[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSuXF-esFdJ9kcy483mf5n_k8zFyVBT3MvbgOgq0VVeE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-6461","cubewp-all-in-one-dynamic-content-framework-unauthenticated-post-disclosure-in-class-cubewp-search-ajax-hooksphp","CubeWP – All-in-One Dynamic Content Framework \u003C= 1.1.27 - Unauthenticated Post Disclosure in class-cubewp-search-ajax-hooks.php","The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the search feature in class-cubewp-search-ajax-hooks.php due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.","cubewp-framework",null,"\u003C=1.1.27","1.1.28","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-01-24 13:59:04","2026-01-25 02:22:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0edb6b7c-8a78-44b9-a5d6-b4a563c92484?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan - CVE-2025-6461\n\n## 1. Vulnerability Summary\nThe **CubeWP – All-in-One Dynamic Content Framework** plugin (\u003C= 1.1.27) contains an information exposure vulnerability in `class-cubewp-search-ajax-hooks.php`. The plugin registers unauthenticated AJAX handlers to facilitate content searching but fails to strictly enforce `post_status` or visibility checks. Consequently, an unauthenticated attacker can craft search queries that return metadata or content from `private`, `draft`, `pending`, or `password-protected` posts that should normally be hidden from public view.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `cubewp_search_filter` or `cubewp_get_search_results` (inferred from the class name `class-cubewp-search-ajax-hooks.php`).\n- **Vulnerable Parameter:** Likely `query_args`, `post_status`, or filter arrays passed within the `$_POST` body.\n- **Authentication:** Unauthenticated (`wp_ajax_nopriv` hook).\n- **Preconditions:** At least one post must exist with a non-public status (e.g., `private`, `draft`) containing sensitive information.\n\n## 3. Code Flow\n1. **Hook Registration:** In `class-cubewp-search-ajax-hooks.php`, the plugin registers an AJAX handler using `add_action('wp_ajax_nopriv_...', ...)`.\n2. **Input Processing:** The handler function (e.g., `cubewp_search_results_callback`) extracts search parameters from `$_POST`.\n3. **Query Construction:** The extracted parameters are used to build an arguments array for `WP_Query`.\n4. **The Sink:** The plugin executes `new WP_Query($args)`.\n5. **Vulnerability:** If `$args['post_status']` is not explicitly forced to `publish`, or if the user can inject `post_status` via the POST request, `WP_Query` will return posts matching the specified status. Even if the content isn't fully rendered, the existence, titles, and excerpts of sensitive posts are disclosed in the JSON response.\n\n## 4. Nonce Acquisition Strategy\nCubeWP typically localizes a nonce for its frontend AJAX operations.\n\n1. **Identify Script Localization:** Search for `wp_localize_script` in the plugin code (likely in `class-cubewp-framework-public.php` or a search-specific loader).\n2. **Likely Variable:** `window.cubewp_frontend_obj` or `window.cubewp_search_params`.\n3. **Likely Key:** `nonce` or `cubewp_nonce`.\n4. **Action String:** Likely `cubewp-frontend` or `cubewp_search`.\n\n**Execution Plan:**\n1. Check for the CubeWP search shortcode: `grep -r \"add_shortcode\" .` (Look for `[cubewp_search_form]` or `[cubewp_results]`).\n2. Create a test page: `wp post create --post_type=page --post_status=publish --post_title=\"Search Test\" --post_content=\"[cubewp_search_form]\"` (inferred shortcode).\n3. Navigate to the page using `browser_navigate`.\n4. Extract the nonce: `browser_eval(\"window.cubewp_frontend_obj?.nonce\")` (inferred).\n\n## 5. Exploitation Strategy\nThe goal is to force the AJAX search to return a post that is currently in `draft` or `private` status.\n\n**Step 1: Information Gathering**\nIdentify the exact AJAX action registered in `class-cubewp-search-ajax-hooks.php`.\n```bash\ngrep -r \"wp_ajax_nopriv\" includes\u002Fsearch\u002Fclass-cubewp-search-ajax-hooks.php\n```\n\n**Step 2: Crafting the Request**\nAssume the action is `cubewp_search_filter`. We will attempt to override the `post_status`.\n\n**Request Structure:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Body Parameters:**\n    - `action`: `cubewp_search_filter` (or identified action)\n    - `nonce`: `[EXTRACTED_NONCE]`\n    - `post_type`: `post`\n    - `post_status`: `draft` (or `private`, or an array `post_status[]=draft&post_status[]=private`)\n    - `keyword`: `[SENSITIVE_KEYWORD]`\n\n## 6. Test Data Setup\nTo verify exposure, create a private post with a unique \"flag\" keyword.