# CVE-2026-2112: Dam Spam <= 1.0.8 - Cross-Site Request Forgery to Arbitrary Pending Comment Deletion

*   **Plugin:** `dam-spam` (WordPress plugin; tagged releases: https://plugins.trac.wordpress.org/browser/dam-spam/tags)
*   **Affected versions:** <= 1.0.8
*   **Patched in:** 1.0.9 (days to patch: 1)
*   **Severity:** medium, CVSS 4.3 (`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`)
*   **Vulnerability type:** Cross-Site Request Forgery (CSRF)
*   **Published:** 2026-02-17 19:02:21 (updated 2026-02-18 07:25:43)
*   **References:** https://www.wordfence.com/threat-intel/vulnerabilities/id/e336dc27-4a76-4197-929c-b221f42bfe69?source=api-prod
*   **Patch diff files / Trac patch URL:** none recorded
*   **Research status:** researched (3 rounds, model `gemini-3-flash-preview`, 2026-04-19 06:01:38 to 06:02:01); research verified: no. The vulnerable code and fix diff below are inferred from the advisory text, not taken from the plugin source.
*   **Proof of concept:** none recorded

## Description
The Dam Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce verification on the pending comment deletion action in the cleanup page. This makes it possible for unauthenticated attackers to delete all pending comments via a forged request, granted they can trick an admin into performing an action such as clicking on a link.

## Research Summary
The Dam Spam plugin for WordPress fails to perform nonce verification when processing the bulk deletion of pending comments. This allows an unauthenticated attacker to delete all comments awaiting moderation by tricking a logged-in administrator into clicking a malicious link.

## Research Plan
This plan outlines the research and exploitation strategy for **CVE-2026-2112**, a CSRF vulnerability in the "Dam Spam" WordPress plugin.

### 1. Vulnerability Summary
The **Dam Spam** plugin (up to version 1.0.8) fails to implement nonce verification on its "cleanup" functionality. Specifically, the action responsible for deleting all pending comments does not check for a valid WordPress CSRF token (nonce). This allows an attacker to craft a malicious request that, when executed by a logged-in administrator (e.g., via a phishing link), triggers the bulk deletion of all comments currently in the "Pending" (moderation) queue.

### 2. Attack Vector Analysis
*   **Endpoint:** Likely an admin page processing logic (e.g., `wp-admin/admin.php` or `wp-admin/admin-post.php`).
*   **Vulnerable Action:** A parameter such as `action`, `dam_spam_action`, or a specific URL query variable used on the plugin's cleanup page.
*   **Authentication Level:** The attacker needs no account. The victim must have an active session as a user who can reach the plugin's cleanup page and manage comments (typically `Administrator`).
*   **Preconditions:** There must be pending comments in the database for the impact to be observable.
*   **Vector:** CSRF. The attacker tricks the admin into sending a GET or POST request to the target endpoint.

### 3. Code Flow (Inferred)
Since source files are not provided, the following flow is inferred based on standard WordPress plugin patterns for "Cleanup" or "Tools" pages:

1.  **Registration:** The plugin registers an admin page via `add_menu_page` or `add_submenu_page` with a slug (likely `dam-spam` or `dam-spam-cleanup`).
2.  **Request Handling:** The plugin uses a hook like `admin_init` or logic inside the menu callback function to check for a specific trigger parameter (e.g., `if ( isset( $_GET['delete_pending'] ) )`).
3.  **The Sink:** The code performs a database operation, likely using `$wpdb->query` to delete entries from the `wp_comments` table where `comment_approved = '0'`.
4.  **The Vulnerability:** The code lacks a call to `check_admin_referer()` or `wp_verify_nonce()` before executing the deletion query.

### 4. Nonce Acquisition Strategy
**No nonce is required for this exploit.**
The nature of the vulnerability is the **absence** of nonce verification. The attacker does not need to bypass a check; they simply need to know the correct parameters to trigger the action.

### 5. Exploitation Strategy

#### Step 1: Discovery (Locate the Action)
The agent must first identify the exact parameter and value used to trigger the deletion.
1.  Navigate to the plugin's settings/cleanup page.
2.  Inspect the "Delete Pending Comments" button or link.
3.  Identify whether it is a GET request (link) or a POST request (form).

#### Step 2: Craft the Exploit
Based on the discovery, the agent will use the `http_request` tool to simulate a CSRF attack.

**If GET-based (Likely):**
*   **URL:** `http://localhost:8080/wp-admin/admin.php?page=[SLUG]&action=[ACTION_VALUE]`
*   **Method:** GET
*   **Headers:** Standard admin cookies (provided by the environment).

**If POST-based:**
*   **URL:** `http://localhost:8080/wp-admin/admin.php?page=[SLUG]` (or `admin-post.php`)
*   **Method:** POST
*   **Content-Type:** `application/x-www-form-urlencoded`
*   **Body:** `action=[ACTION_VALUE]&other_params=...`

#### Step 3: Execute
Trigger the request while authenticated as the Administrator.

### 6. Test Data Setup
To demonstrate the vulnerability, the environment must contain pending comments:
1.  **Create Pending Comments:** Use WP-CLI to generate dummy comments in the "hold" status.
    ```bash
    wp comment create --comment_post_ID=1 --comment_content="Spam Comment 1" --comment_approved=0
    wp comment create --comment_post_ID=1 --comment_content="Spam Comment 2" --comment_approved=0
    ```
2.  **Verify Setup:**
    ```bash
    wp comment list --status=hold
    ```

### 7. Expected Results
*   **Response:** A 302 redirect back to the cleanup page or a success message.
*   **State Change:** The database table `wp_comments` should no longer contain any rows with `comment_approved = '0'`.
*   **Log:** If `WP_DEBUG` is on, no "headers already sent" or nonce errors should appear during the process.

### 8. Verification Steps
After sending the malicious HTTP request, verify the deletion via WP-CLI (`wp comment list` takes the count through `--format=count`):
```bash
# This should print 0
wp comment list --status=hold --format=count
```
If the count is 0 and the comments existed previously, the CSRF is confirmed.

### 9. Alternative Approaches
If the plugin uses a custom AJAX handler for the cleanup (less common for "cleanup" pages but possible):
*   **Endpoint:** `wp-admin/admin-ajax.php`
*   **Action:** Look for `wp_ajax_dam_spam_cleanup` in the source code.
*   **Verification:** Perform the POST request to `admin-ajax.php` with the `action` parameter but **without** a `security` or `_wpnonce` parameter. If the comments are deleted, the vulnerability is confirmed.

### Grep Commands for Initial Analysis
The agent should run these to ground the plan in the actual source:
```bash
# Find the cleanup action string
grep -r "DELETE" wp-content/plugins/dam-spam/
grep -r "comment_approved" wp-content/plugins/dam-spam/

# Find the admin page registration to get the slug
grep -r "add_menu_page" wp-content/plugins/dam-spam/
grep -r "add_submenu_page" wp-content/plugins/dam-spam/

# Check for missing nonces in the identified file (-L lists files with no match)
grep -L "nonce" [IDENTIFIED_FILE].php
```

## Vulnerable Code (Inferred)
```php
// Inferred logic based on plugin functionality in wp-content/plugins/dam-spam/dam-spam.php or a similar admin-handling file.
// Any request carrying delete_pending reaches the DELETE; no nonce or capability check guards it.

if ( isset( $_GET['delete_pending'] ) ) {
    global $wpdb;
    $wpdb->query( "DELETE FROM $wpdb->comments WHERE comment_approved = '0'" );
    // Redirect or display success message follows without nonce check
}
```

## Exploit Outline
1. The attacker identifies the administrative URL and parameter used by the plugin to trigger the 'Delete Pending' action (e.g., `/wp-admin/admin.php?page=dam-spam-cleanup&delete_pending=1`).
2. The attacker crafts a malicious GET request targeting this URL.
3. The attacker tricks a logged-in WordPress administrator into clicking a link containing this URL or visiting a site that performs the request automatically (e.g., via an `<img>` tag or `window.location`).
4. Because the plugin does not verify a cryptographic nonce (CSRF token), the WordPress site processes the request as legitimate, executing the database query to delete all rows in the comments table with a status of '0' (Pending).

## Fix Diff (Inferred)
```diff
--- wp-content/plugins/dam-spam/dam-spam.php
+++ wp-content/plugins/dam-spam/dam-spam.php
@@ -10,4 +10,5 @@
 
 if ( isset( $_GET['delete_pending'] ) ) {
+    check_admin_referer( 'dam_spam_cleanup_action' );
     global $wpdb;
     $wpdb->query( "DELETE FROM $wpdb->comments WHERE comment_approved = '0'" );
```
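Review bot: the added `check_admin_referer( 'dam_spam_cleanup_action' )` line is only half of the fix as shown; the hunk contains no matching change to the link or form that triggers `delete_pending`, so unless that link is also emitted with `wp_nonce_url()` (or the form with `wp_nonce_field()`) for the same action string, an administrator's own click now dies with "The link you followed has expired" while the page still advertises the action. The hunk also leaves authorization out: a nonce proves the request originated from a page the current user loaded, not that the user may delete comments, so a `current_user_can( 'moderate_comments' )` check belongs before the query, and the trigger remains a GET parameter (`$_GET['delete_pending']`) where a POST via `admin-post.php` would be the conventional shape. Since the page marks this diff as inferred rather than the real 1.0.9 change, compare it against the tagged source at the plugins.trac.wordpress.org URL above before treating either as the actual patch.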
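The inferred handler above beside a hardened version, as an added example that is not Dam Spam's code. It assumes WordPress is loaded; the hook name `admin_post_dam_spam_cleanup`, the nonce action `dam_spam_cleanup`, the page slug `dam-spam-cleanup`, the `moderate_comments` capability and all function names are assumptions chosen for illustration:

```php
<?php
/**
 * Added example (not the plugin's code): the inferred vulnerable "delete pending
 * comments" handler next to a hardened version. Hook, nonce action, slug and
 * capability names are assumptions for illustration.
 */

// --- Vulnerable pattern (as inferred on this page) --------------------------
// Any GET to an admin URL carrying delete_pending=1 runs the DELETE. Once an
// admin session exists, a forged <img src="..."> on an attacker page suffices.
function dam_spam_vulnerable_cleanup() {
    if ( isset( $_GET['delete_pending'] ) ) {
        global $wpdb;
        $wpdb->query( "DELETE FROM {$wpdb->comments} WHERE comment_approved = '0'" );
    }
}

// --- Hardened pattern ---------------------------------------------------------
// 1. The action lives on admin-post.php and is reached by a POST form, not a link.
// 2. current_user_can() is the authorization check; a nonce is not one.
// 3. check_admin_referer() verifies the per-user, per-action nonce (the CSRF fix).
// 4. Deletion goes through wp_delete_comment() so comment meta and hooks run.
add_action( 'admin_post_dam_spam_cleanup', 'dam_spam_hardened_cleanup' );

function dam_spam_hardened_cleanup() {
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Dies with "The link you followed has expired." when _wpnonce is absent,
    // stale, or was minted for another user or another action string.
    check_admin_referer( 'dam_spam_cleanup' );

    // 'hold' is the WP_Comment_Query status for comment_approved = '0'.
    $pending = get_comments( array( 'status' => 'hold', 'fields' => 'ids' ) );
    $deleted = 0;
    foreach ( $pending as $comment_id ) {
        if ( wp_delete_comment( $comment_id, true ) ) {
            $deleted++;
        }
    }

    wp_safe_redirect( add_query_arg(
        array( 'page' => 'dam-spam-cleanup', 'deleted' => $deleted ),
        admin_url( 'admin.php' )
    ) );
    exit;
}

// The form that triggers it. wp_nonce_field() emits the _wpnonce and
// _wp_http_referer hidden inputs that check_admin_referer() expects, and the
// hidden "action" input routes admin-post.php to the hook registered above.
function dam_spam_render_cleanup_form() {
    if ( ! current_user_can( 'moderate_comments' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dam_spam_cleanup" />
        <?php wp_nonce_field( 'dam_spam_cleanup' ); ?>
        <?php submit_button( 'Delete all pending comments', 'delete' ); ?>
    </form>
    <?php
}
```

The nonce is the control that closes the advisory's attack; the browser's default SameSite=Lax treatment of the login cookie does not help against the link-click GET described above, because Lax cookies are still sent on top-level cross-site navigations. If the trigger must stay a GET link, build it with `wp_nonce_url( $url, 'dam_spam_cleanup' )` so the same `check_admin_referer()` call accepts it; either way the capability check stays, since only a logged-in user who can load the page should hold a valid nonce, and the nonce alone does not say what that user is allowed to do.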