggests the existence of a `wp_ajax_nopriv_` hook or a failure in the initial check that allows the request to proceed.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Action:** `cb_save_settings` or `cryptobox_ajax_update` (inferred based on plugin naming conventions)\n* **Vulnerable Parameter:** `$_POST` data containing wallet addresses (e.g., `btc_address`, `eth_address`) or general plugin settings.\n* **Authentication:** Unauthenticated (via `wp_ajax_nopriv_`) or low-privileged users.\n* **Preconditions:** A valid WordPress nonce for the specific AJAX action may be required, although the core issue is the lack of authorization (capability check) after the nonce is verified.\n\n### 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers an AJAX handler during `init` or `admin_init`:\n `add_action( 'wp_ajax_nopriv_cb_save_settings', 'cb_save_settings_callback' );` (inferred)\n2. **Handler:** The function `cb_save_settings_callback()` is called.\n3. **Missing Check:** The function likely calls `check_ajax_referer()` (nonce check) but fails to call `current_user_can( 'manage_options' )`.\n4. **Sink:** The function processes `$_POST` data and updates WordPress options using `update_option()` or `update_post_meta()`.\n\n### 4. Nonce Acquisition Strategy\nIf the plugin enforces a nonce, it is typically exposed on the frontend where the donation box is displayed.\n\n1. **Identify Shortcode:** The plugin uses the shortcode `[cryptocurrency_donation_box]` (inferred) to display the box.\n2. **Create Test Page:**\n `wp post create --post_type=page --post_status=publish --post_title=\"Donation\" --post_content='[cryptocurrency_donation_box]'`\n3. **Identify Localization Key:** Search the codebase for `wp_localize_script`. The variable name is likely `cb_ajax_obj` or `cryptobox_vars`.\n4. **Extract via Browser:**\n Navigate to the newly created page and execute:\n `browser_eval(\"window.cb_ajax_obj?.nonce\")` (inferred) or check the HTML source for a hidden input field `id=\"cb_nonce\"`.\n\n### 5. Exploitation Strategy\nThis plan assumes the attacker aims to hijack donations by replacing the legitimate BTC address with an attacker-controlled one.\n\n**Step 1: Discover Action and Nonce Key**\nSearch the plugin directory for the AJAX registration:\n`grep -rn \"wp_ajax_nopriv\" .`\nFind the associated function and identify the nonce action string used in `check_ajax_referer('action_string', 'param_name')`.\n\n**Step 2: Prepare Payload**\n* **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Method:** POST\n* **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n* **Body:** \n `action=cb_save_settings&cb_nonce=NONCE_VALUE&btc_address=1AttackerAddressHereð_address=0xAttackerAddressHere` (parameters inferred)\n\n**Step 3: Execute Request**\nUse the `http_request` tool to send the POST payload.\n\n### 6. Test Data Setup\n1. **Install Plugin:** Ensure `cryptocurrency-donation-box` version 2.2.13 is installed.\n2. **Initial Configuration:** Configure a legitimate BTC address in the plugin settings via the admin UI.\n3. **Public Page:** Create a page with the shortcode `[cryptocurrency_donation_box]` to ensure scripts and nonces are generated.\n\n### 7. Expected Results\n* **Response:** The server returns a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n* **Outcome:** The plugin's settings are updated in the database without any administrator interaction.\n* **Frontend Change:** When viewing the donation page, the \"Bitcoin Address\" displayed in the donation box now shows the attacker's address.\n\n### 8. Verification Steps\n1. **Check Options Table:**\n Use WP-CLI to verify the option value:\n `wp option get cb_btc_address` (inferred)\n Verify it matches `1AttackerAddressHere`.\n2. **Frontend Inspection:**\n `browser_navigate(\"http:\u002F\u002F\u003Ctarget>\u002Fdonation-page\u002F\")`\n Inspect the donation box element to confirm the displayed address has changed.\n\n### 9. Alternative Approaches\n* **Missing Nonce:** If `check_ajax_referer` is entirely missing, the exploit is a trivial POST request with no nonce required.\n* **Different Actions:** Search for other `wp_ajax_nopriv` actions such as `cb_delete_log`, `cb_update_wallet`, or `cb_export_settings` which might leak information or allow site disruption.\n* **Subscriber Access:** If `wp_ajax_nopriv` is not present, test the `wp_ajax_` (authenticated) version using a Subscriber account to see if the capability check is still missing.","The Cryptocurrency Donation Box plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check in its AJAX handlers. This allows unauthenticated attackers to hijack donations by replacing legitimate cryptocurrency wallet addresses with their own via the admin-ajax.php endpoint.","\u002F\u002F Inferred registration and handler structure based on research plan\n\u002F\u002F File: cryptocurrency-donation-box.php (inferred location)\n\nadd_action( 'wp_ajax_nopriv_cb_save_settings', 'cb_save_settings_callback' );\nadd_action( 'wp_ajax_cb_save_settings', 'cb_save_settings_callback' );\n\nfunction cb_save_settings_callback() {\n \u002F\u002F Nonce check may be present but authorization is not\n check_ajax_referer( 'cb_ajax_nonce', 'security' );\n\n \u002F\u002F Missing current_user_can( 'manage_options' ) check\n\n if ( isset( $_POST['btc_address'] ) ) {\n update_option( 'cb_btc_address', sanitize_text_field( $_POST['btc_address'] ) );\n }\n \u002F\u002F ... other settings updates ...\n wp_send_json_success();\n}","--- a\u002Fcryptocurrency-donation-box.php\n+++ b\u002Fcryptocurrency-donation-box.php\n@@ -10,6 +10,10 @@\n function cb_save_settings_callback() {\n check_ajax_referer( 'cb_ajax_nonce', 'security' );\n \n+ if ( ! current_user_can( 'manage_options' ) ) {\n+ wp_send_json_error( 'Forbidden', 403 );\n+ }\n+\n if ( isset( $_POST['btc_address'] ) ) {\n update_option( 'cb_btc_address', sanitize_text_field( $_POST['btc_address'] ) );\n }","1. Nonce Extraction: Navigate to any page on the target site where the donation box shortcode [cryptocurrency_donation_box] is active. Extract the security nonce from the frontend, typically found in the localized JavaScript object (e.g., cb_ajax_obj.nonce) or as a hidden input field.\n2. Target Endpoint: Use the WordPress AJAX endpoint at \u002Fwp-admin\u002Fadmin-ajax.php.\n3. Craft Payload: Construct a POST request containing the vulnerable action (e.g., action=cb_save_settings), the extracted nonce, and the parameters for the wallet addresses the attacker wishes to overwrite (e.g., btc_address=1AttackerAddress).\n4. Unauthorized Execution: Send the request. Since the handler is registered with wp_ajax_nopriv_ and lacks a capability check like current_user_can('manage_options'), the server will update the plugin options in the database, effectively redirecting future donations to the attacker.","gemini-3-flash-preview","2026-04-19 01:26:08","2026-04-19 01:26:24",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcryptocurrency-donation-box\u002Ftags"]