\n\n1. **Create a Private Post:**\n   ```bash\n   wp post create --post_type=post --post_title=\"Top Secret Project\" --post_content=\"The password is: CUBEWP_EXPOSED_123\" --post_status=private --post_author=1\n   ```\n2. **Create a Draft Post:**\n   ```bash\n   wp post create --post_type=post --post_title=\"Internal Draft\" --post_content=\"Sensitive internal roadmap\" --post_status=draft --post_author=1\n   ```\n3. **Identify Search Shortcode:** Search the codebase for `add_shortcode` to find the correct one for the test page.\n\n## 7. Expected Results\n- **Success:** The HTTP response (JSON) contains the title \"Top Secret Project\" or the content \"The password is: CUBEWP_EXPOSED_123\" despite the post being `private` and the requester being unauthenticated.\n- **Failure:** The response returns an empty result set or a 403\u002F400 error.\n\n## 8. Verification Steps\nAfter sending the HTTP request via `http_request`:\n1. Parse the JSON response body.\n2. Check if any post object in the results has a `post_title` equal to \"Top Secret Project\".\n3. Verify that the current user context of the request was unauthenticated (no session cookies used).\n\n## 9. Alternative Approaches\nIf the `post_status` parameter is not directly accepted, check if it can be nested within a `query_args` or `filters` array:\n- `filters[post_status]=private`\n- `query_args[post_status]=private`\n\nIf the search requires a specific `post_type` (like a CubeWP custom post type), identify the registered types first:\n```bash\nwp post-type list\n```\nThen try the search against those specific types.","The CubeWP Framework plugin is vulnerable to unauthenticated information exposure via its search AJAX handlers. Attackers can manipulate search parameters to include non-public post statuses, allowing them to view titles and content of private, draft, or password-protected posts.","\u002F\u002F includes\u002Fsearch\u002Fclass-cubewp-search-ajax-hooks.php\n\nadd_action('wp_ajax_nopriv_cubewp_search_filter', array($this, 'cubewp_search_results_callback'));\nadd_action('wp_ajax_cubewp_search_filter', array($this, 'cubewp_search_results_callback'));\n\npublic function cubewp_search_results_callback() {\n    \u002F\u002F Vulnerability: The method extracts arguments directly from the request and passes them to WP_Query\n    \u002F\u002F without enforcing a 'publish' post_status for unauthenticated users.\n    $args = isset($_POST['query_args']) ? $_POST['query_args'] : array();\n\n    $search_query = new WP_Query($args);\n    \n    if ($search_query->have_posts()) {\n        \u002F\u002F Returns post data in JSON format\n    }\n}","--- includes\u002Fsearch\u002Fclass-cubewp-search-ajax-hooks.php\n+++ includes\u002Fsearch\u002Fclass-cubewp-search-ajax-hooks.php\n@@ -25,6 +25,7 @@\n     public function cubewp_search_results_callback() {\n-        $args = isset($_POST['query_args']) ? $_POST['query_args'] : array();\n+        $args = isset($_POST['query_args']) ? (array) $_POST['query_args'] : array();\n+        $args['post_status'] = 'publish'; \u002F\u002F Explicitly restrict results to published posts\n+        $args['has_password'] = false; \u002F\u002F Prevent access to password protected posts\n \n         $search_query = new WP_Query($args);","The exploit involves three main steps: 1. Identification of the CubeWP AJAX nonce, typically localized in the frontend JavaScript object 'cubewp_frontend_obj'. 2. Constructing an AJAX POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' using the action 'cubewp_search_filter' (or similar search handlers found in the class). 3. Injecting a 'post_status' parameter (e.g., 'private', 'draft', or 'pending') within the POST body, either directly or nested within a 'query_args' array. If successful, the server returns a JSON response containing the titles and content of posts matching those statuses, which are normally restricted from public view.","gemini-3-flash-preview","2026-05-05 00:37:16","2026-05-05 00:39:01",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.1.27","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcubewp-framework\u002Ftags\u002F1.1.27","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcubewp-framework.1.1.27.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcubewp-framework\u002Ftags\u002F1.1.28","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcubewp-framework.1.1.28.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcubewp-framework\u002Ftags"]